Fintech Lab
Lesson 85 | Engineering deeper | Advanced
Encryption at rest for sensitive ledger fields
Encrypt at the column level, not just the disk. Your DBA shouldn't see PII.

Disk-level encryption (LUKS, AWS EBS encryption) protects against physical theft of the storage medium. It does NOTHING against a DBA who can log into the database, run SELECT, and read every user's email, phone number, and account number in clear text. For sensitive fields (PII, account numbers, card metadata, transaction descriptions that might contain identifying info) you need APPLICATION-LEVEL encryption, with keys managed in a KMS the DBA has no access to. The journal entries themselves can stay in the clear (amounts and account codes aren't PII), but metadata fields with identifying info get encrypted at write and decrypted on read by the application. This lesson posts an entry with encrypted-at-rest metadata.

Fintech Lab is a free, interactive lab for fintech engineers. Real ledger, your own sandbox, engineering patterns from production.
