How are my user entered config values secured at rest?

I am concerned about sensitive configuration values such as TLS certs, or service tokens on the filesystem at rest. How are these secured?

These config values are encrypted with a unique key per install.