What is encryption at rest?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Encryption at rest means your emails are encrypted while stored on a server's hard drive. If someone breaks into the data center, steals a backup drive, or gets unauthorized access to the filesystem, the stored messages remain unreadable without the decryption keys.

Most ESPs implement this at the database or filesystem level. Amazon SES, Microsoft 365, Google Workspace, and others use encryption at rest to protect your stored messages and archives. The encryption happens automatically in the background. You don't configure it yourself.

Here's the important part: encryption at rest is NOT the same as end-to-end encryption. With encryption at rest, the ESP holds the decryption keys. They can read your messages whenever they want (to scan for spam, process a support ticket, or comply with a court order). The encryption protects against physical theft of hardware, not against the ESP itself.

If you need true confidentiality where the ESP can't read your messages, you want PGP or S/MIME. With those, you encrypt the message before it reaches the ESP's servers. But for most senders, encryption at rest is enough. It protects against data breaches from stolen hardware without requiring your recipients to install special software.

Why this matters: if you're in healthcare (HIPAA), finance (PCI-DSS), or the EU (GDPR), encryption at rest is often required for stored data. Most major ESPs already do this by default, but it's worth confirming if you're sending sensitive information. Check your ESP's security documentation or ask their support team directly.

Encryption at rest works alongside encryption in transit (which protects messages while traveling between servers). Together, they protect your emails at two different points in the lifecycle. At rest protects stored data. In transit protects moving data.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get help with your encryption setup

I read this on the Email Almanac about "What is encryption at rest": "Encryption at rest means your emails are encrypted while stored on a server's hard drive. Most ESPs implement this at the database or filesystem level. The encryption happens automatically in the background. The important part: encryption at rest is NOT the same as end-to-end encryption. With encryption at rest, the ESP holds the decryption keys. They can read your messages whenever they want. The encryption protects against physical theft of hardware, not against the ESP itself." Help me understand how this applies to MY specific situation: 1. ESP security check: Based on my ESP and sending setup, what should I verify about encryption at rest? Are there specific security certifications or documentation I should review? 2. Compliance requirements: Given my industry and the type of data I send (healthcare, finance, customer data, etc.), do I need encryption at rest, or do I need end-to-end encryption instead? 3. Migration concerns: If I'm switching ESPs, what questions should I ask about their encryption at rest implementation? What happens to my archived messages? 4. Next-level security: If encryption at rest isn't enough for my use case, what's the practical path to implementing PGP or S/MIME? What are the trade-offs? --- My details (the more you share, the better the advice): - Email platform/ESP: e.g. Mailchimp, AWS SES, Microsoft 365, Google Workspace - Industry/compliance needs: healthcare, finance, general business, government - Type of data sent: [receipts, password resets, patient communications, financial statements] - Current concern: [switching ESPs, compliance audit, security review, data breach in the news] - Experience level: beginner / intermediate / advanced

Edit the yellow boxes, then send to the AI of your choice.