Yeah I just learned the role-based access approach last year. No keys ever hit the box so there's nothing for attackers to exfiltrate.