Data at rest is any information kept in permanent storage, like databases or cloud backups. While security often focuses on data moving across networks, protecting stored information is critical to preventing data theft. Robust protection ensures that even if storage hardware or cloud accounts are compromised, the information remains unreadable and useless to unauthorized parties.
Key takeaways
- Data at rest refers to data that’s not currently in use, such as data stored on disk, in databases, or in cloud storage.
- Because stored data is a valuable target for malicious attacks, insider threats, and human error, protecting data at rest is foundational to modern data protection strategies.
- Data-at-rest encryption uses encryption keys and other methods—such as full disk encryption, transparent data encryption, and field-level encryption—to prevent unauthorized parties from reading stored data.
- A complete security strategy must protect data across all three states: data at rest, data in transit, and data in use.
- MongoDB supports encryption in all three states, as well as advanced client-side queryable encryption, enabling organizations to encrypt data while preserving the ability to securely query sensitive data without exposing plaintext.
Table of contents
- Securing stored data: Why it matters
- Why data at rest is a high-value target
- What is data at rest encryption?
- Best practices for protecting data at rest
- Common challenges in protecting data at rest
- Securing data at rest in MongoDB
- Search encrypted data without unlocking it
- Build durable protection with encryption that works across every data state
- FAQs
- Related resources
Securing stored data: Why it matters
Data at rest refers to digital data that’s stored on a physical or virtual medium and is not actively moving across a network or being processed by an application. It includes:
- Files on a hard disk.
- Records in a database.
- Backups in cloud storage.
- Archive log files.
- Snapshots stored in a cloud environment.
In short, if data resides in one location, and is not actively moving through communication channels or being modified in memory, it’s considered data at rest.
This category of stored data often includes sensitive information, such as:
- Customer records, which may include PHI or PII.
- Intellectual property.
- Financial data.
- Regulated data sets.
Because it’s centralized and persistent, it becomes a valuable target for malicious attacks, insider threats, physical theft, and human error. Protecting data at rest is therefore a foundational element of any modern data protection strategy.
Why data at rest is a high-value target
Data at rest is frequently more valuable than data in transit. Attackers who gain direct access to stored data can exfiltrate entire databases, compromise systems, or steal sensitive data in bulk.
Common risks include:
- Data breaches resulting from unauthorized parties gaining access.
- Physical theft of mobile devices or hard disks.
- Misconfigured cloud storage or file hosting services.
- Insider threats with direct access privileges.
- Compromised backup systems.
- Weak access control or password protection.
For this reason, encryption plays a central role in securing stored data.
What is data at rest encryption?
Data at rest encryption is the process of encrypting data stored on a disk so it cannot be read without proper authorization and encryption keys.
Encryption transforms data stored in digital form into unreadable ciphertext. Even if an attacker steals data from a database or cloud storage environment, the encrypted data remains unusable without access to the appropriate keys. Common encryption methods include:
- Full-disk encryption.
- Hard disk encryption.
- Transparent data encryption (TDE).
- Application-level encryption.
- Field-level encryption.
Each encryption approach protects data stored in different ways and in different layers of the stack. For example:
- Disk encryption protects entire storage volumes.
- Transparent data encryption protects database files.
- Application or field-level encryption encrypts specific data fields before they are written to storage.
Choosing the right method depends on your risk profile, compliance requirements, and operational architecture.
How data at rest fits into the three data states
Modern enterprises typically classify data into three states:
- Data at rest (discussed here)
- Data in transit
- Data in use
Data in transit refers to data actively moving across communication channels. Data in use refers to data being processed in memory.
Data at rest refers specifically to inactive data stored on disk, in cloud backups, or in databases. Each state requires different security measures. Encrypting data in transit with TLS does not automatically protect stored data. Similarly, encrypting disk storage does not protect data actively moving through a private network.
A comprehensive data protection strategy must address all three states. Data at rest encryption is one essential layer within that broader framework.
Best practices for protecting data at rest
Protecting data at rest requires more than enabling a single encryption setting. Effective data protection includes:
- Strong encryption algorithms.
- Secure encryption key management.
- Strict access control policies.
- Data classification to identify sensitive data.
- Data loss prevention strategies.
- Monitoring and logging access to data.
Key management is particularly critical. Encryption keys must be stored securely, rotated regularly, and protected from unauthorized access. If the keys are compromised, the encryption no longer protects the data.
In cloud environments, organizations often integrate with external key management services to maintain control over encryption keys.
Common challenges in protecting data at rest
Organizations often face practical challenges when implementing encryption, such as:
- Performance concerns.
- Key management complexity.
- Application refactoring.
- Compliance audits.
- Integration with existing security measures.
Modern platforms must balance performance, security, and developer experience. Encryption must be strong enough to protect data, yet flexible enough to support real-world use cases.
Securing data at rest in MongoDB
MongoDB provides multiple layers of encryption and security to protect data at rest.
At the infrastructure level, MongoDB Atlas supports encryption at rest using strong encryption standards. It integrates with the following customer key management providers when configuring encryption at rest for a MongoDB Atlas project:
- Amazon Web Services Key Management Service
- Azure Key Vault
- Google Cloud Platform Key Management Service
Learn more about MongoDB encryption capabilities.
For organizations requiring deeper control, MongoDB Atlas supports KMS integrations.
Search encrypted data without unlocking it
MongoDB queryable encryption addresses one of the hardest challenges in data security. How do you encrypt sensitive data and still query it? Queryable encryption allows sensitive data to remain encrypted—not only at rest, but also in transit and in use—while still supporting expressive queries. This capability is built directly into MongoDB. It is not a bolt-on solution. It is available without additional licensing fees.
With queryable encryption, encryption occurs client-side. The server never sees plaintext data. Applications can encrypt data fields before writing them, and still perform equality, range, and search queries on encrypted data. This architecture significantly reduces the attack surface and protects sensitive information from unauthorized parties, even if infrastructure is compromised.
Build durable protection with encryption that works across every data state
Modern data protection strategies increasingly require protection across all data states. MongoDB’s encryption architecture, including queryable encryption, delivers built-in, client-side protection that secures data at rest while preserving application functionality. This reduces the attack surface and protects sensitive information even if the underlying infrastructure is compromised.
For organizations handling sensitive data, protecting data at rest is not optional. It is foundational to secure data management in a cloud-first world.