What is Encryption at Rest?

TL;DR: Encryption at rest is the encryption of data while it is stored on disk, as opposed to encryption in transit (during transmission). It protects data from unauthorized access if the physical storage media are compromised. AES-256 is the industry-standard algorithm.

Encryption at Rest for SaaS Applications

Encryption at rest is a baseline security requirement for any SaaS application handling sensitive data. It ensures that even if an attacker gains access to the underlying storage infrastructure, the data remains unreadable without the encryption keys.

Encryption Algorithms

| Algorithm | Key Size | Use Case |
|-----------|----------|----------|
| AES-256-GCM | 256-bit | Industry standard, authenticated encryption |
| ChaCha20-Poly1305 | 256-bit | Mobile/embedded, software-optimized |

AES-256-GCM (Galois/Counter Mode) is preferred because it provides both confidentiality and authenticity in a single operation.

Field-Level vs. Volume-Level Encryption

Field-level encryption is stronger than volume-level encryption because even database administrators cannot read the encrypted fields.

How Trailbase Encrypts Data

Trailbase uses AES-256-GCM field-level encryption for sensitive audit log fields. Encryption keys are managed separately from data storage. This means even if the database is compromised, sensitive event metadata remains encrypted and unreadable.
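The properties described above (authenticated encryption, per-field ciphertext, key held outside the data store), shown as an added Node.js example; it is not Trailbase's implementation. The key source, the `nonce || tag || ciphertext` storage layout, the record-id/field-name binding through additional authenticated data (AAD) and the sample event are all assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Assumption: in production the 32-byte key comes from a KMS or secret store,
// never from the database that holds the ciphertext. Generated here for the demo.
const fieldKey = crypto.randomBytes(32);

// AAD binds a ciphertext to its record and field, so a value copied into
// another row or column fails authentication. JSON keeps the encoding unambiguous.
function aadFor(recordId, fieldName) {
  return Buffer.from(JSON.stringify([recordId, fieldName]), "utf8");
}

function encryptField(key, recordId, fieldName, plaintext) {
  const nonce = crypto.randomBytes(12); // 96-bit nonce, must never repeat under one key
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(aadFor(recordId, fieldName));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Stored value (assumed layout): nonce || tag || ciphertext, base64 for a text column.
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString("base64");
}

function decryptField(key, recordId, fieldName, stored) {
  const raw = Buffer.from(stored, "base64");
  if (raw.length < 28) throw new Error("stored value too short");
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12),
    { authTagLength: 16 });
  decipher.setAAD(aadFor(recordId, fieldName));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the key, nonce, tag, ciphertext or AAD does not match.
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("utf8");
}

// Returns true when decryption succeeds, false when it fails (bad length or failed tag check).
function canDecrypt(key, recordId, fieldName, stored) {
  try { decryptField(key, recordId, fieldName, stored); return true; }
  catch { return false; }
}

// Constructed sample audit event; only the sensitive field is encrypted.
const event = { id: "evt_001", action: "user.login", actor_email: null };
event.actor_email = encryptField(fieldKey, event.id, "actor_email", "alice@example.com");
```

A database dump of this event exposes `id` and `action` in the clear but only an opaque base64 value for `actor_email`; modifying that value, or pasting it into a different record, makes decryption fail instead of returning altered data.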

Related Terms

Hash Chain: A hash chain is a cryptographic data structure where each entry contains the hash of the previous en...

Data Residency: Data residency refers to the physical or geographic location where data is stored and processed. Man...

SOC 2: SOC 2 (Service Organization Control 2) is an auditing framework developed by the AICPA that evaluate...

HIPAA: HIPAA (Health Insurance Portability and Accountability Act) is a US federal law that sets standards ...
