stavros 2 hours ago
Does encryption at rest actually do much? The percentage of attacks that were perpetrated by people getting physical access to a drive must approach zero.

nicce 2 hours ago (replying to stavros)
Depends on what kind of data is in question. Backups and old incremental data can stay encrypted while disks are otherwise in use.

stavros 2 hours ago (replying to nicce)
Hm yeah, I always think of encryption at rest as "the drive handles encryption itself", rather than "we encrypted these archives before we wrote them", but fair enough.

literalAardvark 2 hours ago (replying to stavros)
Not necessarily the drive, but yeah, where standards mandate encryption at rest you need to have the files on the live disk encrypted. Usually it's much less of a headache to luks/bitlocker/SED the whole drive so that you don't have to worry about swap files and logs.

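A defender-side check for the swap-and-logs point above, added here as an example and not taken from the thread: it resolves the root filesystem, /var/log and every active swap entry to the block device behind it and reports any whose device chain has no dm-crypt (LUKS) layer. It assumes Linux with util-linux (lsblk, findmnt) and /proc/swaps; the LVM-on-LUKS layering shown in the comments is illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Reports whether the places that
# typically leak plaintext (root fs, /var/log, every active swap entry)
# sit on a block-device chain that contains a dm-crypt/LUKS layer.
# Assumes Linux with util-linux (lsblk, findmnt) and /proc/swaps.

# $1 is the output of `lsblk -sno TYPE <dev>`: the device and all of its
# ancestors, one TYPE per line (e.g. "lvm", "crypt", "part", "disk").
# Returns 0 when some layer in that chain is dm-crypt.
chain_has_crypt() {
    printf '%s\n' "$1" | grep -qx 'crypt'
}

# Resolve a path (directory, swap file or swap block device) to the block
# device backing it, then inspect the chain beneath that device.
check_path() {
    target="$1"
    if [ -b "$target" ]; then
        dev="$target"                                        # swap partition / LV
    else
        dev=$(findmnt -no SOURCE -T "$target" 2>/dev/null)   # filesystem containing it
        dev=${dev%%\[*}                                      # drop btrfs "[/subvol]" suffix
    fi
    if [ -z "$dev" ]; then
        echo "SKIP  $target: cannot resolve backing device"
        return 2
    fi
    if chain_has_crypt "$(lsblk -sno TYPE "$dev" 2>/dev/null)"; then
        echo "OK    $target -> $dev (dm-crypt in chain)"
        return 0
    fi
    echo "PLAIN $target -> $dev (no dm-crypt layer: readable from the raw disk)"
    return 1
}

# Audit root, the log tree and every active swap entry; non-zero if any is plain.
audit_at_rest() {
    rc=0
    for p in / /var/log $(awk 'NR > 1 { print $1 }' /proc/swaps 2>/dev/null); do
        check_path "$p" || rc=1
    done
    return "$rc"
}

# Run only when invoked with --run, so the functions can also be sourced.
case "${1:-}" in
    --run) audit_at_rest ;;
esac
```

Run it as `sh audit.sh --run` on the host being assessed; a PLAIN line for swap or /var/log is exactly the gap whole-disk encryption closes and file-level encryption does not.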
alternatex 2 hours ago (replying to stavros)
I think it's also meant to protect from potential mistakes in handling of hard disk decommissioning, which presumably is a common thing with data centers.

SoftTalker an hour ago (replying to alternatex)
Used to be, but e.g. where I work any decommissioned drive has to be DBANed (if it's spinning platters) or secure-erased (SSDs). If it can't be for some reason (e.g. it has failed) it needs to be physically destroyed. I would hope most data centers have similar policies in 2026, but that may be optimistic I guess.

dmkolobov 2 hours ago (replying to stavros)
Unless the attacker is law enforcement.

stavros 2 hours ago (replying to dmkolobov)
Law enforcement will just get you to give them the keys.

dmantis an hour ago (replying to stavros)
Law enforcement of another jurisdiction won't, but can try to snoop into the data.