ADR-096 is an architecture decision record that establishes encryption-at-rest protocols for securing persistent data in systems handling sensitive information. This decision record outlines a phased implementation approach for encrypting data stored on disk and in persistent memory layers, representing a critical component of modern data security infrastructure.
Encryption at rest refers to the cryptographic protection of data in its stored state, as distinguished from encryption in transit or data being actively processed. ADR-096 specifically addresses the implementation of encryption mechanisms for persistent memory and session data storage, ensuring that unauthorized access to physical storage media does not compromise sensitive information 1).
The decision record serves as a formal architectural specification for development teams implementing encryption standards across a distributed system. Unlike ad-hoc security measures, architecture decision records provide documented rationale, implementation constraints, and testing requirements that ensure consistent security posture across multiple service components and deployment environments.
ADR-096 specifies a four-phase implementation strategy that sequences the deployment of encryption capabilities across system components. This phased approach allows for incremental rollout while maintaining system stability and providing opportunities for validation at each stage.
The implementation encompasses 76 new test cases designed to verify encryption functionality, key management operations, performance characteristics, and failure recovery scenarios. These tests cover both unit-level cryptographic operations and integration-level workflows where encrypted data persists through multiple system layers 2).
Typical encryption-at-rest implementations involve several key components: selection of encryption algorithms (commonly AES-256 for symmetric encryption), key derivation and management infrastructure, integration with existing storage systems, and monitoring of encryption overhead and performance impact. The phased approach allows teams to address performance optimization in later phases after foundational encryption capabilities are operational.
ADR-096 ships across versions 3.6.28 through 3.6.30 as part of an active remediation cycle. This release window indicates a deliberate security improvement initiative rather than reactive patching, allowing customers to plan upgrades accordingly. The multi-version rollout suggests that encryption capabilities may be introduced progressively, with dependencies between versions managed through compatibility guarantees.
Active remediation cycles typically prioritize security enhancements that address architectural gaps or emerging threat patterns identified through threat modeling exercises or security assessments. The decision to implement encryption at rest suggests organizational recognition that persistent data protection represents a material security requirement for the system's threat model 3).
Implementation of encryption at rest introduces several technical considerations that architecture decision records must address. Key management strategies determine whether encryption keys are stored locally, in external key management services, or through hardware security modules. The choice of key management approach affects operational complexity, performance characteristics, and disaster recovery capabilities.
Performance implications of encryption at rest vary based on storage backend characteristics. Solid-state drives may exhibit different encryption overhead profiles compared to rotational disk systems. The test suite's inclusion of 76 distinct test cases suggests comprehensive coverage of both happy-path encryption operations and edge cases including key rotation, partial encryption of legacy data, and recovery scenarios.
Session data encryption adds particular complexity because session lookups typically operate in performance-sensitive code paths. Encryption strategies for session stores may employ techniques such as deterministic encryption for session identifiers (enabling database indexing) while using standard authenticated encryption for session payloads 4).
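The split described above, as an added example (not code from ADR-096 or the project it documents): a keyed HMAC-SHA-256 token stands in for deterministic encryption of the session identifier so the store can index on it, and AES-256-GCM protects the payload with that token bound as associated data. The function names, the in-memory `Map` store, the keys and the session values are constructed for illustration.

```javascript
// Added illustration; not code from ADR-096 or the project it belongs to.
const { createCipheriv, createDecipheriv, createHmac, randomBytes } = require("node:crypto");

// Constructed demo keys; in a real deployment these come from a KMS or HSM.
const INDEX_KEY = randomBytes(32);   // keys the deterministic lookup token
const PAYLOAD_KEY = randomBytes(32); // AES-256-GCM key for session payloads

// Deterministic: the same session ID always yields the same token, so the
// store can index on it without holding the raw identifier.
function lookupToken(sessionId) {
  return createHmac("sha256", INDEX_KEY).update(sessionId).digest("hex");
}

// Randomized AEAD: fresh 96-bit nonce per write. The lookup token is bound as
// associated data, so a ciphertext cannot be moved to another session's row.
function sealSession(store, sessionId, payload) {
  const token = lookupToken(sessionId);
  const nonce = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", PAYLOAD_KEY, nonce);
  cipher.setAAD(Buffer.from(token, "hex"));
  const ct = Buffer.concat([cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]);
  store.set(token, { nonce, ct, tag: cipher.getAuthTag() });
  return token;
}

// Returns the payload, or null if the row is missing or fails authentication.
function openSession(store, sessionId) {
  const token = lookupToken(sessionId);
  const row = store.get(token);
  if (!row) return null;
  try {
    const decipher = createDecipheriv("aes-256-gcm", PAYLOAD_KEY, row.nonce);
    decipher.setAAD(Buffer.from(token, "hex"));
    decipher.setAuthTag(row.tag);
    const pt = Buffer.concat([decipher.update(row.ct), decipher.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch {
    return null; // tampered ciphertext, swapped row, or wrong key
  }
}

// Constructed sample sessions.
const store = new Map();
sealSession(store, "sess-alice", { user: "alice", role: "admin" });
sealSession(store, "sess-bob", { user: "bob", role: "viewer" });
console.log(openSession(store, "sess-alice"));
```

The token column stays stable across writes for indexing, while rewriting the same payload produces a different ciphertext each time because of the fresh nonce.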
Encryption at rest provides protection against several threat categories: physical theft of storage media, unauthorized filesystem access through misconfigured permissions, and scenarios where storage is decommissioned without proper sanitization. However, encryption at rest does not protect against runtime memory disclosure, where encrypted data becomes plaintext during active processing.
The inclusion of encryption at rest in a formal architecture decision record indicates organizational commitment to layered security controls, recognizing that no single mitigation addresses all threat vectors. Additional controls such as access logging, encryption key auditing, and secure key deletion remain necessary complementary measures 5).