in reply to Customer data encryption

I just have time for a quick note/correction.

Output is encrypted using this key with a fast symmetric method i.e. Crypt::CBC(?)

Most ciphers encrypt small, fix-sized blocks. (Usually blocks of exactly 8 or 16 bytes.) Crypt::CBC provides padding (for when the length isn't a multiple of the required block size) and chaining (for when there is more than one block of data).

Crypt::CBC adds two measures of security. Each block is encrypted with a different key, and salt is added (causing a plaintext to result in a different cyphertext every time it's encrypted).

In short, Crypt::CBC converts a block cipher (AES, Blowfish, etc) into a stream cipher in a safe fashion. Crypt::CBC is *not* a cipher itself. It only provides the previously mentioned features. Modules such as Crypt::Rijndael (aka AES), Crypt::Blowfish and Crypt::Twofish provide the actual encryption.

Block ciphers (such as Crypt::Rijndael, Crypt::Blowfish, Crypt::Twofish) should not be used directly. They should be used through Crypt::CBC.