Encryption at Rest
Definition
Protecting stored data by encrypting it while it sits on storage devices (disks, SSDs, database files, snapshots, backups) so that anyone who obtains the raw bytes without the key sees only ciphertext. Like keeping sensitive documents in a locked safe when they're not being used: the safe is only as good as the control over who holds the key.
Use Cases
- Dropbox: Protecting files stored on servers so that stored customer content remains unreadable without authorized access. — Uses encryption for stored data and manages encryption keys with strict access controls; encryption is applied to data stored in their infrastructure to reduce exposure if storage media is accessed without authorization. (Reduces risk from lost or stolen storage media and supports customer trust and security expectations for stored files.)
- Netflix: Protecting sensitive operational data (for example, configuration data and service metadata) stored in cloud data stores. — Uses AWS encryption capabilities for data stores and integrates with AWS KMS for centralized key management and access control to encryption keys. (Improves security posture for stored data and supports compliance and internal security requirements through controlled key access and auditing.)
- Adobe: Protecting customer content and account-related data stored in cloud services. — Uses encryption at rest across storage systems and applies centralized key management practices (including access controls and rotation) to protect encryption keys. (Helps meet enterprise customer security requirements and reduces the impact of unauthorized access to stored data.)
Provider Equivalents
- AWS: AWS Key Management Service (KMS)
- Azure: Azure Key Vault
- GCP: Cloud Key Management Service (Cloud KMS)
- OCI: OCI Vault
Frequently Asked Questions
- What's the difference between encryption at rest and encryption in transit?
- Encryption at rest protects data while it is stored on disks, SSDs, backups, or database files. Encryption in transit protects data while it moves across networks (for example, using TLS/HTTPS). Most secure systems use both: at rest for stored data exposure risks, and in transit for eavesdropping or man-in-the-middle risks.
- When should I use encryption at rest?
- Use it whenever you store sensitive or regulated data (PII, PHI, financial data, credentials, API keys) or when you need stronger protection against risks like stolen disks, unauthorized snapshots/backups, or misconfigured access. In practice, many organizations enable encryption at rest by default for databases, object storage, block storage volumes, and backups, then add customer-managed keys and tighter policies for higher-risk datasets. One caveat: a service that encrypts at rest with provider-managed keys decrypts transparently for any identity allowed to read through the service API, so it does not by itself protect against a compromised account or an over-permissive IAM policy. Customer-managed keys let you gate the decrypt operation with a separate key policy, log every use of the key, and disable the key to make existing ciphertext unreadable without touching the storage permissions.
- How much does encryption at rest cost?
- Costs depend on (1) whether encryption is included in the storage/database service price, (2) whether you use provider-managed keys or customer-managed keys, and (3) key-management usage such as API calls, key versions, and HSM-backed keys. Many cloud services include at-rest encryption with provider-managed keys at no extra charge, while using KMS/Key Vault/Cloud KMS/OCI Vault with customer-managed keys can add charges for key storage, cryptographic operations, and (optionally) dedicated HSM tiers. There can also be small performance overhead depending on the service and workload.
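The pattern the answers above describe (a KMS/Key Vault key that never leaves the service, per-object data keys, decrypt access gated at the key) is envelope encryption. The following Go program is an added, self-contained illustration written for this page, not code from any of the companies or providers named here: the `KEK` type is a hypothetical stand-in for a KMS-held key-encryption key, `EncryptAtRest`/`DecryptAtRest` are hypothetical helper names, and the customer record is constructed sample data. It uses only the Go standard library (AES-256-GCM), binds the storage path as associated data so a ciphertext copied to another location fails to open, and shows that disabling the KEK makes data already on disk unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KEK is a hypothetical stand-in for a key-encryption key held inside a KMS
// (AWS KMS, Azure Key Vault, Cloud KMS, OCI Vault). The raw key never leaves
// this struct; callers can only ask it to wrap or unwrap a data key.
type KEK struct {
	key     []byte
	enabled bool // false simulates the key being disabled or scheduled for deletion
}

// NewKEK generates a fresh 256-bit key-encryption key (like a KMS "create key" call).
func NewKEK() (*KEK, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &KEK{key: key, enabled: true}, nil
}

// Disable simulates revoking the key in the KMS: ciphertext still on disk
// becomes unreadable without any change to storage permissions.
func (k *KEK) Disable() { k.enabled = false }

// EncryptedRecord is what actually lands on storage: the data key wrapped by
// the KEK, plus the nonce and ciphertext. None of it is useful without
// unwrap permission on the KEK.
type EncryptedRecord struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Nonce      []byte
	Ciphertext []byte // AES-GCM(DEK, plaintext) with the storage path as AAD
}

const nonceSize = 12 // standard AES-GCM nonce size

// gcmSeal encrypts with AES-256-GCM under key using a fresh random nonce and
// binds aad (authenticated but unencrypted context) to the ciphertext.
func gcmSeal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails if key, nonce, ciphertext or aad differ.
func gcmOpen(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, aad)
}

// Wrap encrypts a data key under the KEK (like a KMS "encrypt"/"generate data key" call).
func (k *KEK) Wrap(dek []byte) ([]byte, error) {
	if !k.enabled {
		return nil, errors.New("kms: key is disabled")
	}
	nonce, ct, err := gcmSeal(k.key, dek, []byte("dek-wrap"))
	if err != nil {
		return nil, err
	}
	return append(nonce, ct...), nil
}

// Unwrap recovers a data key (like a KMS "decrypt" call). In a real deployment
// this is the operation a key policy or IAM policy gates and audit-logs.
func (k *KEK) Unwrap(wrapped []byte) ([]byte, error) {
	if !k.enabled {
		return nil, errors.New("kms: key is disabled")
	}
	if len(wrapped) < nonceSize {
		return nil, errors.New("kms: wrapped key too short")
	}
	return gcmOpen(k.key, wrapped[:nonceSize], wrapped[nonceSize:], []byte("dek-wrap"))
}

// EncryptAtRest does envelope encryption: a unique per-object data key encrypts
// the payload and only that 32-byte key is sent to the KEK to be wrapped.
func EncryptAtRest(kek *KEK, path string, plaintext []byte) (*EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := gcmSeal(dek, plaintext, []byte(path))
	if err != nil {
		return nil, err
	}
	wrapped, err := kek.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptAtRest unwraps the data key via the KEK, then opens the payload.
func DecryptAtRest(kek *KEK, path string, rec *EncryptedRecord) ([]byte, error) {
	dek, err := kek.Unwrap(rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dek, rec.Nonce, rec.Ciphertext, []byte(path))
}

func main() {
	kek, _ := NewKEK()
	secret := []byte("customer-record: ssn=123-45-6789") // constructed sample data
	rec, err := EncryptAtRest(kek, "bucket/customers/42.json", secret)
	if err != nil {
		panic(err)
	}
	out, err := DecryptAtRest(kek, "bucket/customers/42.json", rec)
	fmt.Printf("KEK enabled:  %q err=%v\n", out, err)
	kek.Disable()
	_, err = DecryptAtRest(kek, "bucket/customers/42.json", rec)
	fmt.Printf("KEK disabled: err=%v\n", err)
}
```

The design choice worth noticing is that the bulk data never travels to the key service; only the 32-byte data key does, which is why KMS pricing is per key operation rather than per byte stored, and why a data store can be very large while the decrypt permission stays a single, auditable operation on one key.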
Category: security
Difficulty: intermediate
Related Terms
See Also