
Encryption at Rest

SOC 2, ISO 27001, HIPAA, PCI DSS

Cryptographic protection of stored data — typically AES-256 with KMS-managed keys.

Encryption at Rest protects stored data with a symmetric cipher, in practice AES-256 in an authenticated mode such as GCM for records, objects and backups, or XTS for block and disk volumes, with keys generated, stored, rotated and access-controlled by a KMS (AWS KMS, GCP Cloud KMS, Azure Key Vault). The KMS key rarely encrypts the bulk data itself: it wraps a per-object data key, and the wrapped data key is stored beside the ciphertext (envelope encryption), so rotating the KMS key does not require re-encrypting the data. Customer-Managed Keys (CMK) put that KMS key under the customer's own key policy, rotation schedule and audit log; Bring-Your-Own-Key (BYOK) goes further by importing key material the customer generated. Two caveats matter for the control: provider-default encryption is transparent to any caller with valid credentials, so it defends against lost disks and decommissioned hardware, not against a compromised application or over-privileged IAM principal, and the effective control is the key policy plus who can call Decrypt; and an auditor will want evidence that encryption is actually enabled on each in-scope bucket, volume and database (the resource's encryption configuration and the key it references), not just a policy statement that says it should be.

Why it matters
HIPAA Security Rule §164.312(a)(2)(iv) lists encryption and decryption of ePHI as an addressable implementation specification: you implement it, or document why an equivalent safeguard is reasonable and appropriate. PCI DSS Requirements 3.5 and 3.6 require stored PAN to be rendered unreadable and the keys that protect it to be secured. SOC 2 and ISO 27001 name no cipher, but an auditor will not accept a Confidentiality claim under SOC 2, or the Annex A cryptography control under ISO 27001, without encryption at rest and evidence that it is switched on for the systems in scope.

Related terms

Encryption in Transit
TLS protection of data moving across networks — TLS 1.2+ is the floor; TLS 1.3 preferred.
Key Management Service (KMS)
Managed service for creating, rotating, and authorising use of cryptographic keys.
Tokenisation
Replacing sensitive data (typically PAN) with a non-sensitive surrogate value (token).

Does your program actually cover Encryption at Rest?

Run a free ComplianceIQ audit against SOC 2 and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
