To satisfy data-at-rest encryption requirements for a database, which option BEST satisfies the requirement?

• A. Install an SSL certificate and only allow secure connections to the server
• B. Enable two-factor authentication on connections to the database server and log activities
• C. Activate memory encryption on the virtual server and store the certificates remotely
• D. Create a virtual encrypted disk, add it to the virtual server, and have the database write to it

Answer: (A)

Data-at-rest encryption protects data that is stored on disk, not the data as it travels or while it’s loaded into memory. Using an SSL certificate and requiring secure connections protects data in transit between clients and the database, so it does not satisfy encryption of stored data on disk. Encrypting data only in memory covers data during processing, but once written to storage it remains unencrypted unless the storage itself is encrypted. By creating a virtual encrypted disk and configuring the database to write data files to that disk, the actual stored data is encrypted on disk, meeting the data-at-rest requirement. Options that focus on remote storage of certificates or on memory protection do not provide the same protection for data at rest.