
Securing Passwords in a Multi-Dev nginx setup


Using permissions, you could do something like:

1) give one developer a user

2) chown every folder under /var/www/ to user www-data, and a specific group for that site, something like:

   /var/www/site-a   www-data   group-a
   /var/www/site-b   www-data   group-b
   etc.

3) chmod every directory (and all subdirectories and files, with -R) to 770

4) add each developer to every group for which he is actually developing.
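The four steps above, as an added shell example that is not part of the original answer. It lays the scheme out on a scratch directory so it can be run without root: in production the owner would be www-data and group-a / group-b would be real groups (created with groupadd, developers added with usermod -aG); here the current user's primary group stands in for the per-site group, and the secrets file content is constructed.

```shell
#!/bin/sh
# Added example, not from the original answer: per-site group scheme
# (owner www-data, one group per site, mode 770 recursively) applied to a
# scratch tree. Owner/group are the current user here as a stand-in; in
# production: groupadd group-a; usermod -aG group-a <developer>.
set -eu

# Apply the scheme to one site directory.
#   $1 = site directory, $2 = owning user (web server), $3 = per-site group
lock_down_site() {
    site_dir=$1; owner=$2; group=$3
    chown -R "$owner:$group" "$site_dir"
    chmod -R 770 "$site_dir"     # owner and group get full access, others nothing
    chmod g+s "$site_dir"        # files created later inherit the site group
}

# Succeeds only if "others" have no r/w/x bits on the given path.
no_world_access() {
    others=$(ls -ld "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# Build two constructed site trees, lock them down and verify the result.
# Returns 0 when the secrets are unreadable by anyone outside the site group.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site-a/config" "$tmp/site-b/config"
    printf 'db_password=CONSTRUCTED_EXAMPLE\n' > "$tmp/site-a/config/secrets.ini"
    owner=$(id -un); group=$(id -gn)
    lock_down_site "$tmp/site-a" "$owner" "$group"
    lock_down_site "$tmp/site-b" "$owner" "$group"
    if no_world_access "$tmp/site-a/config/secrets.ini" \
       && no_world_access "$tmp/site-b/config"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

demo && echo "site trees locked down: others have no access"
```

A developer who is in group-a but not group-b can then read and edit /var/www/site-a but gets "Permission denied" on /var/www/site-b, while nginx (running as www-data) still reaches both as the owner. The setgid bit keeps files a developer creates in the site's group rather than the developer's primary group, which is what makes the 770 mode keep working over time.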


A different approach, as I mentioned in a different answer, would be to provide the crypto keys via an API, when an application asks for it.

Your trusted devs would then query the API with a unique key to get the relevant credentials. The key can be mapped to a set of credentials (for devs on several projects).

If you protect the API either via a client certificate or IP filtering you will reduce the risk of data leak (if the access key is lost, you still need to be in the right network or to have the certificate to access the API). I would favor the certificate if you trust the developers (per your comment).


The simplest solution is to run the application that manages the credentials and hands them out to the developers from a different instance of the webserver (obviously listening on a different port). Then you can run that instance as a different user and tighten down the permissions so only that user has access to the secret files it needs.

But create an additional user, don't run it as root.

Under Apache I'd point to suexec or suPHP. But since you don't use Apache, that's not an option for you.
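An added example (not from the original thread) that combines the two answers above: the credentials service runs in a second, independent nginx instance on its own port, started as a dedicated non-root account, and only accepts developers who present a client certificate signed by an internal CA. The config path, the `creds-api` user, port 8443, the certificate paths, the network range and the FastCGI socket are all assumptions, and the application behind the socket that maps a certificate subject to a set of credentials is hypothetical.

```nginx
# /etc/nginx/creds-api.conf  (assumed path)
# Started as a second, independent nginx master alongside the site instance:
#   nginx -c /etc/nginx/creds-api.conf
# Because this master/worker set runs as "creds-api", the secret files only
# need to be readable by that account (owner creds-api, mode 600).

user  creds-api creds-api;    # dedicated account, never root or www-data
pid   /run/nginx-creds-api.pid;
error_log /var/log/nginx/creds-api.error.log;

events { worker_connections 64; }

http {
    access_log /var/log/nginx/creds-api.access.log;

    server {
        listen 8443 ssl;                        # separate port from the site instance
        server_name creds.internal.example;     # assumed name

        ssl_certificate     /etc/nginx/creds-api/server.crt;
        ssl_certificate_key /etc/nginx/creds-api/server.key;

        # Require a client certificate issued by the internal developer CA;
        # a request without a valid one is rejected before reaching the app.
        ssl_client_certificate /etc/nginx/creds-api/dev-ca.pem;
        ssl_verify_client on;
        ssl_verify_depth 1;

        # Optional second layer from the answer above: office network only.
        allow 10.0.0.0/8;
        deny  all;

        location / {
            # Hypothetical backend that maps the certificate subject to the
            # credential set(s) this developer is allowed to fetch.
            fastcgi_pass unix:/run/creds-api/app.sock;
            include fastcgi_params;
            fastcgi_param SSL_CLIENT_S_DN   $ssl_client_s_dn;
            fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
        }
    }
}
```

With `ssl_verify_client on`, nginx itself refuses the TLS handshake's request when no valid certificate is offered, so the application never sees unauthenticated callers; it only has to look at the forwarded subject DN to decide which project's credentials to return. Losing the lookup key alone is then not enough to pull secrets, which is the risk reduction the second answer describes.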