by phkahler 992 days ago
>> It is true that your encryption key is now very long-lived and effectively part of your public interface

No need to encrypt, just store the external key in a table. Not that you're likely to change algorithms.

3 comments

True, you could rotate by persisting the old value and complicate your lookup/join process; not my idea of an acceptable solution, but yep, totally possible and worth it for some set of tradeoffs.
Late edit: I meant to say "No need to encrypt on the fly." Do it once and save it.
You are basically describing Buildkite's previous solution.