We just had an interesting data loss at work, that was due to data being encrypted at rest. We somehow managed to delete the encryption keys (still figuring out how), which became an obvious problem once our main database instance was rebooted.
Luckily we were able to restore the data, but now I (we) really want to learn what a proper setup would look like.
If you have any clear overview reading on the topic I'd be very interested to to know about it.
In particular I'm wondering: how do you back up your encryption keys, or even put them in escrow somewhere? Assuming we don't rotate the keys constantly I would love to just save them in somewhing like a passsword manager that's secured with 2FA/FIDO.
Would love to hear your thoughts!