From having worked in UK FS in the past this reminds me of a more modern version of how PKI key signing ceremonies used to happen :)
It's an interesting contrast with how carefully root CA keys are handled in this kind of setup, compared to things like Kubernetes clusters, where you'll typically get 3+ root CA keys in the clear on the API server disks, and I've seen them committed to configmaps (e.g. in RKEs default setup), and even checked into GH repo's...
For the case of RKE, which I mentioned, I think they do it to have the cluster config available, but no idea why they use a configmap rather than a secret (https://github.com/rancher/rke/issues/1024 is the relevant issue)
It's an interesting contrast with how carefully root CA keys are handled in this kind of setup, compared to things like Kubernetes clusters, where you'll typically get 3+ root CA keys in the clear on the API server disks, and I've seen them committed to configmaps (e.g. in RKEs default setup), and even checked into GH repo's...