oobmigrations: Extract encryption tasks
Created by: efritz
Cleanup encryption in the database and run background encryption as a worker task (not out-of-band migrations). Partial fix to #38050 (closed) and #38052 (closed).
This PR changes (roughly by commit):
- Adds a background task to the
workerservice that encrypts/decrypts values in the database - Adds a
ALLOW_DECRYPTIONflag that stops encrypted writes and flips the background task direction - Updates encryption documentation and adds a changelog note
- Removes four now redundant out-of-band migrations
Pre-work to this PR:
-
(#40050): Consolidates all encryption/decryption to the internal/encryptionpackage (newhelpers.gofile) -
(#40062): Adds a database utility that can encrypt records in batch
Test plan
Existing and new unit tests. End-to-end testing done by encrypting/decrypting values in a local instance.