-
Task
-
Resolution: Unresolved
-
openshift-4.18
Currently, the encryption-key secrets are kept around for the whole cluster lifetime; the operators intentionally don't clean them up, to make sure that customers can always access their cluster's historical data.
This is a common pain point for customers (https://issues.redhat.com/browse/OCPBUGS-35737), and our recommendation is for them to back up the encryption config alongside etcd and then delete the keys manually by following: https://access.redhat.com/solutions/7039646
To improve that, we should add an option that would allow customers to set a TTL on the secrets so that their cluster isn't impacted by having a huge number of secrets lingering around.
- is related to: OCPBUGS-35737 encryption-config secrets are not getting deleted automatically (Closed)