How do you protect sensitive data even when your storage devices fall into the wrong hands? This question has plagued database administrators and security experts alike. Encryption at rest mitigates these threats. Let's dive in and see how it all works. In this video, we'll explore what encryption at rest is, the benefits it brings to data protection, and how MongoDB implements it. Before we dive in, let's take a moment to define what encryption at rest is. First, what do we mean by at rest? Data at rest refers to data that has been written to a storage disk. Encryption at rest is the act of protecting all data that has been written to disk from unauthorized access. Both Atlas and MongoDB Enterprise Advanced support this type of encryption. But why do we need to encrypt the data on disk if we have other security practices in place? Good question. Encryption at rest is one of our best defenses against data breaches and or unauthorized access to our data. Without the right keys, the people who gained access to our data will not be able to read the data. Encryption at Rest also provides the added benefits of maintaining data confidentiality, ensuring compliance with key regulatory standards, and offering the peace of mind that your sensitive information is securely protected. Not only that, but it signifies to your users that you are committed to keeping their data protected, fostering trust between you and your users. Let's talk about some of the most common strategies for encryption at rest. Full volume or full disk encryption protects the entire storage disk on the database server safeguarding against physical security threats. However, it's important to note that when the volume is mounted and running, privileged users with access to the server may be able to access the database files. Database level encryption secures all data within the database environment itself using the database management system's built in capabilities for enhanced security. This level of encryption is effective against privileged users with access to the servers. Implementing multiple types of encryption can increase system complexity and require a variety of tools. Careful consideration is essential to avoid operational intricacies. Now let's shift our attention to how encryption at rest works in MongoDB. MongoDB has native support for encryption at rest directly through its WiredTiger storage engine. This feature allows it to encrypt data files such that only parties with the decryption key can read data. To securely encrypt your data on disk, MongoDB uses both a master key and a data encryption key, which is often abbreviated to DEK. The master key is used to encrypt and decrypt the data encryption keys. The master key is stored separately from your database and data encryption keys using a key management service that communicates through the key management interoperability protocol. A key management service or KMS is like a secure digital vault that creates, stores, and manages the cryptographic keys. The key management interoperability protocol or KMIP is an open standard that allows a KMS to communicate securely with various systems and applications for cryptographic operations. This standardized protocol simplifies and unifies the management of encryption keys throughout their entire life cycle. By using a KMIP compliant KMS, organizations can use different software vendors and platforms while maintaining consistent, secure key management practices across their entire infrastructure. The data encryption key or DEK, on the other hand, is stored locally on the MongoDB server and is encrypted using the master key. DEKs are used to encrypt and decrypt the data on the storage disk. Even if someone gains unauthorized access to our data, they still cannot decrypt it without the master key. Now that you understand how encryption at rest is used with MongoDB, let's quickly discuss the differences between Atlas and self managed deployments. Atlas uses full disk encryption by default. As an additional security layer, you can enable storage engine level encryption by bringing your own keys. If you decide to leave and take your key with you, no one will be able to read the data unless the master key is returned. For MongoDB enterprise advanced deployments, MongoDB creates and manages the data encryption keys while you'll need to generate and maintain the master key. As you can see, encryption at rest is an essential tool to protect your data from breaches and unauthorized access. Let's take a moment to recap what we learned in this video. First, we learned that encryption at rest is the process of encrypting data that has been written to the storage disk. We also learned that both MongoDB Atlas and Enterprise Advanced support encryption at rest. Finally, we explored how MongoDB uses a master key and data encryption keys to encrypt the data stored on disk.