
Ask HN: Why use cloud service (e.g. S3) encryption at rest? - tsukaisute
The key is stored in the same system somewhere (or your app wouldn't function). A rogue employee can find the key if they want. Is there a practical benefit other than additional compliance checkboxes being checked?
======
pmontra
If you store data and your web app doesn't need to read it back, you can use
asymmetrical cryptography. It's slower but it's safe in that threat model.
You'll have to download the files to decrypt them.

But even symmetrical cryptography has some value. If the attackers can
download the files from S3 but they can't crack the web app, they can't access
their content. Only very few employees should have the encryption key. If they
know that only 3 of them have it, they should think twice about doing
something wrong. If everybody knows it, it's a free-for-all.

