System and method for generating symmetric key to implement media access control security check
US-2020358764-A1 · Nov 12, 2020 · US
US11368292B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11368292-B2 |
| Application number | US-202016931210-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 16, 2020 |
| Priority date | Jul 16, 2020 |
| Publication date | Jun 21, 2022 |
| Grant date | Jun 21, 2022 |
Official abstract text for this publication.
Methods and systems for securing customer data in a multi-tenant database environment are described. A key identifier received from a security server may be stored by an application server. The key identifier may be associated with a private key that is accessible by the security server and not accessible by the application server. A request to derive a symmetric key may be transmitted from the application server to the security server, the request including a public key generated by the application server, a salt value, and the key identifier. The symmetric key may then be derived based on the transmitted public key and the private key using a key derivation function. The application server may then receive and store the symmetric key in an in-memory cache, and be used to securely encrypt data received by the application server from client devices.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method for securing client data using an application server, the method comprising: storing, by an application server, a key identifier received from a security server over a network connection, the application server being a separate server than the security server and the key identifier being associated with a private key, the private key being accessible by the security server and not accessible by the application server, the application server also being in communication with a plurality of client devices over a network; transmitting, from the application server to the security server, a request to derive a symmetric key, the request being received after the storing the key identifier, the request comprising a public key generated by the application server, a salt value, and the key identifier; receiving, by the application server, the symmetric key from the security server, the symmetric key being derived based on the transmitted public key and the private key associated with the key identifier using a key derivation function, the symmetric key being stored in an in-memory cache of the application server; and encrypting, by the application server, data received from one of the plurality of client devices using the symmetric key, the encrypted data being stored on persistent storage in communication with the application server.

2. The method of claim 1, wherein both the public key and the private key associated with the key identifier correspond to different points on an elliptic curve.

3. The method of claim 1, wherein the public key and the private key associated with the key identifier are components of a Diffie-Hellman key exchange.

4. The method of claim 1, further comprising: transmitting, by the application server, a request to rotate the symmetric key, the request to rotate comprising a different public key, a different salt, and a different key identifier associated with a different private key accessible by the private server; receiving, by the application server, a different symmetric key from the security server in response to the request to rotate, the different symmetric being derived based on the different public key and the different private key using the key derivation function, the different symmetric key being linked to the symmetric key and further being stored in an in-memory cache of the application server; and encrypting, by the application server, data from one of the plurality of client devices using the different symmetric key.

5. The method of claim 4, further comprising, in response to the receiving the different symmetric key, deleting the symmetric key from a list of symmetric keys, the list of symmetric keys being associated with the application server.

6. The method of claim 4, further comprising maintaining a data structure that lists symmetric keys used by the application server, the table comprising, for each row, a public key used for each symmetric key, a salt used for each symmetric key, and a key identifier used for each symmetric key.

7. The method of claim 1, wherein the private key is retrieved from a key management service in communication with the security server, the key management service storing a plurality of private keys accessible by the security server.

8. The method of claim 1, wherein the key derivation function applies a cryptographic hash function to a key agreement key and the salt value, the key agreement key being generated using a key agreement protocol applied to the public key and the private key associated with the key identifier.

9. An apparatus for securing client data comprising: one or more processors of an application server; and a non-transitory computer readable medium storing a plurality of instructions, which when executed, cause the one or more processors to: store a key identifier received from a security server over a network connection, the application server being a separate server than the security server and the key identifier being associated with a private key, the private key being accessible by the security server and not accessible by the application server, the application server also being in communication with a plurality of client devices over a network; transmit, to the security server, a request to derive a symmetric key, the request being received after the storing the key identifier, the request comprising a public key generated by the application server, a salt value, and the key identifier; receive the symmetric key from the security server over the network connection, the symmetric key being derived based on the transmitted public key and the private key associated with the key identifier using a key derivation function, the symmetric key being stored in an in-memory cache of the application server; and encrypt data from one of the plurality of client devices using the symmetric key, the encrypted data being stored on persistent storage in communication with the application server.

10. The apparatus of claim 9, wherein both the public key and the private key associated with the key identifier correspond to different points on an elliptic curve.

11. The apparatus of claim 9, wherein the public key and the private key associated with the key identifier are components of a Diffie-Hellman key exchange.

12. The apparatus of claim 9, wherein the plurality of instructions, when executed, further cause the one or more processors to: transmitting, by the application server, a request to rotate the symmetric key, the request to rotate comprising a different public key, a different salt, and a different key identifier associated with a different private key accessible by the private server; receiving, by the application server, a different symmetric key from the security server in response to the request to rotate, the different symmetric key being derived based on the different public key and the different private key using the key derivation function, the different symmetric key being linked to the symmetric key and further being stored in an in-memory cache of the application server; and encrypting, by the application server, data from one of the plurality of client devices using the different symmetric key.

13. The apparatus of claim 9, wherein the plurality of instructions, when executed, further cause the one or more processors to: delete the symmetric key from a list of symmetric keys, the list of symmetric keys being associated with the application server, in response to receiving the different symmetric key.

14. The apparatus of claim 9, wherein the plurality of instructions, when executed, further cause the one or more processors to: maintain a data structure that lists symmetric keys used by the application server, the table comprising, for each row, a public key used for each symmetric key, a salt used for each symmetric key, and a key identifier used for each symmetric key.

15. The apparatus of claim 9, wherein the private key is retrieved from a key management service in communication with the security server, the key management service storing a plurality of private keys accessible by the security server.

16. The apparatus of claim 9, wherein the key derivation function applies a cryptographic hash function to a key agreement key and the salt value, the key agreement key being generated using a key agreement protocol applied to the public key and the private key associated with the key identifier.

17. A computer program product comprising computer-readable program code to be executed by one or more processo
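
The derive and rotate exchange described in claims 1, 4, 6 and 8, as an added example that is not code from the patent. Assumptions: X25519 stands in for the elliptic-curve key agreement, HMAC-SHA-256 keyed with the salt stands in for the hash-based key derivation function, and all class and method names are hypothetical.

```python
import hashlib, hmac, os

P, A24, BASE = 2**255 - 19, 121665, (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 in pure Python (not constant time, illustration only)."""
    n = (int.from_bytes(k, "little") & ~7 & (2**255 - 1)) | 2**254  # clamp scalar
    x1 = int.from_bytes(u, "little") & (2**255 - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

class SecurityServer:
    """Hypothetical security server: private keys are looked up by key identifier."""
    def __init__(self):
        self._private = {}
    def issue_key_id(self) -> str:
        key_id = os.urandom(8).hex()
        self._private[key_id] = os.urandom(32)
        return key_id
    def derive(self, public_key: bytes, salt: bytes, key_id: str) -> bytes:
        agreement = x25519(self._private[key_id], public_key)  # key agreement key
        if not any(agreement):  # all-zero output means a low-order public key
            raise ValueError("rejected low-order public key")
        return hmac.new(salt, agreement, hashlib.sha256).digest()  # hash over key + salt

class AppServer:
    """Hypothetical application server: keeps request rows, caches keys in memory."""
    def __init__(self, server: SecurityServer):
        self.server, self.rows, self.cache = server, [], {}
    def request_key(self, key_id: str) -> int:
        public = x25519(os.urandom(32), BASE)  # fresh public key for this request
        self.rows.append((public, os.urandom(16), key_id))  # (public key, salt, key id)
        return self.refresh(len(self.rows) - 1)
    def refresh(self, row: int) -> int:
        self.cache[row] = self.server.derive(*self.rows[row])
        return row
```

In this sketch the rows hold only non-secret values, so clearing the cache and calling `refresh` reproduces the same symmetric key, while a rotation request with a new key identifier adds a row and yields an unrelated key.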
Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these (network architectures or network communication protocols for key exchange in a packet data network H04L63/061) · CPC title
using cryptographic hash functions · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates · CPC title
involving algebraic varieties, e.g. elliptic or hyper-elliptic curves · CPC title