upvote

points

by ggm5 hours ago |
comments
upvoteby juggle-anyhow5 hours ago|
[-]
Encrypted at rest means something different. It means if you pull the hard drive out no one can decrypt it. Not that it is encrypted in the database.
reply
upvoteby stavros3 hours ago|
parent|
[-]
Does encryption at rest actually do much? The percentage of attacks that were perpetrated by people getting physical access to a drive must approach zero.
reply
upvoteby zoogeny22 minutes ago|
parent|
next
[-]
It generally has to do with risk models, especially in single tenant environments.

What I mean is, say I am a b2b service provider and I have a single database for some subset of my clients. That is, multiple clients data are held in the same database. There are many ways to do this but one way I have see is BYOK (Bring Your Own Key). You can have your clients give you secure access to a public/private key pair (e.g. through AWS secrets manager). Then you encrypt anything that gets written into the database using their key.

This means that if there is some security hole in your software that accidentally allows data to be exfiltrated from your servers (e.g. one malicious client sends API requests that allow for a query of data from another target client), the data the API returns will be encrypted using the target clients public/private key.

My own experience with security is that nothing is perfect and good security is like an onion. Encryption at rest isn't perfect and won't handle every possible malicious attack, but it is a layer in the broader strategy. The attacker has to both find a way to exfiltrate the data and trick the server into revealing the shared key. The idea being it is harder to do both than it may be to do either individually.

reply
upvoteby nicce3 hours ago|
parent|
prev|
next
[-]
Depends on what kind of data is in question. Backups and old incremential data can stay encrypted while disks are otherwise in use.
reply
upvoteby stavros3 hours ago|
parent|
[-]
Hm yeah, I always think of encryption at rest as "the drive handles encryption itself", rather than "we encrypted these archives before we wrote them", but fair enough.
reply
upvoteby literalAardvark3 hours ago|
parent|
[-]
Not necessarily the drive, but yeah, where standards mandate encryption at rest you need to have the files on the live disk encrypted.

Usually it's much less of a headache to luks/bitlocker/SED the whole drive so that you don't have to worry about swap files and logs

reply
upvoteby alternatex3 hours ago|
parent|
prev|
next
[-]
I think it's also meant to protect from potential mistakes in handling of hard disk decommissioning which presumably is a common thing with data centers.
reply
upvoteby SoftTalker2 hours ago|
parent|
[-]
Used to be, but e.g. where I work any decommissioned drive has to be DBANed (if it's spinning platters) or secure-erased (SSDs). If it can't be for some reason (e.g. it has failed) it needs to be physically destroyed. I would hope most data centers have similar policies in 2026, but that may be optimistic I guess.
reply
upvoteby dmkolobov2 hours ago|
parent|
prev|
[-]
Unless the attacker is law enforcement.
reply
upvoteby stavros2 hours ago|
parent|
[-]
Law enforcement will just get you to give them the keys.
reply
upvoteby dmantis2 hours ago|
parent|
[-]
Law enforcement of another jurisdiction won't, but can try to snoop into the data.
reply