Encryption at Rest: What is it good for?

Encryption at rest, also called server-side encryption, involves encrypting data as it is written to disk and decrypting it when it is read back. Cloud infrastructure services typically offer server-side encryption, where the encryption and decryption processes are transparent to developers and application code.

Here’s a high-level overview of how encryption and decryption happen in server-side encryption:

  1. Encryption Process: When data is written to the disk or storage system, it undergoes an encryption process. The data is transformed using an encryption algorithm, typically AES (Advanced Encryption Standard), along with a unique encryption key.
  2. Encryption Key Management: The encryption keys used for server-side encryption are managed by the cloud service provider. These keys are securely stored and associated with the encrypted data.
  3. Read Operation: When a user or application requests to read the encrypted data, the decryption process is triggered. The cloud service retrieves the encrypted data from the disk or storage system.
  4. Decryption Key Retrieval: The cloud service provider retrieves the appropriate encryption key associated with the encrypted data. This key is required to decrypt the data.
  5. Decryption: Using the retrieved encryption key, the cloud service provider applies the decryption algorithm, the inverse of the encryption algorithm used during the write, which transforms the encrypted data back into its original plaintext form.
  6. Data Delivery: Once decrypted, the data is delivered to the user or application making the read request. The data is now in a readable format and can be processed or presented as needed.

In AWS, no additional decryption access control is required: AWS handles the encryption and decryption operations transparently, providing a convenient and safe way to protect your data.

So what good comes from server-side encryption?

If a malicious party gains unauthorized access to the storage or disk where the encrypted data is stored, they will only see scrambled or unintelligible data.

This is because the data is encrypted using AWS’s encryption mechanisms, and decryption can only occur through the regular flow provided by AWS. Without access to the appropriate decryption keys and the AWS infrastructure, the encrypted data remains secure and unreadable to the malicious party.
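The write path, the read path and the "scrambled data" an attacker with disk access sees, as an added example that is not part of the original post. The Store type, the in-memory key map that stands in for the provider's key service, and the "key-1" id are assumptions for this illustration, not an AWS API:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Store is a toy server-side-encrypting storage service (assumed for this
// example, not a real AWS API): keys stands in for the provider-managed key
// service; disk holds only nonce||ciphertext and the id of the key used.
type Store struct {
	keys  map[string]cipher.AEAD // key id -> AES-256-GCM (the "key service")
	disk  map[string][]byte      // object name -> nonce || ciphertext
	keyID map[string]string      // object name -> key id (step 2)
}

func NewStore() *Store {
	key := make([]byte, 32) // fresh AES-256 key; crypto/rand.Read cannot fail here
	rand.Read(key)
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)
	return &Store{keys: map[string]cipher.AEAD{"key-1": g}, disk: map[string][]byte{}, keyID: map[string]string{}}
}

// Put is the write path (step 1): encrypt before anything reaches disk. The
// object name is bound as associated data so blobs cannot be swapped between objects.
func (s *Store) Put(name string, plaintext []byte) {
	g := s.keys["key-1"]
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	s.disk[name] = g.Seal(nonce, nonce, plaintext, []byte(name))
	s.keyID[name] = "key-1"
}

// Get is the read path (steps 3-6): fetch ciphertext, look up its key id,
// retrieve the key and decrypt. A missing key or a tampered blob fails closed.
func (s *Store) Get(name string) ([]byte, error) {
	ct, ok := s.disk[name]
	g, haveKey := s.keys[s.keyID[name]]
	if !ok || !haveKey {
		return nil, errors.New("object or its key unavailable")
	}
	n := g.NonceSize()
	return g.Open(nil, ct[:n], ct[n:], []byte(name))
}

// RawDisk is what a party with access to the medium but not the key service sees.
func (s *Store) RawDisk(name string) []byte { return s.disk[name] }
```

Removing "key-1" from the key map models the situation in the paragraph above: the bytes on disk are still there, but without the key service the read path can no longer turn them back into plaintext.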

Common attacks that server-side encryption helps defend against

  • Physical Access: Prevents unauthorized access to storage media, as encrypted data remains unreadable without encryption keys.

  • Data Breaches: Even if data is stolen, it remains encrypted, requiring encryption keys for decryption and understanding.

  • Insider Threats: Protects against authorized individuals attempting to access or steal sensitive data, as encryption keys are necessary for viewing.

  • Cloud Infrastructure Compromise: Guards against attacks targeting the underlying infrastructure, as encrypted data remains secure without encryption keys.

  • Data Leaks: Prevents accidental or intentional sharing of sensitive data by keeping it encrypted and unintelligible to unauthorized parties.

  • Data Recovery and Disposal: Provides security during data recovery or disposal, ensuring encrypted data remains protected and inaccessible to unauthorized individuals.

updated 2024-01-17