What is Encryption at Rest?

Turkish: Bekleyen Veri Şifreleme (Encryption at Rest)

Encryption at rest uses keys to protect data stored on disks, in databases, or in backups, reducing exposure from unauthorized access.

What is Encryption at Rest?

Encryption at rest means keeping data encrypted when it is not actively moving over a network. Files on disk, database tables, object storage items, backups, and archives all fall into this category. The goal is to keep data unreadable if storage media is compromised or an unauthorized account gains access to it.

This is different from SSL/TLS, which protects data in transit. TLS protects data while it moves; encryption at rest protects data where it is stored. In practice, disk encryption, database encryption, field-level encryption, and backup encryption may be used together at different layers.

Key Management

The security of encryption depends heavily on key management. Keys should not be hardcoded in application code; they should be stored in controlled systems such as KMS or HSM services, audited when accessed, and rotated through a defined process. Some designs separate data keys from master keys, a pattern known as envelope encryption.
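The envelope encryption pattern described above, as an added example in Node.js (not code from the original page). The function names, the key IDs, the `record-v1` label, and the in-memory `keks` map are assumptions for illustration; with a real KMS or HSM the wrap and unwrap steps happen inside that service and the master key never reaches the application.

```javascript
const crypto = require('node:crypto');
// AES-256-GCM seal: returns nonce || tag || ciphertext. aad binds context to the ciphertext.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Reverse of seal; throws if the key, the aad, or any stored byte is wrong.
function open(key, sealed, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  d.setAAD(aad);
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Encrypt one record: fresh data key (DEK) per record, wrapped under the master key (KEK).
function encryptRecord(kek, kekId, plaintext) {
  const dek = crypto.randomBytes(32);
  const record = {
    kekId,
    wrappedDek: seal(kek, dek, Buffer.from(kekId)),
    ciphertext: seal(dek, plaintext, Buffer.from('record-v1')),
  };
  dek.fill(0); // zero the plaintext DEK once it is wrapped
  return record;
}

// Decrypt: look up the KEK named in the record, unwrap the DEK, then open the data.
function decryptRecord(keks, record) {
  const kek = keks[record.kekId];
  if (!kek) throw new Error(`unknown master key ${record.kekId}`);
  const dek = open(kek, record.wrappedDek, Buffer.from(record.kekId));
  try { return open(dek, record.ciphertext, Buffer.from('record-v1')); }
  finally { dek.fill(0); }
}

// Rotation: rewrap only the DEK under the new master key; the ciphertext is untouched.
function rotate(keks, record, newKekId) {
  const dek = open(keks[record.kekId], record.wrappedDek, Buffer.from(record.kekId));
  const rotated = { ...record, kekId: newKekId,
    wrappedDek: seal(keks[newKekId], dek, Buffer.from(newKekId)) };
  dek.fill(0);
  return rotated;
}

// Constructed sample: in-memory stand-ins for master keys that would live in a KMS or HSM.
const keks = { 'kek-2023': crypto.randomBytes(32), 'kek-2024': crypto.randomBytes(32) };
```

Because only the small wrapped key is rewritten during rotation, retiring a master key does not require re-encrypting the stored data itself.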

Under data protection requirements such as KVKK (Turkey's Personal Data Protection Law), encryption alone is not a compliance guarantee, but it is an important risk-reducing technical measure. Access control, logging, data masking, and separation of encryption keys should be designed together.