Low-value secrets are OK with low-effort key management.
If you are using UUIDv7 already, and just want to hide the timestamp part, you don't need an HSM or key rotation. Make up a key, hardcode it into source code (or into your terraform files), and use it with AES/Blowfish. This will not stop nation-state APT attackers, but will provide immediate protection from a random person on the internet. Just make sure that this is not the _sole_ method to protect user identity.
And the most important part: to guard against overenthusiastic security folks, _never_ call this "encryption", but always "obfuscation", especially in the source code. Seeing "EncryptCustomerID" triggers hard questions about key management, and could be pretty dangerous ("We encrypt customer ID, I saw it in the source code... which means we don't need a password"). On the other hand, "ObfuscateCustomerID" makes the intent much clearer.
theamk•28m ago
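The scheme the comment describes, as an added example that is not the commenter's code: build a UUIDv7, show the 48-bit timestamp a raw ID leaks, and implement ObfuscateCustomerID as one raw AES block operation with a hardcoded key (a UUID is exactly one AES-128 block, so no mode or IV is involved; Blowfish's 64-bit block would not cover the ID in one block). The placeholder key, the newUUIDv7/timestampOf helpers and their names are assumptions for this example.

```go
package main

import "crypto/aes"

// Constructed placeholder key. In the scheme above it sits in source or terraform;
// anyone who can read it can reverse every token, which is why this is "obfuscation".
var obfuscationKey = []byte("placeholder-key!") // 16 bytes -> AES-128

// newUUIDv7 builds a UUIDv7: 48-bit Unix-millisecond timestamp, version 7, RFC
// variant. The 74 random bits come from rnd so the example is deterministic.
func newUUIDv7(unixMilli int64, rnd [10]byte) [16]byte {
	var u [16]byte
	ms := uint64(unixMilli)
	for i := 0; i < 6; i++ {
		u[i] = byte(ms >> uint(8*(5-i)))
	}
	copy(u[6:], rnd[:])
	u[6] = (u[6] & 0x0f) | 0x70 // version nibble = 7
	u[8] = (u[8] & 0x3f) | 0x80 // variant bits = 10
	return u
}

// timestampOf reads the 48-bit creation time a raw UUIDv7 exposes to anyone who sees it.
func timestampOf(u [16]byte) int64 {
	var ms uint64
	for i := 0; i < 6; i++ {
		ms = ms<<8 | uint64(u[i])
	}
	return int64(ms)
}

// ObfuscateCustomerID runs a single raw AES block operation over the 16-byte ID.
// One block, no mode, no IV, no MAC: a keyed bijection that keeps the token the
// same size as the UUID, is deterministic, and is reversible by anyone holding the key.
func ObfuscateCustomerID(id [16]byte) (tok [16]byte, err error) {
	c, err := aes.NewCipher(obfuscationKey)
	if err != nil {
		return tok, err
	}
	c.Encrypt(tok[:], id[:])
	return tok, nil
}

// DeobfuscateCustomerID inverts ObfuscateCustomerID on the server side.
func DeobfuscateCustomerID(tok [16]byte) (id [16]byte, err error) {
	c, err := aes.NewCipher(obfuscationKey)
	if err != nil {
		return id, err
	}
	c.Decrypt(id[:], tok[:])
	return id, nil
}
```

timestampOf applied to the token returns an unrelated value, which is the whole point; the round trip only holds for whoever has the key, so the raw ID must still be guarded by real authentication, as the comment says.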