Encryption at Rest
The practice of encrypting stored data so it remains unreadable without the appropriate decryption key, even if the storage medium is compromised.
Description
Encryption at rest protects stored data from unauthorized access by transforming it into ciphertext that is unreadable without the corresponding decryption key. This safeguards data on disk, in databases, in object storage, in backups, and on removable media against threats like physical theft, unauthorized disk access, and improper decommissioning of hardware. Even if an attacker gains access to the raw storage, the data remains protected.
There are multiple levels of encryption at rest: full-disk encryption (FDE) using solutions like LUKS or BitLocker; filesystem-level encryption like eCryptfs or fscrypt; database-level encryption such as Transparent Data Encryption (TDE) in PostgreSQL, MySQL, or SQL Server; and application-level encryption where the application encrypts specific fields before storing them. Each level provides different trade-offs between granularity, performance, and key management complexity.
Application-level encryption (also called field-level encryption) provides the strongest protection because data remains encrypted even from database administrators and is only decrypted by the application when needed. This is essential for highly sensitive data like PII, payment information, and health records. Cloud providers offer managed encryption (AWS KMS, Google Cloud KMS, Azure Key Vault) that simplifies key management while providing hardware security module (HSM) backing for key storage.
Prompt Snippet
Enable Transparent Data Encryption (TDE) on your database (RDS encryption, PostgreSQL pgcrypto, or MongoDB encrypted storage engine) as a baseline. For sensitive fields (PII, payment data), implement application-level encryption using AES-256-GCM via the Node.js crypto module or libsodium before writing to the database, storing the IV alongside the ciphertext. Manage encryption keys through AWS KMS or HashiCorp Vault with automatic key rotation every 365 days. Encrypt all backups and ensure S3 buckets use SSE-KMS with bucket policies that deny unencrypted PutObject requests.
Related Terms
Encryption in Transit (TLS)
Encrypting data as it moves between systems using TLS to prevent eavesdropping, tampering, and man-in-the-middle attacks.
Cryptographic Key Management
The practices and systems for generating, storing, distributing, rotating, and retiring cryptographic keys throughout their lifecycle.
Secrets Management
The practice of securely storing, accessing, rotating, and auditing sensitive credentials like API keys, tokens, and passwords.