[eadmund]

> You encrypt the data before it’s stored with a unique key, then destroy the key when the user requests it.

That makes selects & joins on the data quite a bit more complex. Per-record & per-subject keys are … tricky.