It's actually more complex than that. One of the things that really gets in the way of encrypted storage, when you think about it, is the reality that key management involves tradeoffs too. For example, we could divide things up so that you could get the encryption key only on a separate system, and so only a public key and the public-key-encrypted symmetric key are stored. In this model you only get either symmetric key-encrypted data, or the public key-encrypted symmetric key.
The problem though is that someone still has to have the right to rotate keys and this process can be attacked too. For example, one could rotate keys to a known value thus giving the attacker access to the plain text. Worse, the person who can rotate the keys has to have the right to access both old and new keys in an unencrypted state.
Now, given that reality, it isn't clear to me that the fact that someone could set up the database to log all queries, and allowing passphrases for encryption to be passed in in the query poses a real added danger.
Another option is just not to allow key rotation, but that allows for attacks on the key itself. You can get around this by having a different key for each piece of data and thus limit the utility of cracking each piece.
However if you go that route, then you have two computers to secure instead of one, and it is vulnerable to more types of attacks than before since you are now trusting the client.....