Encryption at Rest

Definition

Protecting stored data by encrypting it while it sits on storage devices. Like keeping sensitive documents in a locked safe when they're not being used.

Use Cases

Provider Equivalents

Frequently Asked Questions

What's the difference between encryption at rest and encryption in transit?
Encryption at rest protects data while it is stored on disks, SSDs, backups, or database files. Encryption in transit protects data while it moves across networks (for example, using TLS/HTTPS). Most secure systems use both: at rest against exposure of stored data (stolen media, leaked snapshots), and in transit against eavesdropping or man-in-the-middle attacks.

When should I use encryption at rest?
Use it whenever you store sensitive or regulated data (PII, PHI, financial data, credentials, API keys) or when you need stronger protection against risks like stolen disks, unauthorized snapshots/backups, or misconfigured access. In practice, many organizations enable encryption at rest by default for databases, object storage, block storage volumes, and backups, then add customer-managed keys and tighter policies for higher-risk datasets.

How much does encryption at rest cost?
Costs depend on (1) whether encryption is included in the storage/database service price, (2) whether you use provider-managed keys or customer-managed keys, and (3) key-management usage such as API calls, key versions, and HSM-backed keys. Many cloud services include at-rest encryption with provider-managed keys at no extra charge, while using KMS/Key Vault/Cloud KMS/OCI Vault with customer-managed keys can add charges for key storage, cryptographic operations, and (optionally) dedicated HSM tiers. There can also be a small performance overhead depending on the service and workload.
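To make the customer-managed-key model in the answers above concrete, here is an added Go example (not code from the original page or from any provider) of envelope encryption, the pattern cloud storage services use for encryption at rest: a random per-object data key (DEK) encrypts the stored record, and a key-encryption key (KEK), standing in for a KMS-held customer-managed key, encrypts only that DEK. It goes one step beyond the FAQ by also showing KEK rotation through re-wrapping, which is what "key versions" refers to. The demoKEK derivation, the object name and the key ids are constructed placeholders; a real KEK never leaves the KMS/HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// StoredObject is the record that lands on the storage device; the KEK that
// unwraps the data key stays in the key-management service, never on disk.
type StoredObject struct {
	KeyID      string // which KEK version wrapped the data key
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK), KeyID as associated data
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext), object name as associated data
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and returns
// nonce || ciphertext; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil // ciphertext appended after nonce
}

// open reverses seal; it fails if key, ciphertext or aad do not match.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Encrypt performs envelope encryption: a random 32-byte DEK encrypts the
// data, and the KEK encrypts only the DEK.
func Encrypt(kek []byte, keyID, objectName string, plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &StoredObject{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the object. The object
// name is checked as associated data, so a ciphertext moved to another path fails.
func Decrypt(kek []byte, objectName string, obj *StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, []byte(obj.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(objectName))
}

// Rewrap rotates the KEK without touching the object ciphertext: only the
// small wrapped DEK is re-encrypted, which keeps rotation cheap for large data.
func Rewrap(oldKEK, newKEK []byte, newKeyID string, obj *StoredObject) error {
	dek, err := open(oldKEK, obj.WrappedDEK, []byte(obj.KeyID))
	if err != nil {
		return fmt.Errorf("unwrap data key: %w", err)
	}
	wrapped, err := seal(newKEK, dek, []byte(newKeyID))
	if err != nil {
		return err
	}
	obj.KeyID, obj.WrappedDEK = newKeyID, wrapped
	return nil
}

// demoKEK derives a 32-byte stand-in for a KMS-held customer-managed key from
// a label. Constructed for this example only; a real KEK is fetched from the KMS.
func demoKEK(label string) []byte {
	k := sha256.Sum256([]byte(label))
	return k[:]
}
```

Typical use is Encrypt before the write, Decrypt after the read, and Rewrap when the KEK version changes. Decrypt fails with a different KEK (a copied volume or snapshot without KMS access stays opaque), with a flipped ciphertext byte (GCM detects tampering), or with a different object name (the associated data binds the ciphertext to its location); after Rewrap the old KEK can no longer unwrap the DEK while the stored ciphertext is unchanged.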

Category: security

Difficulty: intermediate

Related Terms

See Also