
How do you encrypt data at rest?

hi guys,

If someone asks 'do you encrypt your data at rest?' on a Windows 2012 file server, then how would you implement that? We also have Sophos AV on all machines, in case that helps.

Thanks for helping

Shaun Vermaak, Senior Consultant (Awarded 2017, Distinguished Expert 2019)

Something like BitLocker. Encrypting what data exactly?

With SQL you can use SQL Always Encrypted for example
Senior CyberSecurity Engineer
I second BitLocker or HDD encryption...with EFS
Search for a few recent discussions we have had here this week.

Something like BitLocker best practices
ste5an, Senior Developer
Only software encryption!

Because some hardware vendors have terribly failed in implementing proper encryption.

EDIT: just some HW fails..

 2012 (Sandforce):

 2015 (Western Digital):

 2018 (Crucial, Samsung):
Shaun Vermaak, Senior Consultant (Awarded 2017, Distinguished Expert 2019)
If you prefer Sophos, you can use Sophos SafeGuard Enterprise which can manage the keys
David Favor, Fractional CTO (Distinguished Expert 2019)
At rest data encryption seems easy to accomplish...

Use an encrypted filesystem or use database row or column encryption.

Here's the problem...

Now that your data is encrypted, how you manage + rotate your encryption/decryption keys determines your security.

Your data is only as secure as your decryption key + strategy.
btan, Exec Consultant (Distinguished Expert 2019)
Data at rest is basically:
... all data in storage but excludes any data that frequently traverses the network or that which resides in temporary memory. Data at rest includes but is not limited to archived data, data which is not accessed or changed frequently, files stored on hard drives, USB thumb drives, files stored on backup tape and disks, and also files stored off-site or on a storage area network (SAN).
So for Windows, BitLocker for disk encryption as the baseline. Next layer of protection at file level, such as use of EFS, or use Active Directory Rights Management Services (AD RMS) with embedded access rights on top of encryption. I tend to add this for securing more sensitive information such as health records, so that the encryption/rights persist within the file even if it is leaked.
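Putting the thread's advice together for the asker's Windows 2012 file server, the following is an added PowerShell example, not code from any of the posters: BitLocker on the OS and data volumes with recovery passwords escrowed in AD DS, a recovery-password rotation routine for David Favor's key-management point, a check that software AES rather than the drive's own encryption is in use (ste5an's warning), and an EFS audit for btan's file-level layer. It assumes C: is the OS volume on a TPM-equipped, domain-joined host, D: holds the shares, Group Policy already allows backing recovery information up to AD DS, and D:\Shares\HR is a placeholder path.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumptions: Windows Server 2012 file server, C: is the
# OS volume on a host with a TPM, D: holds the shares, the server is domain-joined and policy
# allows BitLocker recovery information to be backed up to AD DS. D:\Shares\HR is a placeholder.
Import-Module BitLocker
Import-Module TrustedPlatformModule

# --- 1. Prerequisites: BitLocker feature installed, TPM initialised --------------------------
if (-not (Get-WindowsFeature -Name BitLocker).Installed) {
    Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature   # reboot, then run again
    return
}
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is missing or not initialised; prepare it (tpm.msc) before enabling BitLocker'
}

# All RecoveryPassword protectors currently on a volume
function Get-RecoveryProtector {
    param([Parameter(Mandatory)][string]$MountPoint)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# --- 2. OS volume: TPM unlocks it at boot; a recovery password is escrowed in AD DS ---------
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$rp = Get-RecoveryProtector -MountPoint 'C:' | Select-Object -Last 1
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId | Out-Null

# --- 3. Data volume: recovery password, plus auto-unlock keyed from the protected OS volume --
Enable-BitLocker -MountPoint 'D:' -EncryptionMethod Aes256 -RecoveryPasswordProtector -UsedSpaceOnly
$rp = Get-RecoveryProtector -MountPoint 'D:' | Select-Object -Last 1
Backup-BitLockerKeyProtector -MountPoint 'D:' -KeyProtectorId $rp.KeyProtectorId | Out-Null
Enable-BitLockerAutoUnlock -MountPoint 'D:'

# --- 4. Key rotation: replace the escrowed recovery password (e.g. after one was disclosed) --
function Update-RecoveryPassword {
    param([Parameter(Mandatory)][string]$MountPoint)
    $old = @(Get-RecoveryProtector -MountPoint $MountPoint)
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $new = Get-RecoveryProtector -MountPoint $MountPoint |
           Where-Object { $old.KeyProtectorId -notcontains $_.KeyProtectorId }
    # Escrow the new password first, then retire the old ones so there is never a gap
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    return $new.KeyProtectorId
}

# --- 5. Verify: every volume protected and using software AES, not the drive's own engine ---
Get-BitLockerVolume | ForEach-Object {
    if ($_.EncryptionMethod -eq 'Hardware') {
        Write-Warning "$($_.MountPoint) relies on the SSD's own (eDrive) encryption; set the hardware-based encryption policy to Disabled and re-encrypt"
    }
    $_ | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
}

# --- 6. File-level layer: audit EFS coverage on a sensitive share (placeholder path) ---------
$share = 'D:\Shares\HR'
$files = @(Get-ChildItem -Path $share -Recurse -File)
$plain = @($files | Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) })
'{0} of {1} files under {2} are not EFS-encrypted' -f $plain.Count, $files.Count, $share
```

Run it from an elevated PowerShell session; the first pass only installs the feature and stops, and the rest runs after the reboot. Rotate a volume's recovery password later with `Update-RecoveryPassword -MountPoint 'D:'`, which escrows the new password in AD DS before the old one is removed. Whether the escrowed passwords are readable only by the right administrators is exactly the key-management question David Favor raises: the disk encryption is only as strong as the controls on that AD attribute.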
Sounds like someone's asking about PCI compliance. You've already gotten some good answers (BitLocker's quick and easy, and if you're just concerned about database data, the suggestion about SQL Always Encrypted is a good one), but just in case you're not sure what it MEANS as a concept...

Imagine you have a web application that is rock-solid and REALLY REALLY secure. The code has oodles of layers of security, two-factor authentication, been pen-tested, etc... Now imagine your web application is physically hosted on a server in some network room. It turns out that a disgruntled ex-employee's keycard still works, so at night he goes into the room and steals the server.

Now, the Windows passwords have changed, so he can't log in, so he turns off the PC and pulls out the hard drives and plugs the drives into his own computer.

At this point, he can copy all the data from that connected hard drive without knowing the Windows password. That means he could copy the database and access the data inside.

However, if you have some kind of encryption-at-rest implemented, it means that your data is SAVED in an encrypted form (while it's "resting"), so that even if this hacker guy copied everything from the server, he'd just be copying encrypted data and he wouldn't be able to use it without the decryption key, so that kind of physical attack is rendered useless.