This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.
Encryption at Rest Guide
What Is Encryption at Rest?
Encryption at rest protects data stored on disk or in databases by making it unreadable without the correct decryption key. If an attacker gains physical access to storage media or bypasses access controls, encrypted data remains confidential. This is a fundamental security control required by compliance frameworks including PCI DSS, HIPAA, SOC 2, and GDPR.
Encryption Layers
| Layer | What It Protects | When to Use |
|-------|------------------|-------------|
| Disk encryption | Entire storage volume | Always |
| Database encryption | Specific tables or columns | Sensitive PII data |
| File-level encryption | Individual files | Shared storage, backups |
| Application-level encryption | Specific data fields | End-to-end data protection |
| Backup encryption | Backup archives | All offsite storage |
Disk-Level Encryption
LUKS (Linux Unified Key Setup)
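```bash
# Encrypt a disk with LUKS
# Initialize the LUKS header; this destroys existing data on /dev/sdb1
sudo cryptsetup luksFormat /dev/sdb1
# Unlock the volume and map it to /dev/mapper/encrypted_volume
sudo cryptsetup luksOpen /dev/sdb1 encrypted_volume
# Create a filesystem on the mapped device, then mount it
sudo mkfs.ext4 /dev/mapper/encrypted_volume
sudo mkdir -p /mnt/secure
sudo mount /dev/mapper/encrypted_volume /mnt/secure
```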
AWS EBS Encryption
```bash
# Enable default EBS encryption
aws ec2 enable-ebs-encryption-by-default --region us-east-1

# Create an encrypted volume with a custom KMS key
aws ec2 create-volume \
  --size 100 \
  --region us-east-1 \
  --availability-zone us-east-1a \
  --encrypted \
  --kms-key-id alias/my-app-key
```
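Default EBS encryption applies only to volumes created after it is enabled, so existing volumes still need to be audited. The following is an added example, not code from the original article: it checks the JSON produced by `aws ec2 describe-volumes` for volumes that are unencrypted or encrypted with a key outside an approved set. The volume IDs, key ARNs, and the `audit_volumes` function name are constructed for illustration.

```python
import json

# Constructed placeholder ARNs; substitute the ARN behind alias/my-app-key.
APP_KEY = "arn:aws:kms:us-east-1:111122223333:key/app-key-placeholder"
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/other-key-placeholder"

# Constructed sample shaped like `aws ec2 describe-volumes` output (not real data).
SAMPLE = json.dumps({"Volumes": [
    {"VolumeId": "vol-0aaa", "AvailabilityZone": "us-east-1a",
     "Encrypted": True, "KmsKeyId": APP_KEY},
    {"VolumeId": "vol-0bbb", "AvailabilityZone": "us-east-1a",
     "Encrypted": False},  # unencrypted volumes carry no KmsKeyId
    {"VolumeId": "vol-0ccc", "AvailabilityZone": "us-east-1b",
     "Encrypted": True, "KmsKeyId": OTHER_KEY},
]})


def audit_volumes(describe_volumes_json, approved_key_arns):
    """Return (volume_id, finding) for each volume failing the at-rest policy.

    A volume fails if it is not encrypted, or if it is encrypted with a
    KMS key whose ARN is not in approved_key_arns.
    """
    findings = []
    for vol in json.loads(describe_volumes_json).get("Volumes", []):
        vol_id = vol.get("VolumeId", "<unknown>")
        if not vol.get("Encrypted", False):
            findings.append((vol_id, "unencrypted"))
        elif vol.get("KmsKeyId") not in approved_key_arns:
            findings.append((vol_id, "encrypted-with-unapproved-key"))
    return findings


if __name__ == "__main__":
    for vol_id, finding in audit_volumes(SAMPLE, {APP_KEY}):
        print(f"{vol_id}: {finding}")
```

To run it against a real account, pipe the output of `aws ec2 describe-volumes --region us-east-1` into the function in place of `SAMPLE`.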
GCE Persistent Disk Encryption
Google Cloud encrypts persistent disks with AES-256 by default (CSEK for customer-managed keys).