(no title)

a rogue employee who created a secret, or any engineer who had to access that secret to get their job done, is always going to be able to use that secret value, regardless of where the encrypted blob is stored.

seems like we should be making it easier to rotate secret values often and automatically.