Regarding Orion: The concept docs contain the following example for RemoteFileSystem:

fs = RemoteFileSystem(basepath="<s3://my-bucket/folder/>")

fs.write_path("foo", b"hello")

fs.save("dev-s3")

What das fs.write_path do? Store actual content on the fs? Also, is the secret key stored in the prefect database if you pass them to the settings parameter of RemoteFileSystem and then call fs.save? If so, how is ensured only I can read it and not e.g. a admin at prefect?

to see how files are stored, run:

aws s3 ls <s3://your-bucket/yourpath/>

they are stored as text files with the deployment ID as name

do I understand blocks correctly in that they are encrypted, but if running on prefect cloud the encryption key could theoretically be extracted by you because it is stored on your servers?

Prefect is SOC-2 compliant, certifying that we handle your data with the greatest care and use it only for the purpose that's strictly necessary - does it help? if you have even stricter security requirements, I recommend talking to sales@prefect.io to discuss dedicated hosts

If this is a concern, you can run your prefect agent and jobs in an environment where they have access to the necessary permissions by using an IAM role rather than by using access keys. For example, I am running on EKS and assign a service account to my jobs, which is linked to an IAM role with the specific permissions. This way, no long-lived credentials need be created or used.