Once the file has already been received by the server, it can perform simple AES-CTR encryption for the data while its at-rest. No HMACs/KDFs/etc. needed. Key management will be a longer term discussion, as will the possibility of decrypting the data prior to using it for certain processing actions.
Realistically this can be transparent to the client, they probably don't even need a copy of the key.
I am considering this low-priority for now since the in-transit problem is already taken care of with TLS.
As an opt-in feature:
Once the file has already been received by the server, it can perform simple AES-CTR encryption for the data while its at-rest. No HMACs/KDFs/etc. needed. Key management will be a longer term discussion, as will the possibility of decrypting the data prior to using it for certain processing actions.
Realistically this can be transparent to the client, they probably don't even need a copy of the key.
I am considering this low-priority for now since the in-transit problem is already taken care of with TLS.