
All news with #encryption at rest tag

38 articles

Microsoft Weighs Patch for YellowKey BitLocker Flaw

🔒 Microsoft is evaluating a patch for a newly disclosed zero-day, YellowKey, which can bypass BitLocker encryption and allow local attackers to read and modify files. The company issued an advisory for CVE-2026-45585 and provided immediate mitigation guidance while a fix is considered. Organizations are urged to limit physical access to vulnerable devices, audit their environments, and strengthen Secure Boot and firmware integrity controls.

AWS Advanced JDBC Wrapper Adds KMS Column Encryption

🔒 The AWS Advanced JDBC Wrapper now includes a KMS Encryption plugin that provides column-level client-side encryption for Java applications. Operating in the JDBC driver layer, the plugin encrypts values before they reach the database and decrypts them on read, keeping plaintext visible only to the application while allowing HMAC-based integrity checks. It integrates with Aurora and RDS (PostgreSQL- and MySQL-compatible), Spring, Hibernate, and common connection pools without code changes, and is available as open source under the Apache 2.0 license.

Amazon OpenSearch Adds Index-Level Encryption with KMS

🔒 Amazon OpenSearch Service now supports index-level encryption using AWS Key Management Service (KMS) customer managed keys. This allows you to assign different customer managed keys to individual indexes on the same domain, enabling more granular, tenant-specific encryption policies and isolating encrypted data across indexes. The capability builds on existing domain-level encryption and is available at no additional cost for domains running OpenSearch 3.3 or later in select AWS Regions.

Amazon S3: New Default Disables SSE-C for Buckets Globally

πŸ” Amazon S3 is rolling out a new default bucket security setting that will automatically disable server-side encryption with customer-provided keys (SSE-C) for all new general purpose buckets. For existing buckets in accounts without any SSE-C-encrypted objects, S3 will also block SSE-C for new write requests. AWS will not change buckets in accounts that already use SSE-C. The rollout covers 37 regions, including AWS China and GovCloud, over the next few weeks.

Amazon RDS for Oracle Now Available on AWS Outposts

🏢 Amazon RDS for Oracle is now available on AWS Outposts, enabling customers to run a managed Oracle database service on-premises with the same operational model used in AWS Regions. The offering supports Oracle Database 19c and 21c under a BYOL model and includes automated backups, automated patching, point-in-time recovery, CloudWatch monitoring, and encryption at rest with AWS KMS. It also supports multi-AZ deployments across Outposts racks for high availability and provides options for disaster recovery to the parent AWS Region or across Outposts.

Amazon ECS Managed Instances Add FIPS for Graviton/GPU

🔒 Amazon now supports FIPS-compliant operation for Amazon ECS Managed Instances running Graviton-based and GPU-accelerated workloads in the AWS GovCloud (US) Regions. ECS Managed Instances in GovCloud enable FIPS by default, use FIPS-compliant endpoints and validated cryptographic modules, and boot kernels in FIPS mode. Customers can enable the feature via the Console, ECS MCP Server, ECS Express Mode, or infrastructure-as-code; management charges apply in addition to EC2 costs.

HP launches TPM Guard to block physical TPM attacks

🔒 HP announced TPM Guard, a hardware-plus-firmware solution introduced at its Imagine event, which creates an authenticated, encrypted tunnel between the TPM and the CPU to protect keys in transit. The design cryptographically binds the TPM to the host processor so the chip stops functioning if removed. HP says the feature thwarts low-cost physical attacks that can intercept TPM communications and will be available via firmware update on selected G2 commercial PCs starting in July, with broader integration in future models.

Amazon Redshift: Federated Permissions via IAM IdC

πŸ” Amazon Redshift now supports federated permissions with AWS IAM Identity Center (IdC) across multiple AWS Regions, letting you extend IdC from a primary Region to additional Regions for improved proximity-based performance and resilience. In those Regions you can create Redshift and Lake Formation Identity Center applications without replicating identities, so existing workforce identities can query warehouses while row-, column-level and masking controls continue to apply automatically. Users benefit from single sign-on access via Amazon QuickSight, the Redshift Query Editor, or third-party SQL tools, simplifying access and compliance across regions.

Amazon Managed Grafana Adds Customer-Managed KMS Keys

πŸ” Amazon Managed Grafana now supports customer-managed keys (CMKs) through AWS Key Management Service (KMS), enabling you to encrypt workspace data with keys you control. Previously, Amazon Managed Grafana used AWS-owned keys by default; this option lets organizations add a self-managed encryption layer to meet compliance and regulatory requirements. The feature is available in all generally available regions except AWS GovCloud (US) Regions.

