_CORE
Services
AI & Agentic Systems Core Information Systems Cloud & Platform Engineering Data Platform & Integration Security & Compliance QA, Testing & Observability IoT, Automation & Robotics Mobile & Digital
Industries
Banking & Finance Insurance Public Administration Defense & Security Healthcare Energy & Utilities Telco & Media Manufacturing Logistics & E-commerce Retail & Loyalty
References Technologies
Lab
Blog Know-how Tools
About Collaboration Careers
CS EN DE
Let's talk

Encryption at Rest — Encrypting Stored Data

15. 11. 2023 Updated: 24. 03. 2026 1 min read intermediate
This article was published in 2023. Some information may be outdated.

Encryption at rest protects data against physical access to the disk or database. Both a compliance requirement and common sense.

Encryption layers

  • Full Disk Encryption: LUKS, BitLocker, FileVault
  • File/Volume: dm-crypt, VeraCrypt
  • Database: TDE (Transparent Data Encryption)
  • Application-level: Encryption in code before storage
  • Cloud: AWS KMS, Azure Key Vault, GCP KMS

LUKS — Linux

Disk encryption

cryptsetup luksFormat /dev/sdb cryptsetup luksOpen /dev/sdb encrypted_disk mkfs.ext4 /dev/mapper/encrypted_disk

Application-level

from cryptography.fernet import Fernet key = Fernet.generate_key() # Store in KMS! f = Fernet(key) encrypted = f.encrypt(b”sensitive data”) decrypted = f.decrypt(encrypted)

Key Takeaway

Encrypt data at all layers — disk, database, application. Keys in KMS, never alongside the data.

securityencryptionaeskms
Share:

CORE SYSTEMS team

We build core systems and AI agents that keep operations running. 15 years of experience with enterprise IT.

All articles

More know-how

Key Rotation — Rotating Cryptographic Keys

Why and how to rotate encryption keys. Automation, grace period, re-encryption.

Secrets in Kubernetes

How to properly manage secrets in K8s. External Secrets, Sealed Secrets, Vault.

HashiCorp Vault — the secrets management we were missing

Passwords in environment variables, API keys in ConfigMaps. How HashiCorp Vault centralizes secrets management.

Container Security — Docker and Kubernetes in Production

Docker container and Kubernetes cluster security — base image scanning, Pod Security Policies, Network Policies,...