KMS providers (AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault) keep the master encryption key inside hardware that cannot export it. Applications send ciphertext for unwrap or wrap operations; the KMS does the work and returns the result. On Digitorn the KMS layer is pluggable: env-based for dev, AWS KMS for AWS deployments, the rest for everything else.
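The wrap/unwrap contract described above, as an added Go example (not Digitorn's code): callers program against a provider interface and only ever hold data keys and wrapped blobs. The names `KeyWrapper`, `EnvKMS` and `DEV_MASTER_KEY` are hypothetical, and AES-256-GCM under an environment-supplied key is an assumed stand-in for the env-based dev provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"os"
)

type KeyWrapper interface { // hypothetical provider interface; the caller never holds the master key
	Wrap(dataKey []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
}

type EnvKMS struct{ aead cipher.AEAD } // dev-only provider; master key read from an env variable
// NewEnvKMS loads a base64-encoded 32-byte master key from envVar (variable name is an assumption).
func NewEnvKMS(envVar string) (*EnvKMS, error) {
	raw, err := base64.StdEncoding.DecodeString(os.Getenv(envVar))
	if err != nil || len(raw) != 32 {
		return nil, fmt.Errorf("%s must hold a base64-encoded 32-byte key", envVar)
	}
	block, _ := aes.NewCipher(raw)  // cannot fail: key length checked above
	aead, _ := cipher.NewGCM(block) // cannot fail: AES has a 16-byte block
	return &EnvKMS{aead}, nil
}

// Wrap encrypts a data key with AES-256-GCM; output is nonce || ciphertext || tag.
func (k *EnvKMS) Wrap(dataKey []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, dataKey, nil), nil
}

func (k *EnvKMS) Unwrap(wrapped []byte) ([]byte, error) {
	if n := k.aead.NonceSize(); len(wrapped) > n {
		return k.aead.Open(nil, wrapped[:n], wrapped[n:], nil) // errors on tamper or wrong master key
	}
	return nil, fmt.Errorf("wrapped key too short")
}

func main() {
	os.Setenv("DEV_MASTER_KEY", base64.StdEncoding.EncodeToString(make([]byte, 32))) // constructed key
	if kms, err := NewEnvKMS("DEV_MASTER_KEY"); err == nil {
		fmt.Println(kms.Wrap(make([]byte, 32))) // wrapped form of a constructed data key
	}
}
```

A hardware-backed provider would satisfy the same interface by calling the remote service, so the master key never enters process memory the way it does in this dev variant.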
Engineering notes from the Digitorn team. No marketing, no launch announcements, no "10 prompts that will change your life". Just the things we write that we'd want to read.