What is Encryption at Rest?
Turkish: Bekleyen Veri Şifreleme (Encryption at Rest)
Encryption at rest uses keys to protect data stored on disks, in databases, or in backups, reducing exposure from unauthorized access.
What is Encryption at Rest?
Encryption at rest means keeping data encrypted when it is not actively moving over a network. Files on disk, database tables, object storage items, backups, and archives all fall into this category. The goal is to make data unreadable to anyone who compromises the storage media or reaches it through an unauthorized account.
This is different from SSL/TLS, which protects data in transit. TLS protects data while it moves; encryption at rest protects data where it is stored. In practice, disk encryption, database encryption, field-level encryption, and backup encryption may be used together at different layers.
Key Management
The security of encryption depends heavily on key management. Keys should not be hardcoded in application code; they should be stored in controlled systems such as KMS or HSM services, audited when accessed, and rotated through a defined process. Some designs separate data keys from master keys, a pattern known as envelope encryption.
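The envelope pattern and the rotation step described above, as an added example that is not part of the original page. It assumes AES-256-GCM (the page names no algorithm), the function names are hypothetical, and `master_key` stands in for a key that a KMS or HSM would hold.

```ruby
require "openssl"

# AES-256-GCM with a fresh random nonce; output is nonce || tag || ciphertext.
# aad binds each blob to its role so a wrapped key cannot pass as data.
def seal(key, plaintext, aad)
  raise ArgumentError, "empty plaintext" if plaintext.empty?
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  nonce = cipher.random_iv
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Raises OpenSSL::Cipher::CipherError on a wrong key or modified input.
def unseal(key, sealed, aad)
  raise ArgumentError, "sealed blob too short" if sealed.bytesize <= 28
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = sealed.byteslice(0, 12)
  cipher.auth_tag = sealed.byteslice(12, 16)
  cipher.auth_data = aad
  cipher.update(sealed.byteslice(28..-1)) + cipher.final
end

# Assumption: master_key is held locally here; a real deployment would ask
# the KMS or HSM to wrap and unwrap the data key instead.
def envelope_encrypt(master_key, plaintext)
  data_key = OpenSSL::Random.random_bytes(32) # fresh data key per record
  { wrapped_key: seal(master_key, data_key, "dek"),
    ciphertext: seal(data_key, plaintext, "data") }
end

def envelope_decrypt(master_key, record)
  data_key = unseal(master_key, record[:wrapped_key], "dek")
  unseal(data_key, record[:ciphertext], "data")
end

# Rotation rewraps only the small data key; the bulk ciphertext is untouched.
def rotate_master_key(old_key, new_key, record)
  data_key = unseal(old_key, record[:wrapped_key], "dek")
  record.merge(wrapped_key: seal(new_key, data_key, "dek"))
end
```

After rotation the old master key can no longer unwrap the record, so retiring it in the key store cuts off access without re-encrypting the stored data.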
Under data protection requirements such as KVKK, encryption alone is not a compliance guarantee, but it is an important risk-reducing technical measure. Access control, logging, data masking, and separation of encryption keys should be designed together.
Related Terms
KVKK is Turkey's Personal Data Protection Law, setting legal duties for how organizations process, store, and transfer personal data.
Encryption: Encryption turns readable data into a cryptographic form that only authorized parties can decrypt using the right key and algorithm.
SSL/TLS (Secure Sockets Layer / Transport Layer Security): SSL/TLS is the protocol family that provides identity checks, key agreement, and encrypted data transfer between clients and servers.