What is Encryption at Rest?

Definition

Encryption at rest refers to the protection of data stored on physical or virtual storage media using cryptographic algorithms. It ensures that data remains unreadable to unauthorized parties even if the storage medium is physically compromised or improperly decommissioned.

In Depth

Encryption at rest is a critical technical control that protects data in databases, file systems, backups, and removable media. Modern implementations typically use AES-256 for symmetric encryption, and key management is the most complex aspect. Organizations must choose between provider-managed keys (simplest), customer-managed keys held in the provider's key management service (more control), and customer-provided keys managed entirely outside the provider (maximum control, but the highest operational burden).

Major cloud providers offer transparent encryption at rest by default for most storage services, but organizations must verify that every data store is covered, including databases, object storage, block storage, and backup systems.

HIPAA's Security Rule identifies encryption as an addressable implementation specification: organizations must either implement it or document why an equivalent alternative measure is used. SOC 2 auditors verify encryption at rest as part of the Confidentiality criterion. Proper key rotation schedules, secure key storage, and key access logging are just as important as the encryption itself.
