What's the threat model? Where do you store the decryption key?

E.g. if my app needs a db connection I can ask a vault service, but I need creds for that. The vault service can rotate the creds very fast, but is it additional security?

The threat model is that your container gets owned.

The password should only exist in the process memory for the few lines of code to open that database connection, and then wiped after you got the handle.

Ideally, homomorphic encryption should be used instead.

https://en.wikipedia.org/wiki/Homomorphic_encryption