Data-at-rest Encryption with Fortanix SDKMS

Data-at-rest encryption covers a number of encryption methods applied to the different types of data stored across the IT stack of an enterprise environment. Three broad categories, corresponding to the level or layer at which encryption is performed and at which the keys and data are stored, can be used to describe it:

  • Transparent Data Encryption (TDE)
  • Application-level encryption
  • Storage encryption (e.g. data-warehouses and data-lakes, unstructured data of all sorts)


Key differences between data-at-rest encryption methods

TDE
  • Database-only encryption
  • Data is encrypted and decrypted on the database (i.e. server-side), so it is decrypted when sent out
  • Encryption keys are managed by the database
  • Can encrypt/decrypt columns, tables or the entire database
  • Doesn't require any change to the applications authorized to access/query the database
  • Utilizes common encryption protocols (e.g. PKCS#11, KMIP)

Application-level encryption
  • Any data encryption
  • Data is encrypted and decrypted by the application (i.e. client-side), so it is still encrypted when it leaves the database
  • Encryption keys are managed by the application
  • Can encrypt/decrypt columns, tables or the entire database
  • Requires changes to the applications for encrypt/decrypt and access controls; this is application-specific, manual and time-consuming
  • Utilizes REST APIs and, if applicable, common encryption protocols (e.g. PKCS#11, CNG, JCE)

Storage (unstructured data) encryption
  • Any data encryption, including disks and partitions
  • Data is encrypted and decrypted in the storage layer, and is decrypted when pulled out
  • Encryption keys are managed in the storage layer
  • Cannot encrypt/decrypt individual tables or columns
  • Doesn't require any change to the applications authorized to access/query the database
  • Utilizes a common encryption protocol (KMIP) and, if applicable, REST APIs
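Application-level encryption as the comparison above defines it, as an added example that is not part of this page or of SDKMS's own code: the key manager is a constructed in-process stub standing in for the external KMS, column values are sealed on the application side so the database only ever stores ciphertext, and, going one step beyond the text, the table/column/row locator is bound as associated data so a ciphertext copied to another row or column fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS is a constructed stand-in for an external key manager: the application
// obtains a handle to the data-encryption key but never persists the key itself.
type KMS struct{ g cipher.AEAD }

func NewKMS() *KMS {
	dek := make([]byte, 32) // AES-256 key, generated inside the stub
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return &KMS{g: g}
}

// EncryptField encrypts one column value on the application side, so the
// database only ever stores nonce||ciphertext||tag. The table/column/row
// locator is bound as associated data: a ciphertext copied to another row
// or column will not decrypt.
func EncryptField(k *KMS, loc, plaintext string) []byte {
	nonce := make([]byte, k.g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, k.g.Seal(nil, nonce, []byte(plaintext), []byte(loc))...)
}

// DecryptField runs in the application; the database cannot perform this step.
func DecryptField(k *KMS, loc string, stored []byte) (string, error) {
	n := k.g.NonceSize()
	if len(stored) < n+k.g.Overhead() {
		return "", errors.New("stored value too short")
	}
	pt, err := k.g.Open(nil, stored[:n], stored[n:], []byte(loc))
	return string(pt), err
}
```

A query issued directly against the database returns the stored bytes unchanged; only a caller holding the KMS handle and the correct locator recovers the value.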

The table below summarizes where each encryption method applies.

Encryption levels compared, with one column each for TDE, App-Level Encryption (incl. tokenization) and Unstructured Data Encryption (EDW):

  • User space
  • File / Database
  • OS Level
  • File System
  • HW / Sub-OS level


Stored data in databases and data warehouses needs to be encrypted at all times, yet securely accessible on demand.
However, as the volume and distribution of data grow, and the use-cases and applications that need to access that data multiply, existing and legacy solutions fail:

  1. Their performance is limited.
  2. They cannot cluster or scale well enough to adapt to clustered databases or geographically distributed data stores.
  3. They are fragmented into disparate standalone solutions, which further complicates the challenge, as typically more than one solution is required (e.g. TDE and tokenization).

This complexity and the lack of adequate scalable solutions lead to a situation where the encryption keys are typically held in software-only key stores — a clear security risk.

SDKMS changes that status-quo

Fortanix SDKMS provides a next-generation solution encompassing all data-encryption needs in a single, easy-to-use product with minimal TCO. SDKMS was designed to serve the needs of modern, distributed, agile and hybrid IT environments.

All three encryption methods (and more) are delivered through one centrally managed solution. No use-case-specific clients (e.g. for file encryption, TDE or application encryption) are required. SDKMS removes the OS and application dependency (and complexity) by using REST APIs and standard cryptographic interfaces. All of our APIs and cryptographic interfaces are provided free of charge, for any number of users or applications.

Delivered as a service in a number of deployment and provisioning models, SDKMS can easily adapt to any requirement and any deployment scenario.

SDKMS features strict role-based access control and segregation of users and roles, allowing customers to be confident in the security and privacy of their data in any hosted environment while enabling compliance with regulations such as GDPR.

Fortanix’ core design principle is simplicity. Above all, simplicity means better security.

Structured and Unstructured Data Encryption diagram