Encryption at rest protects data if media is lost or stolen. Use LUKS on Linux or provider-managed encryption. Manage keys securely; some providers hold keys, others let you bring your own (BYOK). Check compliance requirements.
Why encrypt at rest
- Threat: If a disk, volume, or backup is lost, stolen, or decommissioned without secure wipe, someone could read the data. Encryption at rest ensures that without the key, data is unreadable.
- Compliance: Many standards (PCI-DSS, HIPAA, GDPR-related) require or recommend encryption of sensitive data at rest. Check your industry and contract requirements.
- Scope: Encrypt databases, volumes, backups, and snapshots. Key management and access control are as important as the algorithm.
Linux: LUKS
- LUKS: Linux Unified Key Setup. Full-disk or partition encryption. Use cryptsetup to create and open volumes. The key can be a passphrase, a key file, or (with integration) a TPM or HSM. Standard on many distros.
- Setup: Create the encrypted volume; put a filesystem on top; mount with the key. Document how to unlock (e.g. passphrase in a vault, key file on a separate medium). Test the recovery procedure.
- Performance: Modern CPUs have AES-NI; overhead is usually low. Measure if you have very I/O-heavy workloads.
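As an added example (not code from this page), a small Python audit of `cryptsetup luksDump` output that checks the setup points above before a volume goes into service: a LUKS2 header, the aes-xts-plain64 cipher with a 512-bit (AES-256) key, argon2id key derivation in every slot, and at least two key slots so that a documented recovery key exists. The dump text is a constructed sample in the LUKS2 luksDump layout (the UUID is a placeholder), and the thresholds are this example's assumptions, not a standard.

```python
"""Audit a `cryptsetup luksDump` listing (added example, not from this page)."""
import re

# Constructed sample following the LUKS2 luksDump layout; UUID is a placeholder.
SAMPLE_DUMP = """\
LUKS header information
Version:        2
Epoch:          3
UUID:           00000000-0000-0000-0000-constructed0
Label:          (no label)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
        Digest ID:  0
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000
"""

ENTRY_RE = re.compile(r"^(\d+): (\S+)$")   # "  0: crypt", "  1: luks2"


def parse_luks_dump(text):
    """Return version, data segments and keyslots with their attributes."""
    info = {"version": None, "segments": [], "keyslots": []}
    section, current = None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line.strip())
        if m and section in ("Data segments", "Keyslots"):
            current = {"id": int(m.group(1)), "type": m.group(2)}
            info["segments" if section == "Data segments" else "keyslots"].append(current)
            continue
        if line[0] not in " \t":                      # top-level line
            key, _, value = line.partition(":")
            if value.strip() == "":
                section, current = key.strip(), None  # section header
            elif key == "Version":
                info["version"] = int(value)
            continue
        if current is not None and ":" in line:       # attribute of current entry
            key, _, value = line.strip().partition(":")
            current[key.strip().lower()] = value.strip()
    return info


def audit_luks(info):
    """List findings a reviewer would raise; empty list means the checks pass."""
    findings = []
    if info["version"] != 2:
        findings.append("header is not LUKS2; remaining checks assume the LUKS2 layout")
        return findings
    for seg in info["segments"]:
        if seg.get("cipher") != "aes-xts-plain64":
            findings.append("segment %d: cipher %r, expected aes-xts-plain64" % (seg["id"], seg.get("cipher")))
    slots = info["keyslots"]
    if len(slots) < 2:
        findings.append("only one key slot: no independent recovery key; add one and store it in the vault")
    for slot in slots:
        if slot.get("pbkdf") != "argon2id":
            findings.append("keyslot %d: PBKDF %s instead of argon2id" % (slot["id"], slot.get("pbkdf")))
        bits = int(slot.get("cipher key", "0 bits").split()[0])
        if bits < 512:   # XTS splits the key in two, so 512 bits = AES-256
            findings.append("keyslot %d: %d-bit XTS key (AES-128); prefer 512-bit" % (slot["id"], bits))
    return findings


def audit_text(text):
    return audit_luks(parse_luks_dump(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_DUMP):
        print("FINDING:", finding)
```

Run it against the real output of `cryptsetup luksDump /dev/<device>` on a host; the one finding on the sample (slot 1 derived with pbkdf2 rather than argon2id) is the kind of drift that appears when a slot was added by an older tool.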
Provider-managed encryption
- Default: Many cloud and hosting providers encrypt volumes and backups by default. Keys are held by the provider (they can decrypt for their operations or if compelled). Often sufficient for general compliance.
- BYOK: Bring Your Own Key. You supply a key (e.g. from your KMS or HSM); the provider uses it to encrypt your data. You control rotation and revocation. Required for some strict compliance or zero-trust. More operational burden; ensure you do not lose the key (data becomes unrecoverable).
- Ask: Where are keys stored? Who can access them? What happens on key loss? Is BYOK available and what is the process?
Key management
- Rotation: Plan key rotation (e.g. yearly or after staff change). With LUKS you can re-encrypt or add a new key slot. With provider encryption, check their rotation and BYOK options.
- Access: Limit who can use or view keys. Audit key access. Revoke access when team members leave.
- Backup: If you hold keys (BYOK or LUKS passphrase), back them up securely. Losing the only copy means losing the data. Use HSM or vault for production keys.
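The BYOK and key-management points above (the provider encrypting under a key you control, rotation, revocation, and the fact that a lost key means lost data) come down to envelope encryption: each object has its own data key (DEK), and only the DEK is wrapped under the key-encryption key (KEK) held in the KMS or HSM. The following Python is an added example, not code from this page or from any provider: KeyVault is an in-memory stand-in for a KMS/HSM, and seal/open_sealed is a toy HMAC-SHA256 encrypt-then-MAC construction standing in for the AES-GCM a real vault would use. All data is constructed.

```python
"""Envelope encryption with KEK rotation (added example, not from this page)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key, label):
    # Derive separate encryption and MAC keys from one key (toy KDF).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # Toy CTR-style keystream: HMAC(enc_key, nonce || counter) blocks.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag before decrypting; a wrong key fails closed."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyVault:
    """Stand-in for a KMS/HSM: holds versioned KEKs; DEKs only leave it wrapped."""

    def __init__(self):
        self.keks = {}        # version -> KEK bytes (never stored alongside data)
        self.current = 0

    def add_kek(self):
        self.current += 1
        self.keks[self.current] = secrets.token_bytes(32)
        return self.current

    def retire_kek(self, version):
        # Revocation: anything still wrapped under this version becomes unreadable.
        del self.keks[version]

    def wrap(self, dek):
        return self.current, seal(self.keks[self.current], dek)

    def unwrap(self, version, wrapped):
        if version not in self.keks:
            raise KeyError("KEK v%d unavailable: data unrecoverable" % version)
        return open_sealed(self.keks[version], wrapped)


def encrypt_object(vault, plaintext):
    # Fresh DEK per object: bulk data sealed with the DEK, the DEK sealed with the KEK.
    dek = secrets.token_bytes(32)
    version, wrapped = vault.wrap(dek)
    return {"kek_version": version, "wrapped_dek": wrapped, "blob": seal(dek, plaintext)}


def decrypt_object(vault, obj):
    dek = vault.unwrap(obj["kek_version"], obj["wrapped_dek"])
    return open_sealed(dek, obj["blob"])


def rotate_kek(vault, objects):
    """Rotate the KEK by re-wrapping every DEK; the stored blobs are untouched."""
    old_version = vault.current
    vault.add_kek()
    for obj in objects:
        dek = vault.unwrap(obj["kek_version"], obj["wrapped_dek"])
        obj["kek_version"], obj["wrapped_dek"] = vault.wrap(dek)
    return old_version, vault.current


def demo():
    """Rotation keeps data readable; losing the last KEK copy does not."""
    vault = KeyVault()
    vault.add_kek()
    objects = [encrypt_object(vault, b"customer record 1"),
               encrypt_object(vault, b"backup snapshot 2024-01")]
    blob_before = objects[0]["blob"]
    old, new = rotate_kek(vault, objects)
    vault.retire_kek(old)                     # old KEK revoked once nothing depends on it
    readable = [decrypt_object(vault, o) for o in objects]
    bulk_unchanged = objects[0]["blob"] == blob_before
    vault.retire_kek(new)                     # simulate losing the only KEK copy
    try:
        decrypt_object(vault, objects[0])
        lost = False
    except KeyError:
        lost = True
    return readable, bulk_unchanged, lost


if __name__ == "__main__":
    print(demo())
```

The design point: rotation touches only the small wrapped DEKs, never the bulk data, so it can be done yearly or after a staff change at low cost; the same structure is why a KEK backup matters, since retiring the last version leaves every object unreadable.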
Summary
Encryption at rest protects data if media is lost or stolen. Use LUKS on Linux or provider-managed encryption. Manage keys securely; check whether provider holds keys or BYOK is available. Check compliance requirements.