See #390 for all the details.
Important
Salt 3008.0 changes how master keys are loaded: the new localfs_key backend rejects symlinked key files.
Because of that, master keys provided through secrets are now copied into /home/salt/data/keys as regular files instead of being symlinked from /run/secrets.
If you provide master keys via secrets and also bind-mount the full keys volume, the master private key will be copied onto that persisted volume. To keep the private key off persistent storage, avoid mounting the whole /home/salt/data/keys directory and mount only the minion key subdirectories you need to persist, usually /home/salt/data/keys/minions.
Existing legacy symlinked master keys are replaced automatically with copies of the provided secret. Existing regular master key files are not overwritten; if they do not match the provided secret, the on-disk key wins and a warning is logged.