[rancher-compose] hide/encrypt contents of --env-file

The --env-file option for rancher is very handy however I’m looking for a way to encrypt/secretly store sensitive variables such as AWS keys.

I would be keen to hear how some people have achieved this ? I know one option is to use a CICD and store environment variables in there however it doesn’t give a clear visibility of what env vars each compose needs.

Ideally an integration with GPG would be magic.