You could additionally use encryption at rest where the key is only ever on the client.