In this guide, we will cover what encryption at rest is, how it works, and how we implemented it at Mailfence.
What is Encryption at Rest?
Encryption at rest is the practice of protecting data stored on a device by encoding it with encryption algorithms. It is the encryption method for “data at rest”, i.e. data currently in storage, typically on a computer’s or server’s hard disk.
Encryption at rest differs from encryption in transit, which is used to protect data while it is moving between locations. Additionally, it contrasts with data in use, which refers to data that is actively loaded into memory and being processed by a software application.
| Type | Where is it? |
|---|---|
| Data at rest | Storage |
| Data in transit | Traveling over networks |
| Data in use | Memory |
Encryption at rest helps ensure that sensitive information remains confidential even in case of loss or theft of a device. Unauthorized individuals who access storage media, like hard drives or cloud servers, cannot decipher the data without decryption keys. You can think of encryption at rest as locking valuables in a safe. Even if someone enters the house, they cannot open the safe without the correct combination.
How Does Encryption at Rest Work?
When data is stored on a device, an encryption algorithm converts readable information into unreadable characters. For example, sensitive data like “User Password: 12345” is transformed into a scrambled string like “lJf9#%!@7^g12”.
The encryption process typically involves two main components:
- the encryption algorithm, which determines how to transform the data;
- the key, which acts as the “secret” that unlocks the original information.
Encryption at rest can operate at different levels depending on the implementation:
- some systems encrypt data at the file level, protecting specific files or folders;
- others apply full-disk encryption (also called block-level encryption), which secures the entire storage device. Once the device is turned on and the disk is unlocked, all of its data is accessible in decrypted form;
- finally, store-level encryption protects data while it is stored in structured systems. Even when the disk is mounted, all the data remains encrypted; a given piece of data is decrypted only at the moment it is requested.
Encryption at rest systems often rely on encryption keys stored in secure environments, such as hardware security modules (HSMs), to manage encrypted data.
These devices keep keys safe from unauthorized access and provide an additional layer of security by isolating them from general access within the system.
Modern systems frequently automate the encryption and decryption processes to ensure usability and efficiency. When users access encrypted data, the system temporarily decrypts it in memory, allowing authorized actions while keeping stored data secure.
For example, in a cloud storage service, files remain encrypted on the server but are decrypted on the user’s device when accessed through valid credentials and permissions.
How Mailfence Implements Encryption at Rest
While many applications implement block-level (full-disk) encryption, we opted for store-level encryption. This has several advantages:
- even when the server hard drive is mounted (i.e. turned on), all user data remains encrypted. It is only when a user requests an email (or file) that that specific data is decrypted;
- store-level encryption allows for advanced key management with more control (multiple keys for multiple stores). This means that if the key of one store is compromised, the other stores are not compromised;
- store-level encryption also allows you to store backups of specific stores by encrypting them in-house first (i.e. you are not relying on the encryption of a third party).
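To make the per-store key design above concrete, here is an added example written for this guide (not Mailfence’s own code): every store has its own AES-256-GCM key, each email or file is encrypted as a separate record bound to its store and item identifiers, and a record from one store cannot be opened with another store’s key. The store and item identifiers are assumptions; in practice the key would come from a key-management system or HSM rather than from application code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Store wraps the data-encryption key of one store (e.g. one mailbox).
// Each store has its own key, so a leaked key exposes only that store.
type Store struct {
	ID   string
	aead cipher.AEAD
}

// NewStore takes the store's 32-byte key (AES-256). In production the key
// is assumed to come from a key-management system or HSM, not from code.
func NewStore(id string, key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{ID: id, aead: aead}, nil
}

// Seal encrypts one item (an email or file) before it is written to disk.
// Store and item IDs are bound as additional data, so a record moved to
// another store or item fails authentication instead of decrypting.
func (s *Store) Seal(itemID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := []byte(s.ID + "/" + itemID)
	return append(nonce, s.aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// Open decrypts a single item on request; every other item stays encrypted.
func (s *Store) Open(itemID string, record []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(record) < n {
		return nil, errors.New("record too short")
	}
	aad := []byte(s.ID + "/" + itemID)
	return s.aead.Open(nil, record[:n], record[n:], aad)
}
```

Because each record carries its own random nonce and is authenticated, a tampered, truncated or misfiled record is rejected rather than decrypted to garbage.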
However, it is important to note that encryption at rest does not protect you against all threats.
Encryption at rest only adds an additional layer of protection against physical theft of the storage media. It does not protect you from attackers who manage to get into your system (e.g. over the Internet), nor from interception of data in transit.
It also doesn’t mean you shouldn’t use end-to-end encryption! E2EE should be your top priority and your best line of defense against mass surveillance.
If you want to learn more about securing your online life, check out our email security and privacy awareness course.
Conclusion
That’s it for this guide on encryption at rest, and how we implemented it here at Mailfence.
If you would like more technical details on our implementation, please feel free to reach out to us at support@mailfence.com.