ENCRYPTION-AT-REST
Encryption of stored data — AES-256-GCM with key rotation.
Definition
Recommended standard: AES-256-GCM (FIPS 140-3 approved) or XChaCha20-Poly1305. Keys managed by AWS KMS / GCP KMS / Azure Key Vault / HashiCorp Vault Transit / HSM. Yearly rotation minimum. For databases: Transparent Data Encryption (TDE) or app-level (column-level) encryption. For object storage: S3 SSE-KMS / GCS CMEK.
Origin
Widespread practice since 2010 with FIPS 197 (AES) and regulatory pressure (HIPAA, PCI DSS, GDPR).
Example in context
An S3 bucket with SSE-KMS encrypting all EDIFACT files deposited, using a 12-month rotated CMK key.
Related terms
- Encryption in transit — during transmission.