Secrets

Riser Secrets is built on Bitnami Sealed Secrets, a project that uses public-key encryption to manage sensitive values safely in a GitOps environment: a value sealed with a cluster's public key can be committed to Git in the open, because only the Sealed Secrets controller holding that cluster's private key can decrypt it.

Architecture

[Figure: secrets]

The Riser Controller watches the Sealed Secrets public key on each cluster and keeps the Riser Server up to date. Riser never needs access to the private keys; the public key can be shared freely, since anything sealed with it can only be decrypted by the Sealed Secrets controller in that cluster. Riser holds the plaintext secret in memory only for the brief moment needed to encrypt it with the public key, after which Riser retains only the sealed ciphertext. Private keys, including rotation and archival, are managed by the Sealed Secrets controller. See the Sealed Secrets documentation for more details. Work is in progress to support AWS KMS, as well as a general plug-in architecture for other key management solutions.
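The split described above, as an added example in Go that is not Riser's or Sealed Secrets' own code: one side (`ClusterKeys`, standing in for the Sealed Secrets controller) generates and keeps the private key; the other side (`Seal`, standing in for the Riser Server) holds only the public key and touches the plaintext just long enough to encrypt it. The scheme mirrors the hybrid construction Sealed Secrets uses (RSA-OAEP wrapping a fresh AES-256-GCM session key, with the secret's namespace and name as the OAEP label so a sealed value cannot be re-used for a different Secret), but the type names, the `Seal`/`Unseal` functions, the byte layout and the sample values are this example's own assumptions, not a drop-in replacement for `kubeseal`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ClusterKeys stands in for the Sealed Secrets controller on one cluster.
// This is the only place the private key ever exists. (Hypothetical type.)
type ClusterKeys struct{ priv *rsa.PrivateKey }

func NewClusterKeys() (*ClusterKeys, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ClusterKeys{priv: priv}, nil
}

// PublicKey is what the Riser Controller would read from the cluster and
// hand to the Riser Server. It is safe to publish.
func (c *ClusterKeys) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }

// scopeLabel binds a ciphertext to one namespace/name, like Sealed Secrets'
// default strict scope: the same bytes cannot be moved to another Secret.
func scopeLabel(namespace, name string) []byte { return []byte(namespace + "/" + name) }

// Seal is the server-side operation. It needs only the public key, and the
// plaintext is in memory only for the duration of this call.
// Output layout (assumed for this example): 2-byte big-endian length of the
// RSA-wrapped session key, the wrapped key, then the AES-GCM ciphertext.
func Seal(pub *rsa.PublicKey, namespace, name string, plaintext []byte) ([]byte, error) {
	sessionKey := make([]byte, 32) // fresh AES-256 key per sealed value
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, scopeLabel(namespace, name))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// The session key is never reused, so a fixed all-zero nonce is safe here.
	nonce := make([]byte, gcm.NonceSize())
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	out := make([]byte, 2, 2+len(wrapped)+len(ct))
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	return append(out, ct...), nil
}

// Unseal is the cluster-side operation and the only step that uses the
// private key. A wrong key or a mismatched namespace/name both fail here.
func (c *ClusterKeys) Unseal(namespace, name string, sealed []byte) ([]byte, error) {
	if len(sealed) < 2 {
		return nil, errors.New("sealed value too short")
	}
	n := int(binary.BigEndian.Uint16(sealed))
	if len(sealed) < 2+n {
		return nil, errors.New("sealed value truncated")
	}
	wrapped, ct := sealed[2:2+n], sealed[2+n:]
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, c.priv, wrapped, scopeLabel(namespace, name))
	if err != nil {
		return nil, fmt.Errorf("unwrap session key (wrong cluster key or scope?): %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), ct, nil)
}

func main() {
	cluster, _ := NewClusterKeys()
	pub := cluster.PublicKey() // the only key material the server side sees
	// Constructed sample value; it never reaches the cluster in the clear.
	sealed, err := Seal(pub, "payments", "db-password", []byte("hunter2"))
	if err != nil {
		panic(err)
	}
	back, err := cluster.Unseal("payments", "db-password", sealed)
	fmt.Printf("unsealed in correct scope: %q err=%v\n", back, err)
	_, err = cluster.Unseal("other-team", "db-password", sealed)
	fmt.Println("unsealed in wrong namespace:", err != nil)
}
```

Two things worth noting in this flow. The server side never sees a private key at all, so compromising it yields public keys and, at worst, whatever plaintext is in flight at that instant; the durable state is ciphertext. And because the Sealed Secrets controller rotates keys on a schedule while keeping old private keys, the Riser Controller has to keep refreshing the public key it pushes to the Riser Server so that new values are sealed under the current key rather than an archived one.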