Encryption at rest protects data while it’s stored on disk: databases, uploaded files, backups, log files, search indices. The standard algorithm is AES-256.
For customer portals handling sensitive data (PHI, financial data, personally identifiable information), encryption at rest is non-negotiable. Most cloud providers (AWS, Azure, GCP) offer encryption at rest with vendor-managed keys by default. Higher-security use cases use customer-managed keys (BYOK — bring your own key) through services like AWS KMS, Azure Key Vault, or Google Cloud KMS.
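The following Python check is an added example, not code from this page or from any vendor. It classifies S3 bucket default-encryption settings as unencrypted, vendor-managed, or customer-managed, and lists the buckets that fall short of a required level. The bucket names, account ID, key ARNs and the inventory dictionaries are constructed assumptions; the field names follow the S3 GetBucketEncryption and KMS DescribeKey response shapes.

```python
# Added example: bucket names, account ID and key ARNs below are constructed.
# Field names follow the S3 GetBucketEncryption / KMS DescribeKey responses.
ORDER = ["none", "unknown-key", "vendor-managed", "customer-managed"]

def classify_rule(rule, kms_keys):
    """Classify one default-encryption rule by who manages the key."""
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    algo, key_id = default.get("SSEAlgorithm"), default.get("KMSMasterKeyID")
    if algo == "AES256":
        return "vendor-managed"      # SSE-S3: the provider owns the key
    if algo in ("aws:kms", "aws:kms:dsse"):
        if not key_id:
            return "vendor-managed"  # no key named: the AWS managed key is used
        meta = kms_keys.get(key_id)
        if meta is None:
            return "unknown-key"     # key missing from the inventory
        is_customer = meta.get("KeyManager") == "CUSTOMER"
        return "customer-managed" if is_customer else "vendor-managed"
    return "none"

def classify_bucket(enc_config, kms_keys):
    """Return the weakest classification across a bucket's rules."""
    rules = (enc_config or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return min((classify_rule(r, kms_keys) for r in rules),
               key=ORDER.index, default="none")

def audit(buckets, kms_keys, required="customer-managed"):
    """List buckets whose encryption falls short of the required level."""
    need = ORDER.index(required)
    return sorted(name for name, cfg in buckets.items()
                  if ORDER.index(classify_bucket(cfg, kms_keys)) < need)

def make_config(algo, key_id=None):
    """Build a constructed GetBucketEncryption-style response."""
    default = {"SSEAlgorithm": algo}
    if key_id:
        default["KMSMasterKeyID"] = key_id
    return {"ServerSideEncryptionConfiguration":
            {"Rules": [{"ApplyServerSideEncryptionByDefault": default}]}}

CMK = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-customer-key"
AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-aws-managed-key"
KMS_KEYS = {CMK: {"KeyManager": "CUSTOMER"}, AWS_KEY: {"KeyManager": "AWS"}}
BUCKETS = {
    "portal-uploads": make_config("aws:kms", CMK),
    "portal-backups": make_config("AES256"),
    "portal-logs": make_config("aws:kms", AWS_KEY),
    "portal-search": None,  # no default-encryption configuration recorded
}
```

Calling `audit(BUCKETS, KMS_KEYS)` returns the buckets that are encrypted with vendor-managed keys or not at all, which is the gap a customer-managed-key requirement is meant to close.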
See Secure Client Portal.