Like the speaker you mentioned, all of our certificates are stored with the backup but password protected

However All of our passwords are stored using KeyPass (the keypass file is stored as well)

Access to the keypass is via a key file that is generated by the software itself based on random mouse movements. As a minimum, there are 3 copies of the key file. One is on me, One is in the fire safe at work, one is in a bank vault. Access to the latter 2 is controlled and reported to me if used.

The Encrypted Keypass file itself has Windows auditing turned on so that any access to the file is monitored.

But that's just how we do it 😀