Sensitive configuration parameters are stored in the digitalmarketplace-credentials repository.
We use Mozilla SOPS to encrypt/decrypt secrets using Amazon KMS.
SOPS can create a file that stores your secrets in your chosen format along with some metadata about how the file should be decrypted.
Because Digital Marketplace encrypts its files with AWS KMS keys, SOPS will attempt to retrieve the correct key from AWS KMS (using the stored profile of the user) and use it to decrypt the file.
For more about SOPS in general, please read the official documentation, which is informative and gives a good overview.
For specific information about how SOPS is used on Digital Marketplace, please consult the README in the credentials repository.
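The file layout described above (secrets plus metadata naming the AWS KMS keys needed for decryption) can be checked before a file is committed. The following is an added example, not code from the credentials repository or the SOPS project: it assumes a SOPS file in JSON format, and the sample document, key ARN and function names are constructed for illustration.

```python
import json
import re

# Envelope SOPS writes in place of each encrypted value.
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:.+,iv:.+,tag:.+,type:\w+\]$")

# Constructed sample: a SOPS-style JSON file with one value left in plaintext.
SAMPLE = json.dumps({
    "api": {"token": "ENC[AES256_GCM,data:Zm9v,iv:aXY=,tag:dGFn,type:str]",
            "password": "hunter2"},
    "region_unencrypted": "eu-west-1",
    "sops": {
        "kms": [{"arn": "arn:aws:kms:eu-west-1:000000000000:key/EXAMPLE-KEY-ID",
                 "created_at": "2024-01-01T00:00:00Z", "enc": "AQICAH..."}],
        "unencrypted_suffix": "_unencrypted",
        "mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]",
        "version": "3.8.1",
    },
})

def plaintext_leaves(node, suffix, path=""):
    """Yield paths of leaf values that are not SOPS ENC[...] envelopes."""
    if isinstance(node, dict):
        for key, value in node.items():
            if suffix and key.endswith(suffix):
                continue  # keys with this suffix are deliberately left unencrypted
            yield from plaintext_leaves(value, suffix, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from plaintext_leaves(value, suffix, f"{path}[{i}]")
    elif node not in (None, "") and not (isinstance(node, str) and ENC_RE.match(node)):
        yield path  # null and empty values carry no secret; anything else should be ENC[...]

def audit_sops_json(text):
    """Return (kms_arns, plaintext_paths) for a SOPS JSON document."""
    doc = json.loads(text)
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        raise ValueError("no sops metadata block: file is not SOPS-encrypted")
    arns = [entry["arn"] for entry in meta.get("kms") or []]
    body = {k: v for k, v in doc.items() if k != "sops"}
    return arns, sorted(plaintext_leaves(body, meta.get("unencrypted_suffix")))

if __name__ == "__main__":
    arns, leaks = audit_sops_json(SAMPLE)
    print("KMS keys:", arns)
    print("plaintext values:", leaks)
```

A non-empty list of plaintext paths, or a `ValueError`, means the file should not be committed as it stands.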