100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

What is Data Encryption at Rest in a Database?

Learn what encryption at rest is, how transparent data encryption protects stored files, and its limits versus a compromised login.

mediumQ166 of 228 in Database Est. time: 5 minsLast updated:
Open Code Lab

Expected Interview Answer

Data encryption at rest means the data stored on disk β€” table files, indexes, backups, and logs β€” is encrypted so that anyone who gains raw access to the storage medium cannot read the actual values without the correct decryption key.

Most database engines support this either through transparent data encryption (TDE), which encrypts entire data files at the storage layer with no application changes required, or through column-level encryption, which encrypts specific sensitive fields individually before they are written. TDE typically uses a symmetric data-encryption key protected by a separate master key managed in a key vault or hardware security module, so the database transparently decrypts pages into memory when a legitimate query runs but the on-disk bytes remain unreadable ciphertext. This protects against threats like a stolen disk, an improperly discarded backup tape, or unauthorized filesystem access, though it does not protect against a compromised database account that has already been authenticated and can query the data normally.

  • Protects data if physical disks or backups are stolen
  • Requires little to no application code change with TDE
  • Satisfies compliance requirements like PCI-DSS and HIPAA
  • Combines with key rotation for stronger long-term protection

AI Mentor Explanation

A cricket board stores its confidential player contracts in a locked archive room, and even if a thief physically breaks into the building and steals the filing cabinet, the documents inside are written in a private code only the board’s registrar can decode with the master key. Anyone with legitimate registrar access can still read every contract normally. Encryption at rest works the same way: the stolen disk or backup is useless ciphertext without the decryption key, even though an authorized database session reads the data in plain form.

Step-by-Step Explanation

  1. Step 1

    Choose an encryption approach

    Decide between transparent data encryption (whole data files) or column-level encryption (specific sensitive fields).

  2. Step 2

    Generate and store the master key

    Create a master key and store it in a dedicated key vault or hardware security module, separate from the data.

  3. Step 3

    Encrypt the data-encryption key

    Protect the actual data-encryption key by wrapping it with the master key, following envelope encryption practice.

  4. Step 4

    Enable encryption and rotate keys

    Turn on TDE (or apply column encryption) and establish a periodic key rotation policy for long-term protection.

What Interviewer Expects

  • Clear definition distinguishing encryption at rest from encryption in transit
  • Understanding of transparent data encryption vs column-level encryption
  • Awareness that a compromised authenticated session bypasses at-rest protection
  • Mention of key management (master key, vault/HSM) as essential to the design

Common Mistakes

  • Confusing encryption at rest with encryption in transit
  • Assuming encryption at rest protects against a compromised database login
  • Storing the encryption key alongside the encrypted data itself
  • Forgetting that backups also need to be encrypted, not just live data files

Best Answer (HR Friendly)

β€œEncryption at rest means the actual files a database stores on disk, including backups, are scrambled with a key so that if someone steals a hard drive or backup tape, they cannot read anything useful without that separate key. It is a baseline security and compliance requirement, but it is not a substitute for controlling who is allowed to log in and query the database normally.”

Code Example

Enabling transparent data encryption and encrypting a column
-- Enable transparent data encryption for the whole database (engine-specific syntax)
ALTER DATABASE CustomerDB SET ENCRYPTION ON;

-- Column-level encryption for a specific sensitive field
CREATE TABLE Customers (
  customer_id INT PRIMARY KEY,
  name VARCHAR(100),
  ssn_encrypted VARBINARY(256) -- stores AES-encrypted SSN bytes, not plaintext
);

-- Application encrypts before INSERT and decrypts after SELECT
-- using a key retrieved from a separate key management service.

Follow-up Questions

  • How does transparent data encryption differ from column-level encryption?
  • What is envelope encryption and why is it used for key management?
  • Does encryption at rest protect against a SQL injection attack?
  • How should encryption keys be rotated without downtime?

MCQ Practice

1. What does encryption at rest primarily protect against?

Encryption at rest protects the data stored on disk, so stolen or leaked storage media cannot be read without the key.

2. Where should the master encryption key be stored?

Keeping the master key separate from the data it protects is essential, typically via a dedicated key vault or HSM.

3. Which scenario is encryption at rest NOT designed to prevent?

Once a session is authenticated, the database decrypts data for normal queries, so encryption at rest does not stop misuse by an authenticated account.

Flash Cards

What is encryption at rest? β€” Encrypting data stored on disk (files, indexes, backups) so stolen storage media cannot be read without the key.

What is transparent data encryption (TDE)? β€” Whole-database-file encryption at the storage layer requiring no application code changes.

What does encryption at rest NOT protect against? β€” A compromised, already-authenticated database session querying data normally.

Where is the master key stored? β€” Separately from the data, typically in a key vault or hardware security module.

1 / 4

Continue Learning