Encryption at Rest

Encryption at rest primarily uses symmetric encryption algorithms like AES-256 for bulk data encryption due to their speed. The symmetric data encryption key (DEK) is itself encrypted by a key encryption key (KEK) using asymmetric encryption (e.g., RSA) for secure key management. This two-tiered system separates data protection from key access control.

• Symmetric (AES): Fast, used for encrypting the actual data.
• Asymmetric (RSA/ECC): Used to encrypt and protect the symmetric DEK.
• Envelope Encryption: The standard pattern where a KEK encrypts a DEK, and the DEK encrypts the data.

A Key Management Service (KMS) is the centralized, hardened system responsible for generating, storing, rotating, and auditing cryptographic keys. It is the root of trust for encryption at rest. Cloud providers offer managed KMS (e.g., AWS KMS, Google Cloud KMS, Azure Key Vault), which abstracts the underlying hardware security modules (HSMs).

• Centralized Policy Enforcement: Defines who and what can access keys.
• Automatic Key Rotation: Periodically generates new keys to limit cryptographic exposure.
• Audit Trail: Logs every key usage event for compliance (e.g., SOC 2, HIPAA).
• HSM Backing: Keys are often generated and stored within FIPS 140-2 validated HSMs.

Encryption can be applied at different layers of the stack, each with distinct trade-offs.

Application-Level Encryption:

• Data is encrypted by the application before it is written to storage.
• Provides the highest security as data is never plaintext outside the app.
• The storage system (e.g., database, object store) only sees ciphertext.
• Developer must manage encryption/decryption logic and key access.

Storage-Level Encryption:

• Provided transparently by the storage system (e.g., database, filesystem, block storage).
• Simpler for developers; the system handles encryption/decryption automatically.
• Data may be briefly plaintext in memory or during internal processing within the storage service boundary.

These are key management models that give enterprises greater control over their cryptographic material.

• Bring Your Own Key (BYOK): The customer generates a key in their own HSM and imports it into the cloud provider's KMS. The provider manages the imported key's lifecycle for use with their services. The customer retains the ability to revoke the key.
• Hold Your Own Key (HYOK) / Customer-Managed Keys: A more stringent model where the key never leaves the customer's controlled HSM. The cloud service sends data to be encrypted/decrypted by the customer's external key management system. This is used for maximum regulatory compliance and data sovereignty, as the cloud provider never has access to the plaintext key.

Properly implemented encryption at rest has minimal performance overhead, but architectural choices matter.

• Algorithm Choice: AES-NI CPU instructions make AES-GCM encryption/decryption extremely fast (often <5% overhead).
• Key Caching: Applications should cache DEKs in memory (for the duration of a session) to avoid repeated calls to the KMS, which introduce latency.
• Data Chunking: Large files (e.g., videos in multimodal storage) are encrypted in chunks, allowing parallel processing and random access.
• Metadata Protection: Encrypting data but leaving file names, object metadata, or database column names in plaintext can leak information. Consider additional techniques like format-preserving encryption (FPE) for sensitive metadata fields.

Encryption at rest is one pillar of a comprehensive data security strategy and works in concert with other controls.

• Encryption in Transit: Protects data moving between systems (using TLS). Both are required for defense-in-depth.
• Tokenization: Replaces sensitive data with a non-sensitive equivalent (token) that has no mathematical relation to the original data. Used for specific fields like credit card numbers.
• Data Masking: Obscures specific data within a dataset (e.g., showing only the last four digits of a SSN). Used for non-production environments.
• Immutable Storage: Prevents encrypted backups from being deleted or altered, protecting against ransomware that seeks to encrypt or destroy data at rest.

Encryption in transit is the cryptographic protection of data while it is moving between systems over a network. It secures the communication channel, preventing interception or tampering. This is distinct from, and complementary to, encryption at rest.

• Key Protocols: TLS (Transport Layer Security) and its predecessor SSL are the standard protocols.
• Purpose: Ensures data confidentiality and integrity during transfer between clients, servers, and storage systems.
• Relationship to At-Rest: Data is typically decrypted upon receipt before being re-encrypted for storage, meaning both states require separate cryptographic controls.

A Key Management Service (KMS) is a centralized, often cloud-based, service for creating, storing, rotating, and controlling access to cryptographic keys used for encryption. It is the critical control point for encryption at rest.

• Core Function: Generates and manages the Data Encryption Keys (DEKs) that encrypt the actual data and the Key Encryption Keys (KEKs) that encrypt the DEKs.
• Security Model: KEKs never leave the HSM-backed security boundary of the KMS. DEKs are encrypted by the KMS before being stored alongside the data.
• Enterprise Feature: Provides audit logging for all key usage and enables centralized policy enforcement and key rotation.

Bring Your Own Key (BYOK) is a key management model where an organization generates and manages its own root cryptographic keys in a hardware security module (HSM) it controls, then imports them into a cloud provider's KMS. This provides enhanced control and compliance.

• Control vs. Convenience: Shifts ultimate key authority from the cloud provider to the customer, addressing strict regulatory requirements.
• Process: The customer-generated key is exported in encrypted form from their HSM and imported into the cloud KMS, where it becomes the Customer Master Key (CMK).
• Use Case: Essential for financial services, healthcare, and government workloads where data sovereignty and separation of duties are mandated.

A Hardware Security Module (HSM) is a dedicated, tamper-resistant physical computing device that safeguards and manages digital keys, performs encryption/decryption, and provides strong authentication. It is the gold standard for key storage.

• FIPS 140-2/3: HSMs are often validated to these U.S. government security standards, certifying their physical and logical defenses.
• Role in Encryption: HSMs generate and store the most sensitive Key Encryption Keys (KEKs). They perform all cryptographic operations involving these keys internally, so the keys are never exposed in system memory.
• Deployment Models: Available as on-premises appliances, cloud-based dedicated services (e.g., AWS CloudHSM, Google Cloud HSM), or integrated into KMS offerings.

Transparent Data Encryption (TDE) is a specific implementation of encryption at rest offered by database management systems (e.g., SQL Server, Oracle, PostgreSQL) that encrypts the underlying database files, including data and log files, without requiring changes to the application.

• Transparency: The encryption/decryption happens at the storage layer. The database engine handles it automatically, making it 'transparent' to applications querying the data.
• Scope: Protects data 'on disk' from being read via file system access or if physical media is stolen. Data in memory is unencrypted.
• Limitation: While it secures storage, it does not protect data in transit or manage granular, column-level access controls within the database.

Client-side encryption is a security model where data is encrypted on the client's system before it is transmitted to and stored on a server or cloud service. The service provider never has access to the unencrypted data or the keys.

• Maximum Security: Provides zero-trust or confidential computing assurance, as the cloud storage provider cannot read the data.
• Key Responsibility: The client application is entirely responsible for key generation, management, and the encryption/decryption lifecycle.
• Implementation: Often used with object storage (e.g., Amazon S3) where the SDK performs encryption before the PUT request and decryption after the GET response.