Status: OUT
AKS provides end-to-end secret protection at rest: customer-managed keys encrypt etcd storage via KMS encryption, backed by Key Vault where Microsoft cannot see or extract the encryption keys — ensuring the full chain from secret storage to key management is cryptographically secured.