Hacker News new | past | comments | ask | show | jobs | submit
stavros | on: Oura says it gets government demands for user data
Does encryption at rest actually do much? The percentage of attacks that were perpetrated by people getting physical access to a drive must approach zero.
zoogeny | parent | next
It generally has to do with risk models, especially in single tenant environments.

What I mean is, say I am a b2b service provider and I have a single database for some subset of my clients. That is, multiple clients data are held in the same database. There are many ways to do this but one way I have see is BYOK (Bring Your Own Key). You can have your clients give you secure access to a public/private key pair (e.g. through AWS secrets manager). Then you encrypt anything that gets written into the database using their key.

This means that if there is some security hole in your software that accidentally allows data to be exfiltrated from your servers (e.g. one malicious client sends API requests that allow for a query of data from another target client), the data the API returns will be encrypted using the target clients public/private key.

My own experience with security is that nothing is perfect and good security is like an onion. Encryption at rest isn't perfect and won't handle every possible malicious attack, but it is a layer in the broader strategy. The attacker has to both find a way to exfiltrate the data and trick the server into revealing the shared key. The idea being it is harder to do both than it may be to do either individually.

nicce | parent | next
Depends on what kind of data is in question. Backups and old incremential data can stay encrypted while disks are otherwise in use.
loading story #48249301
alternatex | parent | next
I think it's also meant to protect from potential mistakes in handling of hard disk decommissioning which presumably is a common thing with data centers.
loading story #48249718
dmkolobov | parent
Unless the attacker is law enforcement.
loading story #48249605