Encryption at Rest
Also Known As
data at rest
TDE
column encryption
full-disk encryption
TL;DR
Encrypting stored data so that physical access to storage media does not expose plaintext — protecting against data theft from stolen drives, decommissioned hardware, and storage breaches.
Explanation
Encryption at rest operates at different layers: full-disk encryption (LUKS, BitLocker), filesystem encryption, database-level transparent data encryption (TDE), and application-level column encryption. Each layer protects against different threats. Full-disk encryption protects against physical drive theft but not against a running compromised server. Application-level encryption protects specific sensitive columns even if the database itself is compromised. Key management is the hard part — encrypted data is only as secure as its key storage.
Diagram
flowchart TD
DATA[Sensitive data] --> ENCRYPT{Encryption layer}
subgraph Options
DISK[Disk encryption<br/>LUKS FileVault<br/>transparent to app]
DB[DB column encryption<br/>app controls keys]
APP2[Application-level<br/>encrypt before storing]
end
ENCRYPT --> DISK & DB & APP2
subgraph Key_Management
KMS[KMS - Key Management Service<br/>AWS KMS HashiCorp Vault]
ROTATE[Key rotation<br/>without re-encrypting all data]
KMS --> ROTATE
end
style DISK fill:#1f6feb,color:#fff
style DB fill:#238636,color:#fff
style APP2 fill:#6e40c9,color:#fff
style KMS fill:#d29922,color:#fff
Common Misconception
✗ Database-level TDE is sufficient for all compliance requirements — TDE protects against disk theft, not against a compromised database user; column-level encryption is needed for sensitive fields.
Why It Matters
GDPR, PCI-DSS, and HIPAA all require encryption of sensitive data at rest — a breach of an unencrypted database exposes every stored record immediately.
Common Mistakes
- Storing encryption keys next to the encrypted data in the same database — a database breach exposes both.
- Using application-level encryption without key rotation — a compromised old key means all historical data is exposed.
- Not encrypting backups — encrypted primary storage with unencrypted backups negates the protection.
- Using the same key for all rows — individual key compromise exposes all data; consider per-row or per-user keys for sensitive fields.
Code Examples
✗ Vulnerable
-- Storing sensitive data unencrypted + key in same table:
CREATE TABLE user_payment_methods (
id INT PRIMARY KEY,
user_id INT,
card_number VARCHAR(16), -- Plaintext PAN — PCI violation
card_cvv VARCHAR(4), -- Should never be stored
encryption_key VARCHAR(64) -- Key next to data — defeats purpose
);
✓ Fixed
-- Application-level column encryption:
CREATE TABLE user_payment_methods (
id INT PRIMARY KEY,
user_id INT,
card_number_encrypted BYTEA NOT NULL, -- AES-256-GCM encrypted
card_number_last4 CHAR(4) NOT NULL, -- For display only
key_version INT NOT NULL -- Enables key rotation
);
-- Keys stored in HSM or secrets manager (Vault, AWS KMS)
-- Never in the same databaseTags
🤝 Adopt this term
£79/year · your link shown here
Added
15 Mar 2026
Edited
22 Mar 2026
Views
30
🤖 AI Guestbook educational data only
|
|
Last 30 days
Agents 0
No pings yet today
Perplexity 7
Amazonbot 7
Unknown AI 2
Ahrefs 2
Google 2
SEMrush 2
Majestic 1
Also referenced
How they use it
crawler 22
crawler_json 1
Related categories
⚡
DEV INTEL
Tools & Severity
🟠 High
⚙ Fix effort: High
⚡ Quick Fix
Use AES-256-GCM for application-level encryption; store keys in a secrets manager separate from the encrypted data; rotate keys annually
📦 Applies To
PHP 7.0+
web
cli
queue-worker
🔗 Prerequisites
🔍 Detection Hints
Sensitive data (SSN, card, health) stored in plaintext DB columns; encryption key in same DB as encrypted data
Auto-detectable:
✗ No
semgrep
trufflehog
⚠ Related Problems
🤖 AI Agent
Confidence: Medium
False Positives: Medium
✗ Manual fix
Fix: High
Context: File
CWE-311
CWE-312