
Ask HN: What is the point of encryption at rest? - cpitman
Every time there is a data breach, one of the take aways is that the company didn't encrypt their data at rest. The implication is that if they had encrypted at rest, then the data would not have been stolen.

But at rest encryption only protects against someone stealing the actual storage device (and even then, only if they cannot also steal the key). This is a major issue for mobile devices like laptops, but in a data center this means the attacker has physical access to your storage and servers. And once they have physical access, there are lots of other ways that they could compromise data and systems.

So how often would at rest encryption actually have prevented a data breach? Why is it being treated like a major preventative measure?
======
al2o3cr
IIRC one data breach method back in the old days was "employee leaves backup
tape someplace". Encryption-at-rest does a good job in that scenario.

Beyond that, seems like most of the physical-access compromises still involve
at least some interaction with the software - so they would (in principle)
leave traces and/or be detected by IDS. Walking up to a server and physically
removing a hot-swap drive doesn't, so encryption at rest ensures that _that_
attack won't work.

------
gebeeson
At rest encryption would not prevent a breach from happening per se. The data
the breach reveals, however, may be less than accessible due to the encryption.
The data could be accessed but not easily read. That is the hope anyhow.

~~~
cpitman
This is assuming the breach is stealing a disk though, right? If the encrypted
storage is part of an application, and I infiltrate the application or can
trick it into serving me data, then the encryption cannot help. Any runtime
breach isn't really prevented by encryption at rest.

------
wmf
Database encryption would probably protect against an attacker scping files
out.
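The threat-model split the thread keeps returning to (a pulled drive, a lost backup tape, or files scp'd off a box versus an attacker who goes through the running application) can be made concrete in a few dozen lines. The following is an added example, not code from any of the posters. It builds a tiny record store in which the application process holds the key and only ciphertext reaches "disk"; the cipher is a PRF-based keystream plus HMAC (encrypt-then-MAC) constructed from the standard library so it runs anywhere, standing in for a vetted AEAD such as AES-GCM. `RecordStore`, `seal`, `open_record`, `run_scenarios` and the sample record are all assumptions made for the demonstration.

```python
"""Toy model of what encryption at rest does and does not protect.

Added example for this thread, not code from any of the posters. The cipher
below (SHA-256 keystream + HMAC tag, separate derived keys) is a stand-in for a
vetted AEAD like AES-GCM; RecordStore and the sample record are assumptions.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256(enc_key || nonce || counter) blocks, concatenated, cut to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one record: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_record(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered record")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class RecordStore:
    """Application storage layer: the process holds the key; only ciphertext hits 'disk'."""

    def __init__(self, key: bytes):
        self._key = key   # lives in application memory, not on the data volume
        self._disk = {}   # stands in for a file or DB on disk: record id -> ciphertext blob

    def put(self, record_id: str, plaintext: bytes) -> None:
        self._disk[record_id] = seal(self._key, plaintext)

    def get(self, record_id: str) -> bytes:
        # Whoever can reach this method gets plaintext: this is the runtime path.
        return open_record(self._key, self._disk[record_id])

    def disk_image(self) -> dict:
        # What a pulled hot-swap drive, a lost backup tape, or scp'd data files contain.
        return {k: bytes(v) for k, v in self._disk.items()}


def run_scenarios() -> dict:
    """Constructed scenario: one sensitive record, three ways an attacker might reach it."""
    secret = b"ssn=123-45-6789"   # constructed sample data
    key = os.urandom(32)
    store = RecordStore(key)
    store.put("user:42", secret)
    blob = store.disk_image()["user:42"]

    # 1. Offline: the attacker has the bytes from disk/tape/scp but not the key.
    plaintext_visible_on_disk = b"123-45-6789" in blob
    try:
        open_record(os.urandom(32), blob)   # trying some other key
        wrong_key_opens_record = True
    except ValueError:
        wrong_key_opens_record = False

    # 2. Offline with tampering: flipping one ciphertext byte is caught by the tag.
    corrupted = bytearray(blob)
    corrupted[NONCE_LEN] ^= 0x01
    try:
        open_record(key, bytes(corrupted))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    # 3. Runtime: the attacker tricks the application into serving the record.
    via_application = store.get("user:42")

    return {
        "plaintext_visible_on_disk": plaintext_visible_on_disk,
        "wrong_key_opens_record": wrong_key_opens_record,
        "tamper_detected": tamper_detected,
        "runtime_path_returns_plaintext": via_application == secret,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The first two scenarios are the ones at-rest encryption is designed for: the stolen bytes carry no plaintext and cannot be opened or silently modified without the key. The third scenario is the one the thread is worried about, and the code shows why the answer is "no help": the application already holds the key, so anyone who can drive its read path gets exactly what the application gets. Where the key itself sits (same volume, environment variable, KMS or HSM) decides whether scenario 1 actually holds in practice.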

