We have a cloud-based application running on AWS servers and are looking for a way to store highly sensitive user data there without giving AWS the possibility of exposing our data to the US government (CLOUD Act). Therefore, we don't want to use AWS-owned services for encryption / decryption like KMS or HSM. We want to stay in full control of the keys that encrypt / decrypt data - all the time.
So we need to encrypt every form input that is sent to the server before it reaches the server, as well as decrypt the encrypted data coming from the server in the browser of the user using our app. We are talking about form inputs plus PDFs and image files that will be uploaded. To make it more complex, we also want to be able to "communicate" within the application with each other in a Slack-style channel system. All entries there (and uploads) need to be encrypted as well before they reach the US server.
We discussed a public key exchange like PGP using session-based tokens and key derivation methods where the master key is stored on our own server.
Do you have any interesting hints or thoughts on this? How would you encrypt / decrypt highly sensitive data of apps living on US clouds? How would you fight the performance problem here?
Thanks for helping out!