Problem

I need to store encrypted data in a Postgres column.

I know of pgcrypto, however I haven't used it before and don't have a lot of time to research and understand it (which I'd like to, given the data I will be storing in the column).

However, I do have a fairly solid and practical understanding of AWS KMS.

My immediate path of least resistance is to handle the encryption at the application level.

Proposed Solution

  • Encrypt the plain text data using the KMS SDK.
  • Save the encrypted data into the column via the ORM.
  • Retrieve the encrypted data from the database via the ORM.
  • Decrypt the encrypted data using the KMS SDK.

The key would be secured in KMS using EC2 IAM roles.

Good to know:

  • This particular table is not queried often, so performance is not my biggest concern in this instance.
  • My needs are more particular than simply using Encryption at Rest with RDS.

Question:

  • Are there any potential flaws in handling the encryption of database data in this manner?
Chris
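
The four steps proposed in the question, as an added example that is not part of the original post. The `kms` argument is expected to have the call shape of the boto3 KMS client (`encrypt` / `decrypt`). Everything else is an assumption made so that the block runs offline: `FakeKMS`, the in-memory SQLite table standing in for Postgres and the ORM, the helper names and the key alias. The example goes slightly beyond the question by passing an encryption context that ties each ciphertext to its row, and by rejecting values over the 4096-byte limit of KMS `Encrypt` for symmetric keys.

```python
import base64
import os
import sqlite3

MAX_KMS_PLAINTEXT = 4096  # bytes accepted by KMS Encrypt with a symmetric key


def encrypt_field(kms, key_id, plaintext, context):
    """Encrypt one value; returns base64 text suitable for a TEXT column."""
    data = plaintext.encode("utf-8")
    if len(data) > MAX_KMS_PLAINTEXT:
        raise ValueError("too large for KMS Encrypt; needs a data key")
    resp = kms.encrypt(KeyId=key_id, Plaintext=data, EncryptionContext=context)
    return base64.b64encode(resp["CiphertextBlob"]).decode("ascii")


def decrypt_field(kms, stored, context):
    """Decrypt a stored value; the same context must be supplied again."""
    resp = kms.decrypt(CiphertextBlob=base64.b64decode(stored),
                       EncryptionContext=context)
    return resp["Plaintext"].decode("utf-8")


class FakeKMS:
    """Constructed test double with the same call shape; not real encryption."""

    def __init__(self):
        self._vault = {}

    def encrypt(self, KeyId, Plaintext, EncryptionContext):
        blob = os.urandom(32)  # opaque token standing in for ciphertext
        self._vault[blob] = (Plaintext, dict(EncryptionContext))
        return {"CiphertextBlob": blob}

    def decrypt(self, CiphertextBlob, EncryptionContext):
        plaintext, ctx = self._vault[CiphertextBlob]
        if ctx != EncryptionContext:  # stand-in for the real service's rejection
            raise PermissionError("encryption context mismatch")
        return {"Plaintext": plaintext}


def demo():
    kms, db = FakeKMS(), sqlite3.connect(":memory:")  # stand-ins for KMS, Postgres
    db.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, value TEXT)")
    ctx = {"table": "secrets", "row_id": "1"}  # binds the ciphertext to its row
    stored = encrypt_field(kms, "alias/example-key", "constructed-secret", ctx)
    db.execute("INSERT INTO secrets VALUES (1, ?)", (stored,))
    (fetched,) = db.execute("SELECT value FROM secrets WHERE id = 1").fetchone()
    return fetched, decrypt_field(kms, fetched, ctx)
```

With the real service, pass `boto3.client("kms")` in place of `FakeKMS()`; the instance role then needs both `kms:Encrypt` and `kms:Decrypt` on the key.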

0 Answers