Encryption at rest
Scrambling stored files on the provider’s servers so they stay unreadable without the decryption keys.
Encryption at rest is the practice of storing your documents on a data room provider’s servers in scrambled form, so that the raw files sitting on disk, in a database, or in backup snapshots are meaningless to anyone without the decryption keys. It protects data when it is idle, not while it moves. If an attacker walked out of a data center with a hard drive, or a rogue employee copied a storage volume, encryption at rest is what turns that stolen data into unreadable noise instead of a folder of confidential contracts. In a virtual data room, where you upload the most sensitive records a company owns, it is the baseline expectation, and the algorithm, key length, and key management behind it are what separate a marketing checkbox from real protection.
How does encryption at rest work in a data room?
When you upload a file, the data room’s storage layer encrypts it before writing it to disk, almost always with the Advanced Encryption Standard using 256-bit keys, known as AES-256. The readable file only ever exists in memory during an authorized session; on the physical media it lives as ciphertext. Two questions decide how strong that really is: what encrypts the data, and who holds the keys.
Most providers use a layered key model. Each file or block is locked with a data encryption key, and those keys are themselves locked with a master key held in a hardware security module or a managed key service. Rotating the master key re-protects everything beneath it without touching the underlying files. This pairs with encryption in transit, which guards the same data with TLS while it travels between your browser and the server. Rest and transit together close the two obvious gaps; a room that encrypts one but not the other leaves a door open.
Why does encryption at rest matter for M&A and due diligence?
In a merger, acquisition, or fundraising round, the files you place in the room, financial models, customer contracts, cap tables, employee records, are exactly the assets a data breach headline is made of. Encryption at rest is the control that keeps a server-side compromise from becoming a disclosure of your deal. It also underpins the compliance story buyers will probe during due diligence: AES-256 at rest is a stated requirement or expectation across GDPR-aligned practice, SOC 2, and ISO 27001, so an independently audited certification is your proof that the encryption claim is real rather than aspirational. For the most sensitive rooms, teams look for zero-knowledge encryption, where the provider itself cannot read your files because it never holds the usable keys.
A concrete example
A biotech firm raising a Series C uploads its trial data and patent filings to a data room. Months later, the provider’s cloud host discloses that an old backup volume was exposed. Because every file on that volume was AES-256 encrypted at rest and the keys lived in a separate managed vault the attacker never reached, the exposed data was ciphertext with no usable key alongside it. The firm’s counsel confirms nothing readable left the environment, and the raise proceeds. Without encryption at rest, the same event would have meant handing competitors a copy of the crown jewels.
How should you evaluate encryption at rest?
The word “encrypted” on a feature page tells you little. Ask sharper questions.
| Question | Weak answer | Strong answer |
|---|---|---|
| Algorithm | ”Bank-grade”, unspecified | AES-256, stated |
| Key custody | Provider holds all keys, unclear | HSM-backed vault, optional customer-managed keys |
| Key rotation | Never, or on request only | Automated, scheduled rotation |
| Scope | Live files only | Files, metadata, and backups |
| Proof | Self-declared | SOC 2 and ISO 27001 audited |
The common mistakes are treating encryption at rest as a yes or no line item, ignoring who controls the keys, and forgetting that backups need the same protection as live data. For the full picture, see our guide to virtual data room security and the practical VDR security features checklist. When encryption specifics decide your shortlist, our side-by-side comparisons and hands-on provider reviews record exactly what each vendor implements.
FAQ
Is encryption at rest the same as encryption in transit? No. Encryption at rest protects stored, idle files on the provider’s disks and backups. Encryption in transit protects the same data with TLS while it moves over the network. A secure data room needs both; each closes a gap the other leaves open.
Does encryption at rest stop the provider from reading my files? Not by itself. If the provider holds the keys, its staff or systems can decrypt your data when needed. Only a zero-knowledge encryption model, where you control keys the provider never possesses, prevents the provider from reading your documents.
What encryption standard should a data room use at rest? AES-256 is the accepted benchmark and the level cited across ISO 27001 and SOC 2 aligned practice. If a provider will not state the algorithm and key length in writing, treat that vagueness as a red flag rather than a reassurance.