All HowTo's

Encryption at Rest – What Qualifies?

To put it simply, if a hacker gains access to your system and can access the data as normal, then the data is not encrypted at rest.  See the table below:

There’s two types of so-called “encryption at rest” and each protects against the same thing with one exception, hackers. The “full disk encryption” will not protect the data from someone who has system login access (or guesses the login credentials) to the server (provided the encrypted filesystem is mounted). However, it will protect against theft and data remanence. The “application later encryption” will protect against those who have access to the data but not the decryption key, as well as protecting against theft and data remanence.

So what is application later encryption? The idea is that the application takes encrypted data from the disk or database, decrypts it on the fly, processes it (like displaying it to the user), and then the reverse happens when it comes time to save the data to the disk.

And what is full disk encryption? Call it volume level encryption, or filesystem level encryption. The operating system saves and loads data to/from the filesystem through drivers that know the filesystem is encrypted, and it accounts for it at the OS level. The applications don’t know anything about encryption. When the OS boots, the user/administrator is required to enter the decryption key. The TPM chip may assist at this point.

So what’s the best solution? Both. Combine them.

Here’s the obvious discussion point:

  • Application later encryption protects the data specifically encrypted, not the scraps. So for theft and data remanence, full disk encryption is better.

The point I’m trying to make here is that; if you’re required (for insurance reasons, or for compliance) to “do” encryption at rest, doing just “volume level” full disk encryption is probably not what they’re asking of you. And if you want to protect against hackers gaining access to your data, then application later encryption is for you.

It’s much easier to architect the “full disk encryption” because most operating systems support filesystems that support encryption. Done. But application later encryption requires the developers of the application that “saves” and “retrieves” the data from disk to code it in such a way that the data is encrypted and decrypted as the data is “saved” and “retrieved”.

Here’s a Wikipedia article on the topic.

Leave a Reply

Your email address will not be published. Required fields are marked *