Safely/correctly adding consul encryption keys to an AWS auto scaling group

The nomad auto join example seemingly doesn’t follow the consul deployment guide - specifically adding encryption keys - to the nodes that run consul.

My first thought was cramming that token into the user data script but some quick googling suggests that’s not a best practice since it’s sensitive information. Are there any other suggestions for creating auto scaling groups that launch consul nodes and properly configure them to have a shared encryption key?