Encryption at Rest

Defined in §8(4), DPDPA 2023; Rule 6(1)(a), Rules 2025

Cryptographic protection of personal data while stored in databases, file systems, or backup media.

What does “Encryption at Rest” mean?

Encryption at rest protects stored personal data by rendering it unreadable without the correct decryption key. This applies to all storage media: databases, file systems, object storage, backups, and removable devices. Under DPDPA Rule 6(1)(a), Data Fiduciaries must implement reasonable security safeguards including encryption of personal data. Industry standards include AES-256 for symmetric encryption. Key management — rotation, access control, and secure storage — is equally critical.

Why does this matter for your business?

If your database is breached but data is properly encrypted at rest, the impact is significantly reduced — the attacker gets ciphertext, not usable personal data. This can be the difference between a minor incident and a catastrophic breach with Rs 250 crore penalty exposure.

Real example

A Pune healthtech company encrypts its PostgreSQL database using AES-256 Transparent Data Encryption, stores encryption keys in AWS KMS with 90-day rotation, and encrypts all S3 backup buckets with separate keys. Even if a backup tape is physically stolen, patient data remains protected.

Common misconception

Database-level encryption alone is not sufficient if application credentials are compromised. Proper encryption at rest requires key management separation — the application that queries data should not have access to raw encryption keys.
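The key-separation point above, together with the rotation and access-control requirements from the definition, is easiest to see in envelope encryption: each record is encrypted under its own AES-256-GCM data key, the data key is stored only in wrapped form, and the key-encryption key that unwraps it lives in a separate key management component the application can call but never read. The example below is added here for illustration and is not code from the page or from DPDPA Shield. It uses only the Go standard library and substitutes a hypothetical in-memory `KMS` type for a real service such as AWS KMS; the row key `patients/42` and the patient string are constructed sample data. It also shows why rotating the key-encryption key does not require re-encrypting stored data: the wrapped data key is re-wrapped and the bulk ciphertext is untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KMS is a hypothetical in-memory stand-in for a key management service such as
// AWS KMS: the only component that holds key-encryption keys (KEKs). The
// application persists data keys in wrapped form only and must call Unwrap.
type KMS struct {
	keks    map[byte][]byte // KEK version -> 32-byte AES-256 key; old versions kept
	current byte            // version used for new wraps
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: stop rather than produce weak keys
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // only fails for non-16-byte block ciphers
	return g
}

// seal returns nonce || AES-256-GCM ciphertext under a fresh random nonce.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...)
}

// open reverses seal; GCM fails closed on a wrong key, tampering or wrong AAD.
func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

func NewKMS() *KMS {
	k := &KMS{keks: map[byte][]byte{}}
	k.Rotate()
	return k
}

// Rotate installs a new KEK version (the periodic rotation step).
func (k *KMS) Rotate() { k.current++; k.keks[k.current] = randomBytes(32) }

// Wrap encrypts a data key as version || nonce || ct under the current KEK,
// binding the version byte as AAD so it cannot be altered undetected.
func (k *KMS) Wrap(dek []byte) []byte {
	return append([]byte{k.current}, seal(k.keks[k.current], dek, []byte{k.current})...)
}

// Unwrap recovers a plaintext data key. In a real KMS this is the call that IAM
// policy and audit logging gate, so stolen application credentials get no
// further than that policy allows and every use leaves a log entry.
func (k *KMS) Unwrap(wrapped []byte) ([]byte, error) {
	if len(wrapped) == 0 || k.keks[wrapped[0]] == nil {
		return nil, errors.New("unknown KEK version or malformed wrapped key")
	}
	return open(k.keks[wrapped[0]], wrapped[1:], wrapped[:1])
}

// ReWrap moves a wrapped data key onto the current KEK. The plaintext data key
// never leaves the KMS and the bulk ciphertext is untouched.
func (k *KMS) ReWrap(wrapped []byte) ([]byte, error) {
	dek, err := k.Unwrap(wrapped)
	if err != nil {
		return nil, err
	}
	return k.Wrap(dek), nil
}

// Record is what the application persists; neither field is usable without a
// successful KMS call.
type Record struct {
	WrappedDEK []byte
	Blob       []byte // nonce || ciphertext of the personal data
}

// EncryptRecord uses a per-record data key; aad (here the row key) is
// authenticated so ciphertexts cannot be swapped between rows undetected.
func EncryptRecord(kms *KMS, plaintext, aad []byte) Record {
	dek := randomBytes(32) // plaintext DEK exists only for the duration of this call
	return Record{WrappedDEK: kms.Wrap(dek), Blob: seal(dek, plaintext, aad)}
}

func DecryptRecord(kms *KMS, r Record, aad []byte) ([]byte, error) {
	dek, err := kms.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Blob, aad)
}

func main() {
	kms := NewKMS()
	aad := []byte("patients/42") // constructed sample row key
	rec := EncryptRecord(kms, []byte("Asha Patel, DOB 1987-03-14"), aad) // constructed data
	kms.Rotate()
	rec.WrappedDEK, _ = kms.ReWrap(rec.WrappedDEK) // rotation without re-encrypting Blob
	pt, err := DecryptRecord(kms, rec, aad)
	fmt.Printf("KEK v%d err=%v plaintext=%q\n", rec.WrappedDEK[0], err, pt)
}
```

The point to check in your own deployment is the boundary this code draws: the database role or application identity that reads `Record` rows should be able to call `Unwrap` only through the key service's access policy, never read the KEK material itself, and every `Unwrap` should be logged, so that a leaked application credential shows up as anomalous key usage rather than as silent bulk decryption.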
