Data storage encryption – Part 1: fundamentals and why it is indispensable

  • Author: Unova Team
  • Published on: 05 Dec, 2025
  • Category: Cryptography

In Part 1 of this series, learn why encryption for data at rest is crucial for protecting information and for supporting compliance with the LGPD and GDPR.

Part 1 of 3 – Fundamentals

Data is now one of the main assets of any organisation. Customer information, financial records, intellectual property, audit logs and even internal reports can represent a major risk if exposed. Ransomware attacks, large-scale data breaches and corporate espionage clearly show the damage that unprotected storage can cause.

In this context, data storage encryption stops being just an “advanced” technical feature and becomes part of the business strategy. It protects information even when someone gains unauthorised access to disks, backups or snapshots.

This is Part 1 of a three-part series where we will dive into:

  • Why encryption for data at rest is so important;
  • The basic concepts you need to master;
  • Where it fits in your IT architecture;
  • How it connects to compliance (LGPD, GDPR) in the upcoming parts.

1. Why talk about encryption for data storage?

When we talk about information security, many people immediately think of firewalls, antivirus or strong passwords. All of that matters, but it does not solve a central problem: what happens if someone manages to copy your database, a server disk or an old backup?

Without encryption, anyone who gets hold of those files can read everything: personal data, trade secrets, credentials, sensitive reports. With properly implemented encryption, the scenario changes: even if someone has physical or logical access to the files, the content remains unreadable without the correct keys.

In short, encrypting data at rest is a way to:

  • Reduce the impact of security incidents;
  • Protect the reputation and trust of customers and partners;
  • Demonstrate due diligence in audits and regulatory processes (such as LGPD and GDPR);
  • Complement other protection layers (perimeter, identity, monitoring).

2. Basic concepts: what is encryption, really?

Encryption is the process of transforming readable data (plaintext) into unreadable data (ciphertext) using an algorithm and a key. Only those who have the correct key (or a secret derived from it) can reverse this process and get back to the original text.

It is directly connected to the well-known information security triad (CIA):

  • Confidentiality: prevents unauthorised people from reading the content;
  • Integrity: encryption on its own does not detect tampering; MACs, HMACs, authenticated modes or digital signatures are what make unauthorised changes detectable;
  • Availability: when well designed, it should not block legitimate use of data or cause excessive performance impact.

In this first article, we focus on data at rest, that is, when information is stored in:

  • Disks (HDD, SSD, virtual machine volumes);
  • Databases (SQL, NoSQL, data warehouses);
  • Local files and network file shares;
  • Cloud storage (buckets, blobs, objects);
  • Backups and snapshots.

It is important to distinguish this from encryption in transit (data in transit), such as HTTPS/TLS between browser and server. Both are complementary: protecting only the traffic does not solve the problem if someone copies the storage where the data lives.

3. Main types of encryption: symmetric vs asymmetric

Before talking about practical use in storage, it is worth separating two major groups of encryption used in everyday scenarios:

3.1 Symmetric encryption

In symmetric encryption, the same key is used to encrypt and decrypt data. It is like a padlock where the same key is used to lock and unlock.

Some widely used algorithms today:

  • AES (Advanced Encryption Standard) – market standard, with secure variants such as AES-256 in modern modes of operation (for example, GCM);
  • ChaCha20 (usually as ChaCha20-Poly1305) – an efficient alternative in specific scenarios, especially on devices without AES hardware acceleration.

Main characteristics:

  • High performance: ideal for encrypting large volumes of data (full disks, databases, files and backups);
  • Lower computational cost than asymmetric encryption.

The main challenge is key management: how to store, distribute and rotate the key securely.

3.2 Asymmetric encryption

In asymmetric encryption, we work with a key pair:

  • A public key, which can be shared;
  • A private key, which must be kept strictly secret.

What is encrypted with the public key can only be decrypted with the private key; conversely, what is signed with the private key can be verified by anyone holding the public key. This enables:

  • Secure exchange of secrets (such as symmetric keys);
  • Digitally signing data, ensuring authenticity and non-repudiation.

Common algorithms include:

  • RSA;
  • ECC (Elliptic Curve Cryptography), such as Curve25519 or P-256.

Asymmetric encryption is more computationally expensive, so it is used strategically, usually to protect keys or create signatures, rather than encrypting large data volumes directly.
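To make the split between the two groups concrete, here is an added example in Go (not code from the Unova article or from any product it mentions) of the pattern this section leads to: the data itself is encrypted with AES-256-GCM under a random data encryption key, and only that small key is wrapped with RSA-OAEP. Because GCM is an authenticated mode, the same program also shows the integrity point from section 2: flipping a single bit of the stored ciphertext makes decryption fail instead of returning garbage. The object name used as associated data, the 2048-bit RSA key size and the sample plaintext are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what gets stored alongside the encrypted object: the data
// encryption key (DEK) wrapped under a public key, plus nonce and ciphertext.
type Envelope struct {
	WrappedDEK []byte // RSA-OAEP(publicKey, DEK)
	Nonce      []byte // 96-bit GCM nonce, fresh for every Seal call
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with a fresh random DEK (symmetric: fast, fine for
// large data) and wraps only that 32-byte DEK with RSA-OAEP (asymmetric:
// expensive, so used only to protect the key). aad is authenticated, not encrypted.
func Seal(pub *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open reverses Seal. Only the private-key holder can unwrap the DEK, and any
// change to ciphertext, nonce or aad fails GCM's tag check, so tampering is reported.
func Open(priv *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedDEK, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: " + err.Error())
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("integrity check failed: " + err.Error())
	}
	return pt, nil
}

// RoundTrip generates a key pair, seals and opens plaintext, then flips one
// bit of the stored ciphertext and checks that Open rejects it.
func RoundTrip(plaintext []byte) (recovered []byte, tamperDetected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	aad := []byte("backup/2025-12-05/customers.sql") // constructed object name
	env, err := Seal(&priv.PublicKey, plaintext, aad)
	if err != nil {
		return nil, false, err
	}
	if recovered, err = Open(priv, env, aad); err != nil {
		return nil, false, err
	}
	corrupted := *env // same wrapped key and nonce, one ciphertext bit flipped
	corrupted.Ciphertext = append([]byte(nil), env.Ciphertext...)
	corrupted.Ciphertext[0] ^= 0x01
	_, err = Open(priv, &corrupted, aad)
	return recovered, err != nil, nil
}

func main() {
	rec, detected, err := RoundTrip([]byte("customer=Alice card=4111-xxxx"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q, tampering detected: %v\n", rec, detected)
}
```

Note the division of labour: the expensive RSA operation touches only 32 bytes, however large the object is, and rotating or revoking access means re-wrapping the DEK, not re-encrypting the data. What the example leaves open is exactly the challenge named above for symmetric encryption: where the private key lives and who can use it.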

4. Where does encryption fit in data storage?

In modern IT environments, encryption appears at several layers. Some examples:

4.1 Full disk encryption

In this model, the entire volume (HDD, SSD, cloud volume) is encrypted. Systems such as LUKS/dm-crypt on Linux, BitLocker on Windows and native volume encryption in public clouds follow this principle.

Benefit: if someone copies the physical disk or a raw snapshot, they cannot read the data without the key. Limitation: while the system is running and the volume is mounted, the content is readable by any user or process with access to the server, so full disk encryption does nothing against a compromised application or account.

4.2 Database encryption

Here, protection may appear in several forms:

  • Transparent Data Encryption (TDE): the database encrypts what it writes to disk, in a way that is relatively transparent to the application;
  • Column/field-level encryption: only sensitive fields (such as ID numbers, card numbers, email addresses, phone numbers) are encrypted by the application before they are stored.

In the first case, implementation tends to be simpler. The second allows finer granularity, but planning must consider how encrypted fields will be searched, sorted and indexed, since the database can no longer operate on the plaintext values.
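As an added example (not the article's own code) of what column-level encryption means for search, the Go program below encrypts an email column with AES-256-GCM, which by design yields a different ciphertext for identical values, and stores next to it a separate blind-index column, an HMAC-SHA256 of the normalised value, so that equality lookups and a database index still work. The table layout, the normalisation rule, the two-key split and the sample rows are constructed for the example; the blind index is one common approach, not something the article prescribes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// FieldKeys holds two independent 32-byte keys: Enc encrypts the field and Idx
// derives its blind index, so leaking one never undermines the other.
type FieldKeys struct {
	Enc, Idx []byte
}

// Row mirrors a customers table whose email column the application encrypts.
type Row struct {
	ID       int
	EmailCT  []byte // nonce || AES-256-GCM ciphertext, written by Insert; differs on every insert
	EmailIdx string // HMAC-SHA256(Idx, normalised email): equality lookups only
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// normalise makes "Alice@Example.com " and "alice@example.com" index equal.
func normalise(email string) string { return strings.ToLower(strings.TrimSpace(email)) }

// BlindIndex is deterministic for equal normalised values, so the database can
// index and compare it, yet it cannot be reversed to the email without Idx.
func BlindIndex(k *FieldKeys, email string) string {
	m := hmac.New(sha256.New, k.Idx)
	m.Write([]byte(normalise(email)))
	return hex.EncodeToString(m.Sum(nil))
}

// EncryptField uses a fresh nonce per call, so equal emails produce different
// ciphertexts and the ciphertext column on its own cannot be searched.
func EncryptField(k *FieldKeys, value string) ([]byte, error) {
	gcm, err := gcmFor(k.Enc)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(value), nil), nil
}

// Insert stores the encrypted email together with its blind index.
func Insert(table []Row, k *FieldKeys, id int, email string) ([]Row, error) {
	ct, err := EncryptField(k, email)
	if err != nil {
		return table, err
	}
	return append(table, Row{ID: id, EmailCT: ct, EmailIdx: BlindIndex(k, email)}), nil
}

// FindByEmail is the equality query (WHERE email_idx = ?): only matching rows are
// decrypted. Range queries and ORDER BY on the real value are not possible this way.
func FindByEmail(table []Row, k *FieldKeys, email string) ([]int, error) {
	gcm, err := gcmFor(k.Enc)
	if err != nil {
		return nil, err
	}
	want, n := BlindIndex(k, email), gcm.NonceSize()
	var ids []int
	for _, r := range table {
		if r.EmailIdx != want {
			continue
		}
		if _, err := gcm.Open(nil, r.EmailCT[:n], r.EmailCT[n:], nil); err != nil {
			return nil, fmt.Errorf("row %d: %w", r.ID, err) // corrupted or re-keyed
		}
		ids = append(ids, r.ID)
	}
	return ids, nil
}

func main() {
	k := &FieldKeys{Enc: make([]byte, 32), Idx: make([]byte, 32)}
	rand.Read(k.Enc)
	rand.Read(k.Idx)
	var t []Row
	for i, e := range []string{"alice@example.com", "Alice@Example.com ", "bob@example.com"} {
		t, _ = Insert(t, k, i+1, e) // constructed sample rows
	}
	fmt.Println(FindByEmail(t, k, "ALICE@example.com")) // [1 2] <nil>
}
```

Two caveats belong in the planning the text mentions. The blind index leaks equality: anyone who can read the table can tell which rows share an email and how often each value occurs, even without either key. And the scheme only answers "is equal to"; sorting, prefix and range queries on the encrypted field still need a different design, which is why the choice of which columns to encrypt at the application level should be made before the schema is fixed.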

4.3 Encryption for files, objects and backups

In addition to disks and databases, it is essential to protect:

  • Files on application servers and file servers;
  • Objects stored in the cloud (buckets, blobs);
  • Local and remote backups – often the weakest link in the chain.

In practice, it is common to use symmetric encryption for this data and, as we will see in Part 2, asymmetric encryption or specialised services to protect the keys.

5. What comes next?

In this first part, we have seen the context, the basic concepts and where encryption fits into the data storage architecture.

In Part 2 of this series, we will go deeper into the practical use of symmetric and asymmetric encryption for data at rest, with examples and strategies to apply these concepts in your organisation’s daily routine.
