@Sir_Boops .onion is pretty good, it's a *huge* step in the right direction

but...

it's an incomplete answer in its own. It doesn't provide a solution for key rotation (including migrating your stuff to a new .onion)

Also, content addressed storage can help a lot. It doesn't have to be cleartext CAS; look at tahoe-lafs for an example of symmetrically encrypted stored objects