We do not store secrets or api keys as-is in the database instead we use a form of secret management system, we currently support a few which will be listed before. Our source code is 100% public and you can view the implementations on Github. We also deploy the exact version on Github to our prod servers without any modification whatsoever. Our deployment can be found on github too
There currently isn’t a migration process from one provider to another but it is something we might explore in the future. Which is also why we have chosen to support only the most reliable and popular managers

AES

We highly recommend this as it does not require you to set up another infra
While this is not a secret manager, aes-gcm encrypts your data before being stored in the database. 
MALAK_SECRETS_PROVIDER=aes_gcm
MALAK_SECRETS_AES_KEY=ujffjkfk
You can generate you aes_gcm key with LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32; echo

Hashicorp Vault

MALAK_SECRETS_PROVIDER=vault
MALAK_SECRETS_VAULT_ADDRESS=ujffjkfk
MALAK_SECRETS_VAULT_TOKEN=ujffjkfk
MALAK_SECRETS_VAULT_PATH=ujffjkfk

Infisical

MALAK_SECRETS_PROVIDER=infisical
MALAK_SECRETS_INFISICAL_CLIENT_ID=ujffjkfk
MALAK_SECRETS_INFISICAL_CLIENT_SECRET=ujffjkfk
MALAK_SECRETS_INFISICAL_SITE_URL=ujffjkfk
MALAK_SECRETS_INFISICAL_ENVIRONMENT=ujffjkfk

AWS Secrets Manager

MALAK_SECRETS_PROVIDER=secrets_manager
MALAK_SECRETS_SECRETS_MANAGER_REGION=eu-west-2
MALAK_SECRETS_SECRETS_MANAGER_ACCESS_KEY=jgkjfk
MALAK_SECRETS_SECRETS_MANAGER_ACCESS_SECRET=jgkjfk
MALAK_SECRETS_SECRETS_MANAGER_ENDPOINT=eu-west-2