I have a question. I cannot find a clear answer.
Using EthSigner with HashiCorp Vault, when we need to sign an Ethereum transaction, does the private key leave the Vault and go to EthSigner to do the signature (or the signature occurs outside the vault)? Or does the signature occur inside the vault and return the result to EthSigner (the private key never leaves the vault and stays safe)?
Thank you in advance for your kind help.
EthSigner integrates with Vault by first extracting the private key into memory and then using that constructed wallet internally to sign transactions.
This is a major drawback because ideally the private key should never leave the vault. In the case of Azure Key Vault, the signing happens internal to Key Vault and we never expose or extract the stored key.
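Since the key is read out of Vault in this integration, each successful read of the key's path in Vault's audit log marks a point where the key left Vault. The following is an added example, not part of the original thread or of EthSigner, that lists those reads and flags any reader other than the expected one; the KV path, identities, addresses and log lines are constructed assumptions.

```python
import json

# Assumption: KV v2 path holding the EthSigner signing key (hypothetical).
KEY_PATH = "secret/data/ethsigner/signing-key"
# Assumption: the only identity and host expected to read the key.
ALLOWED = {("approle-ethsigner", "10.0.4.12")}

def _entry(time, kind, who, path, addr, error=None):
    """Build one constructed log line in the audit device's JSON shape."""
    e = {"time": time, "type": kind, "auth": {"display_name": who},
         "request": {"operation": "read", "path": path, "remote_address": addr}}
    if error:
        e["error"] = error
    return json.dumps(e)

# Constructed sample of a Vault file audit device log, one JSON object per line.
SAMPLE_AUDIT_LOG = "\n".join([
    _entry("2024-01-10T09:00:01Z", "request", "approle-ethsigner", KEY_PATH, "10.0.4.12"),
    _entry("2024-01-10T09:00:01Z", "response", "approle-ethsigner", KEY_PATH, "10.0.4.12"),
    _entry("2024-01-11T22:14:40Z", "response", "token-ops-laptop", KEY_PATH, "10.0.9.77"),
    _entry("2024-01-12T03:02:09Z", "response", "token-ci", KEY_PATH, "10.0.7.5", "permission denied"),
    _entry("2024-01-12T03:05:00Z", "response", "token-ci", "secret/data/ci/config", "10.0.7.5"),
    '{"time":"2024-01-12T03:06:00Z","type":"resp',  # truncated line, must be skipped
])

def key_exports(log_text, key_path=KEY_PATH):
    """Return (time, identity, remote_address) for each successful read of key_path."""
    exports = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        if not isinstance(entry, dict):
            continue
        # Count only responses without an error, so each read is counted once
        # and denied attempts are not treated as exports.
        if entry.get("type") != "response" or entry.get("error"):
            continue
        req = entry.get("request", {})
        if req.get("operation") == "read" and req.get("path") == key_path:
            who = entry.get("auth", {}).get("display_name")
            exports.append((entry.get("time"), who, req.get("remote_address")))
    return exports

def unexpected_exports(exports, allowed=ALLOWED):
    """Keep the exports whose (identity, address) pair is not on the allow list."""
    return [e for e in exports if (e[1], e[2]) not in allowed]

if __name__ == "__main__":
    for when, who, addr in unexpected_exports(key_exports(SAMPLE_AUDIT_LOG)):
        print(f"key read out of Vault by {who} from {addr} at {when}")
```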