Do Not Encrypt IDs
notnotp.com

Low-value secrets are OK with low-effort key management.
If you are using UUIDv7 already, and just want to hide the timestamp part, you don't need an HSM or key rotation. Make up a key, hardcode it into source code (or into your terraform files), and use it with AES/Blowfish. This will not stop nation-state APT attackers, but will provide immediate protection from a random person on the internet. Just make sure that this is not the _sole_ method to protect user identity.
And the most important part: to guard against overenthusiastic security folks, _never_ call this "encryption", but always "obfuscation", especially in the source code. Seeing "EncryptCustomerID" triggers hard questions about key management, and could be pretty dangerous ("We encrypt customer ID, I saw it in the source code... which means we don't need a password"). On the other hand, "ObfuscateCustomerID" makes the intent much clearer.
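
The approach described above, as an added example that is not part of the original text: a UUIDv7 is exactly one 16-byte AES block, so a single block operation with a hardcoded key hides the timestamp field and stays reversible. The key value, the two sample IDs and the `SameTimestampPrefix` helper are constructed for illustration; the function names follow the "Obfuscate" naming recommended above.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// Constructed sample key, hardcoded on purpose: this is obfuscation, not
// encryption. 16 bytes selects AES-128.
var obfuscationKey = []byte("id-obfuscate-key")

// Constructed UUIDv7 values sharing the same 48-bit millisecond timestamp.
var (
	sampleA = [16]byte{0x01, 0x8f, 0x3c, 0x2a, 0x7b, 0x1e, 0x7c, 0x3d, 0x9a, 0x4b, 0xe2, 0xf1, 0xd0, 0xc5, 0xa6, 0x97}
	sampleB = [16]byte{0x01, 0x8f, 0x3c, 0x2a, 0x7b, 0x1e, 0x7a, 0x11, 0x8f, 0x02, 0x4c, 0x6d, 0x9e, 0x01, 0xb2, 0xa3}
)

// ObfuscateCustomerID runs the UUID through a single AES block. A UUID is
// exactly one block, so there is no mode, IV or padding, and the mapping is
// deterministic: the same internal ID always yields the same public ID.
func ObfuscateCustomerID(id [16]byte) (out [16]byte) {
	block, err := aes.NewCipher(obfuscationKey)
	if err != nil {
		panic(err) // only reachable if the hardcoded key length is invalid
	}
	block.Encrypt(out[:], id[:])
	return out
}

// DeobfuscateCustomerID recovers the internal UUIDv7 from the public form.
func DeobfuscateCustomerID(pub [16]byte) (out [16]byte) {
	block, err := aes.NewCipher(obfuscationKey)
	if err != nil {
		panic(err)
	}
	block.Decrypt(out[:], pub[:])
	return out
}

// SameTimestampPrefix reports whether the first 6 bytes (the UUIDv7
// timestamp field) of two values are equal.
func SameTimestampPrefix(a, b [16]byte) bool {
	return bytes.Equal(a[:6], b[:6])
}

func main() {
	fmt.Printf("internal %x -> public %x\n", sampleA, ObfuscateCustomerID(sampleA))
	fmt.Printf("internal %x -> public %x\n", sampleB, ObfuscateCustomerID(sampleB))
}
```

Because the mapping is deterministic, the public value can be stored or indexed like any other ID; anyone who obtains the hardcoded key can reverse it, which is why access control must not depend on it.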