Encryption Layers
Full Disk Encryption

Full Disk Encryption (FDE) encrypts entire storage devices, protecting all data on physical media. FDE operates transparently to applications and operating systems, requiring no application changes. FDE protects against physical device theft and improper disposal but provides limited protection against attacks on running systems: once a system boots and decrypts its volumes, FDE provides no additional protection.

BitLocker (Windows), FileVault (macOS), and dm-crypt/LUKS (Linux) provide operating-system-level FDE. Cloud providers offer encrypted volumes with provider-managed or customer-managed keys.

Filesystem and Volume Encryption

Filesystem and volume encryption provides per-volume encryption keys, enabling different keys for different volumes on the same host. Per-volume keys are useful for multi-tenant hosts where different tenants require key separation. Volume encryption enables selective encryption of sensitive data while leaving less sensitive data unencrypted for performance. Encrypted volumes can be mounted and unmounted independently.

Cloud provider encrypted volumes, including AWS EBS encryption, Azure Disk Encryption, and GCP persistent disk encryption, provide volume-level encryption with key management integration.

Database Encryption

Transparent Data Encryption (TDE) encrypts database pages and transaction logs, protecting data at rest within databases. TDE operates transparently to applications, requiring no query modifications.

Application-layer encryption encrypts specific fields or columns, enabling fine-grained encryption based on data sensitivity. Field-level encryption supports least-privilege access, where different users can access different encrypted fields. Application-layer encryption complicates database operations including indexing, searching, and sorting on encrypted fields. Deterministic encryption enables equality searches but provides weaker security than randomized encryption.

Encryption Patterns
Envelope Encryption

Envelope encryption separates Key Encryption Keys (KEKs) from Data Encryption Keys (DEKs): DEKs encrypt the data, KEKs encrypt the DEKs, and the KEKs are stored in Hardware Security Modules or Key Management Services. Envelope encryption enables KEK rotation without re-encrypting all data, as only the DEKs need re-encryption. This dramatically reduces re-encryption time and complexity.

Per-object DEKs provide cryptographic isolation between objects, limiting the blast radius of a DEK compromise. Object-level DEKs enable fine-grained access control and key rotation.

Application-Level Encryption

Application-level encryption encrypts data before storage, providing end-to-end encryption where cloud providers never see plaintext. It provides the strongest protection but requires careful key management. Field-level and record-level encryption enable selective encryption based on data sensitivity: sensitive fields like credit card numbers can be encrypted while less sensitive fields remain plaintext for searching and indexing.

Searchable encryption techniques, including deterministic encryption and order-preserving encryption, enable limited searching on encrypted data, though with security tradeoffs. Deterministic encryption enables equality searches but leaks equality patterns.

Tokenization

Tokenization replaces sensitive data with non-sensitive tokens, with the token-to-value mapping stored in a secure token vault. Irreversible tokenization uses one-way functions, preventing token-to-value lookup. Reversible tokenization enables token-to-value lookup for authorized users through token vault APIs. Token vaults should be hardened with strict access controls and comprehensive audit logging.

Tokenization reduces PCI DSS scope by removing credit card data from most systems, so that only the token vault requires PCI compliance. Format-preserving tokenization maintains the data format, enabling use in legacy systems.

Cloud Encryption Considerations
Provider-Managed vs. Customer-Managed Keys

Provider-managed keys, including AWS SSE-S3 and GCP default encryption, provide encryption at rest with minimal operational burden. They are suitable for most workloads that have no regulatory key control requirements.

Customer-Managed Encryption Keys (CMEK) give the customer control over encryption keys, enabling key rotation, access control, and audit logging. CMEK is required by regulatory frameworks that mandate key management separation from the cloud provider. CMEK increases operational complexity through key lifecycle management, rotation, and access control, so organizations should use CMEK only when regulatory or business requirements demand it.

Cross-Account Key Management

Cross-account KMS keys for backup vaults provide additional protection by separating backup encryption keys from production keys. Cross-account separation prevents a production account compromise from affecting backup encryption.

Deny-by-default key policies require explicit grants for key usage, preventing accidental or unauthorized key access. Key policies should be reviewed regularly and audited comprehensively. Every decrypt operation should be logged with resource and principal information, enabling detection of unauthorized decryption attempts. Anomaly detection on decrypt operations identifies unusual access patterns.

Key Rotation and Data Migration
Rolling Re-Encryption

Key rotation requires re-encrypting data with new keys, which can be time-consuming for large datasets. Rolling re-encryption processes data in batches, spreading the work over time to avoid performance impact. Re-encryption should be throttled to limit its impact on production systems, and monitoring during re-encryption detects performance degradation or errors. Backpressure mechanisms prevent re-encryption from overwhelming systems by automatically slowing it when system load increases.

Integrity verification after re-encryption ensures that data was correctly re-encrypted without corruption. Verification should include cryptographic checksums and sample decryption tests.

Versioned Keys and Schemas

Key versioning enables multiple key versions to coexist during rotation, with data encrypted under different key versions. Applications should support decryption with any valid key version. Schema versioning enables gradual migration to new encryption schemes, and dual-read support enables applications to read data encrypted under both the old and the new scheme during migration. Migration is complete only when all data has been verified as re-encrypted with the new keys and the old keys can be safely retired.

Encryption Telemetry and Compliance
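As an added example (not from the article) of the key usage logging and anomaly detection this section describes, combined with the deny-by-default grants and decrypt logging from Cross-Account Key Management, the following reviews constructed log lines: the JSON record shape, the grant table, the expected network and the decrypt threshold are all assumptions, not any provider's format or defaults.

```javascript
// Constructed sample log: one JSON record per line (not a real provider's format).
const SAMPLE_LOG = [
  '{"ts":"2024-05-01T10:00:01Z","principal":"role/app-api","key":"key-orders","op":"Decrypt","ip":"10.20.1.5"}',
  '{"ts":"2024-05-01T10:00:04Z","principal":"role/app-api","key":"key-orders","op":"Decrypt","ip":"10.20.1.5"}',
  '{"ts":"2024-05-01T10:01:10Z","principal":"user/contractor","key":"key-orders","op":"Decrypt","ip":"10.20.3.9"}',
  '{"ts":"2024-05-01T10:02:30Z","principal":"role/app-api","key":"key-orders","op":"Decrypt","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:03:00Z","principal":"role/backup-job","key":"key-backup-vault","op":"Decrypt","ip":"10.20.9.1"}',
  '{"ts":"2024-05-01T10:03:20Z","principal":"role/app-api","key":"key-backup-vault","op":"Decrypt","ip":"10.20.1.5"}',
  '{"ts":"2024-05-01T10:04:00Z","principal":"role/app-api","key":"key-orders","op":"Decrypt","ip":"10.20.1.5"}',
].join("\n");

// Deny-by-default: a principal may use a key only if it is listed for that key.
const POLICY = {
  grants: { "key-orders": ["role/app-api"], "key-backup-vault": ["role/backup-job"] },
  network: "10.20.0.0/16", // where key calls are expected to originate (assumed)
  maxDecrypts: 3,          // per principal and key within the reviewed window
};
const ip4 = (s) => s.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;

function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ip4(ip) & mask) >>> 0) === ((ip4(net) & mask) >>> 0);
}

// reviewKeyUsage returns one finding per anomaly: ungranted principals and
// unexpected source networks in log order, then per-principal decrypt volume.
function reviewKeyUsage(text, policy) {
  const findings = [];
  const decrypts = new Map(); // "principal key" -> count
  for (const line of text.split("\n").filter(Boolean)) {
    const e = JSON.parse(line);
    const allowed = policy.grants[e.key] || []; // unknown key: nobody is granted
    if (!allowed.includes(e.principal)) {
      findings.push(`ungranted principal ${e.principal} used ${e.key} (${e.op})`);
    }
    if (!inCidr(e.ip, policy.network)) {
      findings.push(`${e.principal} used ${e.key} from ${e.ip} outside ${policy.network}`);
    }
    if (e.op === "Decrypt") {
      const k = `${e.principal} ${e.key}`;
      decrypts.set(k, (decrypts.get(k) || 0) + 1);
    }
  }
  for (const [k, n] of decrypts) {
    if (n > policy.maxDecrypts) findings.push(`${k} decrypted ${n} times (limit ${policy.maxDecrypts})`);
  }
  return findings;
}
```

On the sample above this yields four findings: the contractor's use of a key it was never granted, the production role reaching the backup key it should be separated from, one call from outside the expected network, and one principal exceeding the decrypt volume threshold.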
Key Usage Logging

Comprehensive logging of key usage, including encrypt and decrypt operations with their resource principals, enables detection of unauthorized key usage. Logs should include timestamp, principal, key ID, and operation type. Anomaly detection on key usage patterns identifies unusual access, including access from unexpected locations, unusual volumes, or access to unusual keys. Automated alerting enables rapid investigation.

Compliance Evidence

Auditors require evidence that encryption is properly implemented and operating effectively. Evidence includes encryption configuration exports, key policy snapshots, and usage logs. Signed policy snapshots provide cryptographic proof of the encryption configuration at specific points in time and should be retained for the audit period. Encryption coverage reports show what percentage of data is encrypted, identifying unencrypted data that requires remediation.

Conclusion
Data encryption at rest requires selecting appropriate encryption layers, implementing efficient key management, and providing comprehensive audit evidence. Security engineers design encryption architectures that balance security with operational efficiency while meeting compliance requirements. Success requires treating encryption as an operational capability that needs monitoring, key rotation, and continuous compliance validation. Organizations that invest in encryption-at-rest fundamentals protect data from physical theft and unauthorized access while demonstrating security controls to auditors and customers.

References
- NIST SP 800-111 Guide to Storage Encryption Technologies
- PCI DSS Tokenization Guidelines
- Cloud Provider Encryption Documentation
- FIPS 140-2/140-3 Cryptographic Module Validation