This is more of a question, but the answers can go in the documentation.
Why use Yugabyte built-in encryption at rest when you can do encryption at the filesystem level or device hardware level?
- possible answer: because the data will be plaintext readable by unix users
  - with permissions restricting the data dir, only the unix user that creates the cluster should be able to read the data, and that unix user would have full authentication capabilities to access the DB anyway if it were encrypted at rest
- possible answer: because of KMS integration and key rotation
  - that might be possible with LUKS filesystem encryption as well (not too sure about this one)
- possible answer: because we don't want to encrypt other data
  - you can partition your disk or use multiple disks
When done at the database layer, the feature and associated capabilities like key rotation are cluster-wide. When done at the filesystem level, it becomes the operations team's burden to orchestrate things manually/externally on every node. And the degree to which filesystems or external encryption mechanisms support online operations -- i.e. when the database processes are still running -- can vary too.