Think about data-at-rest encryption as a bit like the OSI model we use for networks: a layered system where each tier plays a distinct role. You wouldn’t trust a network defended at only one layer, and storage is no different! Every layer has blind spots, but when those layers are stacked one on top of the other they cover each other’s weaknesses. That’s what turns ordinary encryption-at-rest into true defense-in-depth.
## Storage Encryption Layers

| # | Description |
|---|---|
| 5 | Application |
| 4 | File System |
| 3 | Volume(s) |
| 2 | RAID |
| 1 | Drive Encryption |
| 0 | BIOS |
## Detailed Breakdown

| Layer | Description | Common Examples | Strengths |
|---|---|---|---|
| Application | Encrypts sensitive fields, columns, or entire tables inside the app or DB. | SQL Server TDE, MongoDB FLE, app-level crypto | Protects data even if backups or disks are exposed; supports granular access control |
| File System | Encrypts individual files or directories on the filesystem. | EFS (Windows), GnuPG, age | Granular control, per-file sharing and key separation |
| Volume(s) | Encrypts logical volumes or containers rather than raw disks. | VeraCrypt volumes, LVM with dm-crypt | Flexible: can target specific volumes; transparent to apps |
| RAID | Encrypts at the controller or array level across multiple disks. | Controller-level RAID encryption | Protects data spread across disks; can be transparent to OS |
| Drive | Full-disk or hardware-based encryption for physical drives. | BitLocker, LUKS, Self-Encrypting Drives | Strong protection for lost/stolen drives; transparent boot after unlock |
| BIOS | Ensures firmware integrity and a measured/secure boot path. | UEFI Secure Boot, TPM measured boot | Prevents early-boot tampering and enforces trusted boot chain |
## Extended Considerations

Beyond the layers shown above, consider:

- Cloud Object / Blob Storage Encryption
  - Cloud providers often encrypt objects at rest (e.g., S3 SSE, Azure Storage Service Encryption). Customers can bring their own keys (BYOK) for stronger control and separation of duties.
- Backup / Archive Encryption
  - Backups, snapshots, and archival media need their own encryption and key management, especially when held offsite or by third parties.
- Memory / Swap Encryption
  - Encrypt swap/page files or use memory encryption features to protect sensitive data paged from RAM to disk.
- Key Management and Rotation
  - Encryption is only as strong as key handling: use dedicated KMS/HSMs, enforce least privilege, rotate keys, and audit access.
- Access Controls and Secrets Management
  - Combine encryption with robust IAM, secrets management, and audit logging to reduce exposed attack surface.
## Keys

There’s little point in encrypting data if the keys that provide access to it live on the same system. Sometimes this is unavoidable; always consider what key-handling options exist. Remember, if you lose the keys it’s unlikely you’ll get the data back. This is a big topic on its own, but please ensure you have (encrypted) backups and good key handling!
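The Application row of the table and the point above about keeping keys away from the data are easiest to see together in envelope encryption: each field gets its own data-encryption key (DEK), the DEK is stored next to the ciphertext only after being wrapped by a key-encryption key (KEK), and the KEK never lives in the data store. The following Go program is an added example written for this page, not code from the original post; the in-memory `KEK` type and the `kms-key-v1`/`kms-key-v2` names are placeholders standing in for a key held by a KMS or HSM, and the column name `customers.ssn` is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KEK is a hypothetical stand-in for a key held by a KMS/HSM. Only the
// wrapped DEKs reach the database; this struct never does.
type KEK struct {
	ID  string
	key []byte // 32 bytes -> AES-256
}

// EncryptedField is what actually lands in the database column.
type EncryptedField struct {
	KEKID      string // which KEK wraps the DEK (needed for rotation)
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext; aad binds the ciphertext to its context
// (column name or KEK id) so a blob cannot be swapped between contexts.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal and fails on any tampering or wrong context.
func unseal(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// NewKEK generates a random KEK; a real deployment would ask the KMS instead.
func NewKEK(id string) (*KEK, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KEK{ID: id, key: k}, nil
}

// EncryptField encrypts one column value under a fresh DEK and wraps the DEK.
func EncryptField(kek *KEK, column string, plaintext []byte) (*EncryptedField, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(column))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek.key, dek, []byte(kek.ID))
	if err != nil {
		return nil, err
	}
	return &EncryptedField{KEKID: kek.ID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptField unwraps the DEK with the matching KEK, then decrypts the value.
func DecryptField(kek *KEK, column string, f *EncryptedField) ([]byte, error) {
	if kek.ID != f.KEKID {
		return nil, fmt.Errorf("field wrapped with KEK %q, have %q", f.KEKID, kek.ID)
	}
	dek, err := unseal(kek.key, f.WrappedDEK, []byte(kek.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, f.Ciphertext, []byte(column))
}

// RotateKEK re-wraps the DEK under a new KEK without touching the ciphertext,
// which is what keeps periodic KEK rotation cheap even for large tables.
func RotateKEK(oldKEK, newKEK *KEK, f *EncryptedField) error {
	dek, err := unseal(oldKEK.key, f.WrappedDEK, []byte(oldKEK.ID))
	if err != nil {
		return err
	}
	wrapped, err := seal(newKEK.key, dek, []byte(newKEK.ID))
	if err != nil {
		return err
	}
	f.KEKID, f.WrappedDEK = newKEK.ID, wrapped
	return nil
}

func main() {
	kek1, _ := NewKEK("kms-key-v1")
	f, _ := EncryptField(kek1, "customers.ssn", []byte("123-45-6789")) // constructed sample
	kek2, _ := NewKEK("kms-key-v2")
	_ = RotateKEK(kek1, kek2, f)
	pt, _ := DecryptField(kek2, "customers.ssn", f)
	fmt.Printf("decrypted after rotation under %s: %s\n", f.KEKID, pt)
}
```

Two design points worth noticing: the column name is passed as AEAD associated data, so a ciphertext copied from one column into another fails to decrypt rather than silently leaking; and rotation rewraps only the 32-byte DEK, so a backup or disk image holding the old ciphertext stays useless without the current KEK and the KMS access needed to use it.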
## Conclusion

Storage encryption isn’t just “turning on BitLocker.” Like the OSI model, each layer addresses different threats. By combining multiple layers and applying solid key management and access controls, you build a more resilient defense for data at rest.