Add secrets.keys_dir config option

docs/reference/configuration.md

@@ -222,7 +222,7 @@ The secret is not updated when the content of the file changes.
 > Changing the encryption secret afterwards will lead to a loss of all encrypted
 > information in the database.
 
-### `secrets.keys`
+### Singing Keys
 
 The service can use a number of key types for signing.
 The following key types are supported:
@@ -232,15 +232,26 @@ The following key types are supported:
 - ECDSA with the P-384 (`secp384r1`) curve
 - ECDSA with the K-256 (`secp256k1`) curve
 
-Each entry in the list corresponds to one signing key used by MAS.
-The key can either be specified inline (with the `key` property),
-or loaded from a file (with the `key_file` property).
 The following key formats are supported:
 
 - PKCS#1 PEM or DER-encoded RSA private key
 - PKCS#8 PEM or DER-encoded RSA or ECDSA private key, encrypted or not
 - SEC1 PEM or DER-encoded ECDSA private key
 
+The keys can be given as a directory path via `secrets.keys_dir`
+or, alternatively, as an inline configuration list via `secrets.keys`.
+
+#### `secrets.keys_dir`
+
+Path to the directory containing MAS signing key files.
+Only keys that don’t require a password are supported.
+
+#### `secrets.keys`
+
+Each entry in the list corresponds to one signing key used by MAS.
+The key can either be specified inline (with the `key` property),
+or loaded from a file (with the `key_file` property).
+
 A [JWK Key ID] is automatically derived from each key.
 To override this default, set `kid` to a custom value.
 The `kid` can be any case-sensitive string value as long as it is unique to this list;