Database Encryption at Rest
This section covers Aptible's default managed encryption. For more information about encryption using AWS Key Management Service, see Custom Database Encryption.
Aptible automatically and transparently encrypts data at rest.
Database encryption uses eCryptfs, and the algorithm used is either AES-192 or AES-256.
📘 You can determine whether your Database uses AES-192 or AES-256 for disk encryption through the Dashboard. New Databases will automatically use AES-256.
Aptible encrypts your data at the disk level. This means that to rotate the key used to encrypt your data, all data needs to be rewritten on disk using a new key. If you're not using Custom Database Encryption, you can do so by dumping the data from your database, then writing it to a new database, which will use a different key.
However, rotating keys this way will inevitably cause downtime while you dump and restore your data. This may take a long time if you have a lot of data.
Therefore, if you must conform to a strict key rotation schedule, we recommend implementing Application-Level Encryption.