Ask HN: What is the point of encryption at rest?

3 points by cpitman ↗ HN
Every time there is a data breach, one of the take aways is that the company didn't encrypt their data at rest. The implication is that if they had encrypted at rest, then the data would not have been stolen.

But at rest encryption only protects against someone stealing the actual storage device (and even then, only if they cannot also steal the key). This is a major issue for mobile devices like laptops, but in a data center this means the attacker has physical access to your storage and servers. And once they have physical access, there are lots of other ways that they could compromise data and systems.

So how often would at rest encryption actually have prevented a data breach? Why is it being treated like a major preventative measure?

4 comments

[ 0.29 ms ] story [ 19.3 ms ] thread
At rest encryption would not prevent a breach from happening per se. The data the breach reveals however, maybe less than accessible due to the encryption. The data could be accessed but not easily read. That is the hope anyhow.
This is assuming the breach is stealing a disk though, right? If the encrypted storage is part of an application, and I infiltrate the application or can trick it into serving me data, then the encryption cannot help. Any runtime breach isn't really prevented by encryption at rest.
IIRC one data breach method back in the old days was "employee leaves backup tape someplace". Encryption-at-rest does a good job in that scenario.

Beyond that, seems like most of the physical-access compromises still involve at least some interaction with the software - so they would (in principle) leave traces and/or be detected by IDS. Walking up to a server and physically removing a hot-swap drive doesn't, so encryption at rest ensures that that attack won't work.

Database encryption would probably protect against an attacker scping files out.