Support for storing and managing AES Master Encryption Keys in external KMS (AWS Secrets Manager / HashiCorp Vault)


    • Type: Suggestion
    • Resolution: Unresolved
    • Component/s: Security - Other

      User Story
      As a Security Architect or Bitbucket Administrator, I want to store and manage the master AES encryption keys in an external Key Management Service (KMS) or Vault (e.g., AWS Secrets Manager, HashiCorp Vault) rather than the local filesystem, so that our organization meets strict security and compliance standards for secret management.

      Current Behavior
      Currently, Bitbucket Data Center's "Secured secrets by default" feature stores the master AES encryption keys in the $BITBUCKET_SHARED_HOME/keys directory. While these files are protected by standard filesystem permissions (readable only by the Bitbucket process owner), they still reside on the application's storage.

      Requested Change
      Provide a supported configuration to:

      • Offload the master AES encryption key to an external provider (AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault).
      • Allow Bitbucket to fetch or use these keys through the provider's API or an integration, rather than reading a local file.
      • Support rotation of these keys through the external provider's native mechanisms.
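      The three requested capabilities fit a standard envelope-encryption design, sketched below as an added example in Go. It is not Bitbucket code and does not describe how Bitbucket's own key handling works; the MasterKeyProvider interface, the inMemoryVault that stands in for AWS Secrets Manager or HashiCorp Vault, and the Envelope, Encrypt, Decrypt and Rewrap functions are all assumptions made for the illustration. What it shows: the application never holds the master key and only asks the provider to wrap and unwrap per-secret data keys; a provider-side rotation adds a new key version while older versions keep working; and a rewrap pass moves stored envelopes to the newest version without re-encrypting their payload, after which the old version can be retired.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// MasterKeyProvider is a hypothetical seam over whatever holds the AES master key (KEK), a file today or an
// external KMS/Vault as requested; callers only wrap and unwrap data keys through it, the KEK never leaves it.
type MasterKeyProvider interface {
	Wrap(dek []byte) (version uint32, wrapped []byte, err error)
	Unwrap(version uint32, wrapped []byte) (dek []byte, err error)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // an entropy failure is not recoverable
	}
	return b
}

// inMemoryVault stands in for AWS Secrets Manager / HashiCorp Vault so the example runs offline (constructed).
type inMemoryVault struct{ keys [][]byte } // keys[i] is master key version i+1; a nil entry is a retired version
func newVault() *inMemoryVault             { return &inMemoryVault{[][]byte{randomBytes(32)}} }
func (v *inMemoryVault) Rotate()           { v.keys = append(v.keys, randomBytes(32)) }
func (v *inMemoryVault) Retire(ver uint32) { v.keys[ver-1] = nil } // only once nothing is still wrapped under it

// Wrap always uses the newest version and binds it into the AAD so a wrapped DEK cannot be relabelled later.
func (v *inMemoryVault) Wrap(dek []byte) (uint32, []byte, error) {
	ver := uint32(len(v.keys))
	return ver, seal(v.keys[ver-1], dek, binary.BigEndian.AppendUint32(nil, ver)), nil
}
func (v *inMemoryVault) Unwrap(ver uint32, wrapped []byte) ([]byte, error) {
	if ver == 0 || ver > uint32(len(v.keys)) || v.keys[ver-1] == nil {
		return nil, fmt.Errorf("master key version %d not available", ver)
	}
	return open(v.keys[ver-1], wrapped, binary.BigEndian.AppendUint32(nil, ver))
}

type Envelope struct {
	KEKVersion uint32 // master key version the DEK is wrapped under; rotation only ever changes this wrap
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prepended
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes, so this is a programming bug, not runtime input
	}
	g, _ := cipher.NewGCM(block) // cannot fail for a 128-bit block cipher
	return g
}
// seal returns nonce || ciphertext || tag under a fresh random nonce; open reverses it and rejects any tampering.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key, data, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(data) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}

func Encrypt(p MasterKeyProvider, plaintext []byte) (*Envelope, error) {
	dek := randomBytes(32)
	ver, wrapped, err := p.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKVersion: ver, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, nil)}, nil
}
func Decrypt(p MasterKeyProvider, e *Envelope) ([]byte, error) {
	dek, err := p.Unwrap(e.KEKVersion, e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext, nil)
}
// Rewrap moves an envelope onto the newest master key version after a rotation; retire the old version only
// after every envelope has been rewrapped, because Unwrap of a retired version fails.
func Rewrap(p MasterKeyProvider, e *Envelope) error {
	dek, err := p.Unwrap(e.KEKVersion, e.WrappedDEK)
	if err != nil {
		return err
	}
	ver, wrapped, err := p.Wrap(dek)
	if err != nil {
		return err
	}
	e.KEKVersion, e.WrappedDEK = ver, wrapped
	return nil
}
```

      Drive it from a test or a small main: Encrypt, call Rotate on the vault, Rewrap the envelope (its KEKVersion becomes 2 while Ciphertext is byte-for-byte unchanged), Retire(1), and Decrypt still succeeds, whereas an envelope left on version 1 can no longer be unwrapped. Binding the version into the AAD makes the two ordering mistakes an operator can make (retiring before the rewrap pass is complete, or pointing a wrapped DEK at a different version) fail loudly instead of silently. A real provider implementation would replace the vault's methods with calls to the service API; the Go code needs Go 1.19 or later for binary.BigEndian.AppendUint32.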

      Why this is important
      Many enterprise and high-compliance organizations have "zero-secret-on-disk" policies. Storing keys on the filesystem, even with restricted permissions, is flagged as a vulnerability by security audits, because an unauthorized party who gains access to the server's storage layer can read them. Centralizing these keys in a dedicated vault provides better audit trails, hardware-backed key protection (HSM), and centralized rotation policies.

              Assignee:
              Unassigned
              Reporter:
              Amit Singh
              Votes:
              0
              Watchers:
              1