Well-Architected Framework
Protect data at rest
Data at rest is any data you keep in non-volatile storage. Encrypting data at rest and controlling who can access it are two complementary ways to protect that data from security threats.
The following are solutions for encrypting data at rest:
- Encrypt individual files with Pretty Good Privacy (PGP)
- Use server-side tools such as transparent data encryption (TDE) in Microsoft SQL Server
- Enable encryption in your storage services, such as Amazon S3 server-side encryption (SSE), or in physical storage arrays such as IBM Storage FlashSystem
Before encrypting data at rest, classify your data to determine which assets require the strongest protections.
Why protect data at rest
Protecting data at rest is critical to prevent unauthorized access and mitigate the impact of data breaches. Encryption is also part of many compliance frameworks, such as PCI DSS and SOC 2, and is a key component of a defense-in-depth strategy.
Protect data across all data lifecycle stages: Organizations tend to focus security efforts on data in transit, but stored data is also at risk. Backup tapes, archived datasets, and cloud storage buckets are all attack surfaces. A major bank lost an unencrypted backup tape containing customers' social security numbers and bank account information, and exposed datasets in cloud storage are now a routine industry headline.
Prevent unauthorized access through layered encryption: Relying on a single layer of encryption leaves data vulnerable. Many cloud storage services encrypt data on disk, but that encryption is transparent to any principal with valid credentials: whoever holds a phished password or a brute-forced login reads the plaintext as if the data had never been encrypted. Encrypting the data itself, with keys held outside the storage service, in addition to enabling the service's own encryption closes the gap that a single layer leaves open. For related guidance, refer to protect data in transit and protect sensitive data.
Manage encryption keys separately from data: Encrypted data is only as well protected as the keys that encrypt it. Compliance frameworks such as PCI DSS and SOC 2 require periodic key rotation, and many breaches result not from broken encryption but from compromised or long-lived credentials. Storing encryption keys separately from the data they protect means that an attacker who reaches the data store does not automatically reach the keys, which limits the impact of either compromise on its own.
Protect data at rest with Vault
HashiCorp Vault enables you to manage encryption keys and encrypt data at rest. Vault itself is not a storage service like Amazon S3 or a database, but it can encrypt data before that data is written to external services, and it can hold the keys those services use.
For example, with Microsoft SQL Server you can use Vault's transit secrets engine to hold the key encryption key (KEK) that protects TDE's database encryption key, instead of protecting that key manually on the database host.
When the KEK lives in Vault, you can rotate it to meet compliance requirements such as PCI DSS and SOC 2. Vault's transit secrets engine provides a rotate operation that creates a new version of the key while keeping earlier versions available for decryption, so rotation on its own breaks nothing that is already encrypted. Rotating the KEK also does not re-encrypt anything by itself: once you rotate the key, force SQL Server to re-encrypt the data encryption key (DEK) with the new KEK. Because only the DEK is re-encrypted, the database pages do not need to be rewritten. After every DEK has been rewrapped, raise the key's minimum decryption version so that the retired KEK version can no longer be used.
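To make the rotate-then-rewrap sequence concrete, here is an added example in Go, written for this page rather than taken from Vault or SQL Server. A local KeyRing type models a versioned transit key with a min_decryption_version-style cutoff; the type, its methods and the sample DEK are hypothetical. Records are encrypted under a DEK, the DEK is wrapped under the current KEK version using transit's vault:vN: prefix, and after a rotation only the wrapped DEK is rewrapped while the record ciphertext is never touched. It needs only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// NewAEAD builds an AES-256-GCM AEAD from a 32-byte key.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with g and prepends the random nonce.
func Seal(g cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error on Go 1.24+
	return g.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; GCM authentication fails on a wrong key or tampering.
func Open(g cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// KeyRing is a hypothetical local model of a Vault transit key, not Vault
// itself: each version is a KEK, and MinDecryptionVersion mirrors transit's
// min_decryption_version. Call Rotate once to mint KEK version 1.
type KeyRing struct {
	versions             map[int]cipher.AEAD
	Latest               int
	MinDecryptionVersion int
}

// Rotate adds a fresh KEK version; older versions are kept so DEKs wrapped
// under them still unwrap until they have been rewrapped and retired.
func (r *KeyRing) Rotate() {
	if r.versions == nil {
		r.versions = map[int]cipher.AEAD{}
	}
	k := make([]byte, 32)
	rand.Read(k)
	g, _ := NewAEAD(k) // a 32-byte key cannot fail
	r.Latest++
	r.versions[r.Latest] = g
}

// Wrap encrypts a DEK under the latest KEK as a transit-style "vault:vN:<base64>" string.
func (r *KeyRing) Wrap(dek []byte) string {
	ct := Seal(r.versions[r.Latest], dek)
	return fmt.Sprintf("vault:v%d:%s", r.Latest, base64.StdEncoding.EncodeToString(ct))
}

// Unwrap recovers the DEK, refusing KEK versions that are retired or unknown.
func (r *KeyRing) Unwrap(wrapped string) ([]byte, error) {
	var v, b64 = 0, ""
	if _, err := fmt.Sscanf(wrapped, "vault:v%d:%s", &v, &b64); err != nil {
		return nil, fmt.Errorf("malformed wrapped key: %w", err)
	}
	if v < 1 || v < r.MinDecryptionVersion || v > r.Latest {
		return nil, fmt.Errorf("KEK v%d is outside the decryptable range v%d-v%d", v, r.MinDecryptionVersion, r.Latest)
	}
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	return Open(r.versions[v], ct)
}

// Rewrap moves a wrapped DEK onto the latest KEK. The bulk data encrypted
// under the DEK is never read or rewritten, which keeps KEK rotation cheap.
func (r *KeyRing) Rewrap(wrapped string) (string, error) {
	dek, err := r.Unwrap(wrapped)
	if err != nil {
		return "", err
	}
	return r.Wrap(dek), nil
}

func main() {
	ring := &KeyRing{MinDecryptionVersion: 1}
	ring.Rotate()
	wrapped := ring.Wrap([]byte("0123456789abcdef0123456789abcdef")) // constructed DEK, vault:v1:...
	ring.Rotate()                        // v2 is now the latest KEK
	rewrapped, _ := ring.Rewrap(wrapped) // vault:v2:..., data under the DEK untouched
	ring.MinDecryptionVersion = 2        // retire v1 once every DEK has been rewrapped
	_, err := ring.Unwrap(wrapped)       // refused: v1 is below min_decryption_version
	fmt.Println(rewrapped[:9], err)
}
```

Order matters: rewrap every DEK first, then raise MinDecryptionVersion. Retiring the old version is what makes a KEK version that later leaks useless, and doing it before the last DEK has been rewrapped locks that DEK, and everything under it, out.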
You can also use Vault to control access to data, gaining another layer of protection. Vault can secure access to your external data with dynamic credentials: each credential is issued under a lease with a time to live (TTL), and Vault revokes the credential when the lease expires or when the consumer hands it back early.
For example, you can use Vault to issue your CI/CD pipeline dynamic credentials for an external service such as a PostgreSQL database. The pipeline uses the credentials for the duration of the run; when the pipeline finishes it revokes the lease, or Vault revokes it when the TTL expires, and the next run receives a fresh pair. A credential that leaks from a build log is therefore useless soon after the run that produced it.
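The acquire-use-revoke lifecycle of a pipeline step, as an added example in Go against Vault's HTTP API. The paths database/creds/<role> and sys/leases/revoke, the X-Vault-Token header and the JSON fields lease_id, lease_duration and data are Vault's; the Client type, the ci-readonly role name and the VAULT_ADDR/VAULT_TOKEN environment variables it reads are assumptions for this example, and the code is not the official Vault Go SDK.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"time"
)

// Lease is the part of a Vault secret response a pipeline needs: the
// credential pair plus the lease handle used to hand it back early.
type Lease struct {
	LeaseID       string `json:"lease_id"`
	LeaseDuration int    `json:"lease_duration"` // seconds
	Data          struct {
		Username string `json:"username"`
		Password string `json:"password"`
	} `json:"data"`
}

// Client is a minimal Vault HTTP client on net/http (an added example,
// not the official Vault Go SDK). Addr and Token are assumed values.
type Client struct {
	Addr  string // e.g. https://vault.example.internal:8200
	Token string // the pipeline's own Vault token (from JWT/OIDC auth)
	HTTP  *http.Client
}

func (c *Client) do(method, path string, body []byte) (*http.Response, error) {
	req, err := http.NewRequest(method, c.Addr+"/v1/"+path, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", c.Token)
	return c.HTTP.Do(req)
}

// Creds asks the database secrets engine for a fresh short-lived user
// (GET database/creds/<role>) and returns the lease that owns it.
func (c *Client) Creds(role string) (*Lease, error) {
	resp, err := c.do(http.MethodGet, "database/creds/"+role, nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("creds %s: HTTP %d", role, resp.StatusCode)
	}
	var l Lease
	if err := json.NewDecoder(resp.Body).Decode(&l); err != nil {
		return nil, err
	}
	if l.LeaseID == "" || l.Data.Username == "" {
		return nil, fmt.Errorf("creds %s: response carried no lease", role)
	}
	return &l, nil
}

// Revoke hands the lease back (PUT sys/leases/revoke) so Vault drops the
// database user now rather than waiting for the TTL to expire.
func (c *Client) Revoke(leaseID string) error {
	body, _ := json.Marshal(map[string]string{"lease_id": leaseID})
	resp, err := c.do(http.MethodPut, "sys/leases/revoke", body)
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusNoContent {
		return fmt.Errorf("revoke %s: HTTP %d", leaseID, resp.StatusCode)
	}
	return nil
}

// RunStep is the pipeline pattern: acquire, use, and revoke in a defer so
// the credential is returned even when the step itself fails.
func (c *Client) RunStep(role string, step func(user, pass string, ttl time.Duration) error) (err error) {
	l, err := c.Creds(role)
	if err != nil {
		return err
	}
	defer func() {
		if rerr := c.Revoke(l.LeaseID); rerr != nil && err == nil {
			err = rerr
		}
	}()
	return step(l.Data.Username, l.Data.Password, time.Duration(l.LeaseDuration)*time.Second)
}

func main() {
	c := &Client{Addr: os.Getenv("VAULT_ADDR"), Token: os.Getenv("VAULT_TOKEN"), HTTP: http.DefaultClient}
	err := c.RunStep("ci-readonly", func(user, _ string, ttl time.Duration) error {
		fmt.Printf("connected as %s for at most %s\n", user, ttl) // the password never reaches the log
		return nil
	})
	fmt.Println(err)
}
```

Revoking in a defer means a failed migration or a cancelled job still returns the credential, so the TTL is a backstop rather than the primary cleanup path. The example assumes the ci-readonly role exists and that the pipeline's token is allowed to read database/creds/ci-readonly and update sys/leases/revoke.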
For workloads that cannot use short-lived dynamic credentials, Vault's database secrets engine supports static roles. With a static role, Vault takes over the password of an existing database account and rotates it on a configurable schedule without manual intervention, so the account stays fixed while its password does not. The database secrets engine supports several databases including PostgreSQL, Microsoft SQL Server, MySQL, MongoDB, Snowflake, and Redis. Refer to the database secrets engine documentation for the full list.
HashiCorp resources
- Learn to use Vault dynamic secrets
- Learn to use the versioned key/value secrets engine
- Manage secrets for CI/CD pipelines
- Configure transparent data encryption for Microsoft SQL with Vault
- Learn to re-wrap data after encryption key rotation
- Read the database secrets engine documentation for all supported databases
- Classify data before encrypting it
- Protect data in transit using Vault and Consul
External resources
- Read about the Bank of New York Mellon data tape breach
- Learn about cloud leaks and exposed datasets
- Read the NIST block cipher techniques documentation
Next steps
In this section of Secure data, you learned how to secure and encrypt data at rest using HashiCorp Vault. Protect data at rest is part of the Secure systems pillar.
Visit the following documents to continue building your data protection strategy:
- Protect data in transit to secure data as it moves between systems
- Tokenize data to replace sensitive values such as credit card numbers or patient records with non-sensitive tokens
- Use policy as code to enforce encryption requirements across your infrastructure