Ive made different solution for my Laravel projects, saving them to the db encrypted. So the only thing living in the .env is db settings. 1 unencrypted record in the settings table with the key.

Won't stop any seasoned hacker but it will stop the automated scripts (for now) to easily get the other keys.