Encrypting sensitive data

Why not encrypt at the database level? MariaDB provides a free onboard plugin to encrypt the entire database or selected tables.
Using encryption has an overhead of roughly 3-5%.

It is easy to configure, with the possibility of encrypting only tables with sensitive data.

Where is the decryption info kept? If the scripts can access the data then anyone who gains access to the hosting/scripts will then have access to the data. I see this as only beneficial were someone to gain access to just the database and nothing else.

The key file is stored in the root server location “/etc/mysql/” with root permissions. It is plain text, but it can be encrypted as well, and the original plain text can be safely removed later.
The entire database or selected tables can be encrypted, so if someone stole the database, or someone else with read permissions tried to access the data, the table would be protected by encryption, so no readable text would be stolen. It can only be accessed with the proper key and proper user permissions.
And for extra security, Data-in-Transit Encryption with TLS can be activated.


But what about if someone got into the hosting at root level? They would then get access to the key which would enable them to decrypt the data. My suggestion includes the login password as part of the encryption/decryption process meaning that even getting into everything, without a password the decryption keys will be useless.

In my limited understanding, if that occurs, it is a security concern at the server level. I mean, the server should first be secured with a basic initial server setup: no root user, only SSH-key login with a new user with admin privileges, and a firewall with rules to not allow access from any IP using port 22, or even changing that port to another. If there is a team, each member should have a user with proper permissions, and at the database level the Audit Plugin (MariaDB) should be activated; with this you will be able to track every action by every user created at the server level when they manipulate the database.



https://mariadb.com/kb/en/mariadb-audit-plugin/
2 Likes
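
The setup discussed in this thread (a File Key Management key file under /etc/mysql/, TLS in transit, and the Audit Plugin) written out as a MariaDB option-file fragment. This is an added example, not part of any post; the file names under /etc/mysql/, the log path and the audited event list are assumptions.

```ini
# /etc/mysql/mariadb.conf.d/encryption.cnf  (file name is an assumption)
[mariadb]

# --- Data at rest: File Key Management plugin ---
plugin_load_add = file_key_management

# Key file format, one key per line: <key id>;<hex-encoded key>
# A 256-bit key can be generated with: openssl rand -hex 32
#
# Weak variant: keys readable as plain text on disk.
# file_key_management_filename = /etc/mysql/keyfile
#
# Stronger variant: key file encrypted once with
#   openssl enc -aes-256-cbc -md sha1 \
#     -pass file:/etc/mysql/keyfile.key \
#     -in /etc/mysql/keyfile -out /etc/mysql/keyfile.enc
# after which the plain-text /etc/mysql/keyfile is deleted.
file_key_management_filename = /etc/mysql/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/keyfile.key
file_key_management_encryption_algorithm = AES_CTR
# The passphrase file stays on this host, so this protects stolen
# data files and backups, not a host where root is compromised.

# Encrypt only selected tables: leave this OFF and create the
# sensitive ones with  ENCRYPTED=YES ENCRYPTION_KEY_ID=1
# (ON or FORCE encrypts every InnoDB table instead).
innodb_encrypt_tables = OFF
# Redo log, temporary files and binlog also hold rows from encrypted tables.
innodb_encrypt_log = ON
encrypt_tmp_files = ON
encrypt_tmp_disk_tables = ON
encrypt_binlog = ON

# --- Data in transit: TLS ---
ssl_ca = /etc/mysql/tls/ca.pem
ssl_cert = /etc/mysql/tls/server-cert.pem
ssl_key = /etc/mysql/tls/server-key.pem
# Refuse client connections that do not use TLS.
require_secure_transport = ON

# --- Audit Plugin ---
plugin_load_add = server_audit
server_audit_logging = ON
server_audit_events = CONNECT,QUERY_DDL,QUERY_DML,QUERY_DCL
server_audit_file_path = /var/log/mysql/server_audit.log
# Prevent the plugin from being uninstalled at run time.
server_audit = FORCE_PLUS_PERMANENT
```

After a restart, `SELECT NAME, ENCRYPTION_SCHEME FROM information_schema.INNODB_TABLESPACES_ENCRYPTION;` lists the tablespaces that are actually encrypted.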