Encryption at Rest

Encryption at rest protects stored data when disks, backups, snapshots, exports, or storage services are exposed outside the normal application path.

It is not a complete security model. If the application can legitimately decrypt and return the data, an attacker who compromises that path can still see plaintext. The control is about making stored bytes unreadable without authorized key access.

This chapter covers how to protect stored data without ignoring the operational limits of encryption.