
chore: database encryption at rest and in backups #616

@shaoster


Summary

Track database encryption coverage across two surfaces:

  1. Encryption at rest — the Postgres volume on the k3s node is not encrypted at the OS/volume level.
  2. Encryption in transit/backup — backups are GPG-symmetric-encrypted before upload to B2 (implemented in chore: automated daily database backups to off-site encrypted storage #581), but the live database volume is not protected if the node storage is physically compromised.

Why Not Yet

Our current risk model, consistent with the PotterDoc privacy policy, is:

The risk of losing the encryption key or key infrastructure failing — and thereby permanently destroying all user data — is materially higher than the risk of the database falling into the wrong hands.

For a small-scale pottery tracking app with no financial or health data, the confidentiality exposure is low. The availability risk from a botched key rotation or lost passphrase is high and has no recovery path. Until key management infrastructure (e.g. a secrets manager with KMS-backed keys, automated rotation, and break-glass recovery) is in place, introducing encryption at rest adds more risk than it removes.

This issue exists to capture the gap explicitly rather than leave it undocumented.

Blocker

#575 — Secret rotation process and KMS integration must be resolved first. That issue now includes a KMS evaluation section. The minimum bar is automated key rotation with a documented break-glass recovery path that does not require re-encrypting all data.
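To make the minimum bar concrete, here is an added example (not PotterDoc code and not the design #575 will settle on) of the envelope-encryption property it describes: bulk data is encrypted under a per-dataset data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK), and rotating the KEK only re-wraps the DEK, so ciphertext is never re-encrypted. A second wrapped copy under a separately held break-glass KEK gives a recovery path if the primary KEK is lost. Local AES-256-GCM stands in for a KMS here; the KEK ids (`kek-v1`, `kek-v2`, `break-glass`) and the sample plaintext are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is one ciphertext plus its DEK wrapped under one or more KEKs.
// Rotating a KEK touches WrappedDEK only; Ciphertext never changes.
type Envelope struct {
	Ciphertext []byte            // data encrypted under the DEK
	WrappedDEK map[string][]byte // KEK id -> DEK encrypted under that KEK
}

// newKey returns a random 256-bit key (used for both DEKs and KEKs).
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// seal encrypts with AES-256-GCM and prefixes the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; a wrong key or tampered data fails authentication.
func unseal(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Encrypt generates a fresh DEK, encrypts plaintext under it, and wraps the
// DEK under every KEK supplied (primary plus any break-glass/escrow key).
func Encrypt(plaintext []byte, keks map[string][]byte) (*Envelope, error) {
	dek := newKey()
	ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Ciphertext: ct, WrappedDEK: map[string][]byte{}}
	for id, kek := range keks {
		w, err := seal(kek, dek)
		if err != nil {
			return nil, err
		}
		env.WrappedDEK[id] = w
	}
	return env, nil
}

// Decrypt unwraps the DEK with the named KEK and then opens the ciphertext.
func Decrypt(env *Envelope, kekID string, kek []byte) ([]byte, error) {
	w, ok := env.WrappedDEK[kekID]
	if !ok {
		return nil, fmt.Errorf("no DEK wrapped under KEK %q", kekID)
	}
	dek, err := unseal(kek, w)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK with %q: %w", kekID, err)
	}
	return unseal(dek, env.Ciphertext)
}

// RotateKEK replaces oldID's wrapping with one under newKEK by unwrapping and
// re-wrapping only the DEK. The bulk ciphertext is not re-encrypted.
func RotateKEK(env *Envelope, oldID string, oldKEK []byte, newID string, newKEK []byte) error {
	w, ok := env.WrappedDEK[oldID]
	if !ok {
		return fmt.Errorf("no DEK wrapped under KEK %q", oldID)
	}
	dek, err := unseal(oldKEK, w)
	if err != nil {
		return fmt.Errorf("unwrap DEK with %q: %w", oldID, err)
	}
	nw, err := seal(newKEK, dek)
	if err != nil {
		return err
	}
	env.WrappedDEK[newID] = nw
	delete(env.WrappedDEK, oldID)
	return nil
}

func main() {
	primary, escrow := newKey(), newKey() // escrow: held separately, break-glass only
	env, _ := Encrypt([]byte("constructed sample row"), map[string][]byte{"kek-v1": primary, "break-glass": escrow})
	_ = RotateKEK(env, "kek-v1", primary, "kek-v2", newKey())
	pt, err := Decrypt(env, "break-glass", escrow) // still works after rotation
	fmt.Println(string(pt), err)
}
```

The point for #575 is the cost model: rotation is O(number of wrapped DEKs), not O(data size), and the break-glass copy is what turns "lost passphrase" from permanent data loss into a documented recovery step.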

When to Revisit

Promote this off wontfix when:

  • Ops: Establish secret rotation process #575 is resolved with a KMS or equivalent key management story.
  • The user base grows to a scale where confidentiality risk justifies operational complexity.
  • Compliance or legal requirements change.

Related Issues

Labels: enhancement (New feature or request), wontfix (This will not be worked on)