we need to make sure that our backups are also encrypted. This also means that we need to know which keys are needed to handle which version of data, especially if the keys change. Having clear key management becomes fairly important.
Good point re: key management so you know which key to use to decrypt backups. Probably don't want to decrypt/reencrypt all past backups when you rotate keys (though I guess technically that might be more secure assuming the reencrypt step is very safe?)
