Genuine question: what's your threat model?
Vault gives time-limited tokens with a network boundary. Instead of Keeper, I would just use age:
# write
echo "my secret" | age -r <recipient-pubkey> > secret.age
# read
age -d -i key.txt secret.age
https://git.eeqj.de/sneak/secret
This is an age+filesystem secrets manager that I made that is basically what you wrote, but with more organization.
Not when you need an audit system.
True, but AFAIK an audit system is worthless if it resides on the same potentially compromised machine, no?