a year ago
I was wondering if the databases on Railway are encrypted at rest. Couldn't find any clarification on this so far. Thanks.
18 Replies
a year ago
Wondering if the database as stored on disk wherever is encrypted. Not in transit by SSL but on disk.
a year ago
When you say volumes, are you referring simply to the mountable volume service alone or does that include services like PostgreSQL, Redis, etc.?
a year ago
A volume is more like an add-on to a service and all databases come with a volume attached and that is where the data is stored.
a year ago
Ah, thanks a lot.
a year ago
I'd like to clarify here: Encryption at rest typically refers to the storage layer. The term refers to encryption used to help protect data stored on a disk, backup media, or similar.
All customer data within Railway projects is encrypted at rest.
a year ago
Thanks for the clarification. Just so I'm not mistaken, volumes would fall under this category as well as where the databases are stored? And they are all encrypted at rest?
a year ago
I'd like clarification on this as well. What Christian said seems to conflict with what Brody said. It sounds like volumes are encrypted at rest? Please advise.
a year ago
It might be worth the time to update this document specifically on this point: https://docs.railway.app/maturity/compliance
I'm still unclear if I'd be lying to say our data is "encrypted at rest" or not
a year ago
How would I go about getting a concrete answer here? I need to speak with a Railway staff member.
- A Paying Customer
10 months ago
Bump
10 months ago
To clarify:
All user data that Railway (the platform) holds is encrypted at-rest. For instance, your project's name, configuration, account information, etc. is encrypted at-rest. Service Variables have an additional layer of encryption on them and they are decrypted only when needed (e.g. when you click on the "Eye" icon next to the variable in your service, or when we deploy your application). This is what Christian was referring to.
All data that you (the user) hold is encrypted at-rest on the storage level. The underlying data is encrypted at-rest, however we do not encrypt individual volumes at the software level. This is what I was referring to (per Brody's post).
By "encrypted at-rest", we mean that they're encrypted at the lowest level. Ergo, if somebody were to gain physical access to the disk that your data resides in (whether that's from a database you have on Railway, or your user account's information), they would not be able to view the data unless they possess the decryption key.
@jpowell my apologies for missing this. We respond to all threads created by Pro users, but replies like this (in other threads) might get lost in our feed -- I'd recommend creating a new thread if you require a faster response from us.
edit: further clarification from a compliance perspective -- this means that Railway checks the "is data encrypted at rest" box.
10 months ago
OK - that's great to know! Thanks!
4 months ago
Just wanted to say it might be good to add a formal description of this and some more details to the documentation? It seems like a fairly common question, both here and in the Discord. I'm getting grilled by the CASA security people about the algorithm, etc. Hopefully they are satisfied with the description above.
4 months ago
We now have a trust center that clearly states the information ray provided above.
https://trust.railway.com/?itemName=data_security&source=click&itemUid=4ea65d1e-79fb-47cf-95a8-bdb24d2d6a4b
For extra context, I did not work for Railway when I made my previous comments.
4 months ago
Ah, fantastic! Thanks very much. Yes, I noticed that going through the old Discord posts—glad they brought you on.
Status changed to Solved brody • 5 months ago