GrapheneDB provides an _Encryption at rest_ feature on all Performance and Enterprise databases provisioned after December 1st, 2017.

The feature is fully transparent to the user and encrypts the following types of data:

  • Data at rest inside the disk volume

  • All data moving between the disk volume and the server instance

  • All backups created from the volume

Disk volume and backups are encrypted using the industry-standard AES-256 algorithm, which meets a comprehensive range of compliance standards, such as HIPAA, PCI and NIST. Backups are decrypted on the fly when downloaded by the user, when used internally to provision new servers, or when performing database restores.

## Feature availability

| Tier | Encryption at rest (disk volume and backups) |
| --- | --- |
| Performance | Yes, free of charge. |
| Enterprise | Yes, free of charge. |


The encryption at rest feature is enabled in all newly provisioned Performance and Enterprise databases. Any existing databases will remain unencrypted.

## Creating a new database with encryption at rest

When creating a new database, encryption at rest will be enabled automatically if it is supported by the plan (Performance and Enterprise only).


You can verify whether encryption at rest is enabled for any database by looking at the database overview page on the GrapheneDB dashboard. If it is enabled, you will see an “Encryption at rest enabled” badge on the database overview page.


In addition, you can also check if encryption at rest is enabled for your database backups by looking in the _Backups_ section of the Dashboard UI.

## Enabling encryption at rest for an existing database

Encryption at rest is automatically enabled at provisioning time for new databases created after December 1st, 2017, provided the database plan supports the feature (Performance and Enterprise only).

If you want to enable encryption at rest for a database that does not support this feature, such as databases created prior to December 1st, 2017, or in the Hobby plan, you will need to clone your existing database into a new Performance or Enterprise database first.

  1. From the Dashboard UI, open the _Clone database_ page

  2. Select the origin database

  3. Make sure to use the _“Clone by exporting selected database”_ option, so that no data is lost

  4. Make sure to select a plan that supports Encryption at rest (Performance, Enterprise)

  5. Finish the process by clicking on the _“Clone database”_ button


The origin database is left unchanged and **will not be encrypted**. You will need to point your application to the new database. If you want to avoid having your data stored without encryption, **remember to delete the origin database once you have completed the migration**.