Glossary

What is Encryption at Rest?

Encryption at rest is the practice of storing data in encrypted form on persistent storage — such as disks, databases, or backup media — so that the data remains protected even if the storage medium is compromised.

Data at rest refers to any data that is stored persistently, as opposed to data in transit (moving across a network) or data in use (being processed in memory). Encryption at rest protects against threats like stolen hard drives, unauthorized database access, compromised backup tapes, and cloud storage breaches.

Encryption at rest can be implemented at different layers. Full-disk encryption (like BitLocker or LUKS) encrypts everything on a drive. Database-level encryption (like Transparent Data Encryption, TDE) encrypts the database's data files at the storage layer, transparently to the application. Application-level encryption encrypts data before writing it to any storage, giving the application full control over who holds the keys.

The critical question with encryption at rest is who holds the keys. If the same server that stores the encrypted data also stores the decryption keys, a full server compromise exposes everything. The strongest approach separates key management from data storage entirely, so that compromising the storage alone is insufficient to read the data.

How Vaulted uses Encryption at Rest

Vaulted provides encryption at rest by design. Secrets are encrypted with AES-256-GCM in the browser before being sent to the server, and stored as ciphertext in Redis. The encryption key never reaches the server — it lives solely in the URL fragment, which browsers do not include in the HTTP request when the link is opened. This means the data at rest in Redis is encrypted with keys that exist in a completely separate location (the shared link), providing a strong separation between encrypted storage and key material.