Amazon Aurora enables default server-side encryption

🔒 Amazon Aurora now automatically applies server-side encryption by default to all new database clusters created without custom encryption settings, using AWS-owned keys. This fully managed encryption is transparent to users and incurs no cost or performance impact. Existing clusters are unaffected; you can still select customer-managed or AWS-managed KMS keys during creation. Available in all AWS Regions, including GovCloud.

Preparing for the Quantum Era: A Call to Secure PQC

πŸ” Google issues a call to action to protect digital systems against quantum threats, outlining its post-quantum cryptography (PQC) work and policy recommendations. The company warns that large-scale quantum computers could break current public-key cryptography and cautions about 'store now, decrypt later' harvesting of encrypted data. Google commits to research transparency, completing PQC migrations within NIST guidelines, and strengthening crypto agility, critical shared infrastructure, and ecosystem readiness.

Microsoft Provides BitLocker Keys to FBI Under Orders

πŸ” Microsoft has the technical ability to release BitLocker recovery keys to the FBI when presented with appropriate court orders, a capability reportedly exercised roughly twenty times per year. While users can keep recovery keys only on their own devices, Microsoft advises storing them on its servers for convenience. That cloud backup simplifies recovery after lost credentials or device lockouts but also makes keys accessible to law enforcement through subpoenas or warrants.

Google Cloud Single-tenant Cloud HSM Now Generally Available

πŸ” Single-tenant Cloud HSM is now generally available in the U.S. and EU, offering dedicated, hardware-enforced key isolation for regulated workloads. It provides FIPS 140-2 Level 3 validated Marvell LiquidSecurity HSMs, quorum-based administration, and the ability to revoke Google access to make keys unavailable. Google manages provisioning and high availability while customers retain root key control and can provision clusters in minutes using gcloud.

Update Server-Side Encryption Type for Amazon S3 Objects

🔒 You can now change the server-side encryption type of encrypted objects in Amazon S3 without moving data. Use the UpdateObjectEncryption API to atomically change encryption keys across any object size or storage class, and run it at scale with S3 Batch Operations to standardize entire buckets while preserving object properties and Lifecycle eligibility. The capability supports migrating from SSE-S3 to SSE-KMS, swapping customer-managed KMS keys, and enabling S3 Bucket Keys to reduce KMS requests. The API is available in all AWS Regions via the AWS Management Console and SDKs.

Microsoft Handed BitLocker Keys to US Law Enforcement

πŸ” Microsoft complied with a US search warrant in early 2025 and provided BitLocker recovery keys stored on its servers to investigators probing alleged COVID unemployment fraud in Guam. Because many Windows installations back up recovery keys by default to Microsoft cloud services, those keys were retrievable when legally compelled. Experts stress this is a custody and governance issue rather than a cryptographic failure of BitLocker, and recommend restricting default cloud backups, enforcing strict admin controls, and redirecting keys to on‑premises or enterprise key vaults where possible.

EMR Serverless Supports AWS KMS Customer-Managed Keys

🔒 Amazon EMR Serverless now supports encrypting local disks with AWS KMS customer managed keys (CMKs), enabling customers to adopt CMKs instead of default AWS-owned keys for greater encryption control. You can use CMKs from the same account or from another account and apply them at the application level or per job run and interactive session. This capability is supported on new and existing EMR Serverless applications across all supported EMR release versions and is available in all Regions, including AWS GovCloud (US) and China.

Unencrypted TETRA Radio Leaves German Critical Sites Exposed

⚠️ Many German critical infrastructure organizations are transmitting over unencrypted digital radio, creating an easily exploitable interception vector. Wirtschaftswoche reports that prisons, airports and energy providers are operating TETRA networks without encryption—often citing cost reasons—while police networks remain multi-layer encrypted. AG Kritis calls the situation a security-policy disgrace, warning that a laptop, free software and modest technical skill are sufficient to eavesdrop and capture confidential information, potentially endangering supply security and lives.

Ransomhouse Upgrades: Dual-Encryption Attacks on VMware

🔒 Palo Alto Networks warns that the Jolly Scorpius group has significantly upgraded its Ransomhouse RaaS with a dual-key encryption trojan called Mario, combining a 32-byte primary key and an eight-byte secondary key that make recovery extremely difficult. Attack automation via MrAgent targets VMware ESXi hypervisors, enabling rapid cluster-wide encryption and firewall neutralization. The campaign primarily targets German companies; recommended mitigations include hardening virtual environments, immutable backups, and strict network segmentation.

Hardware-accelerated BitLocker arrives in Windows 11

🔒 Microsoft is rolling out hardware-accelerated BitLocker in Windows 11, offloading bulk cryptographic operations to SoC components with HSMs and TEEs to reduce CPU usage and improve I/O performance. The feature defaults to XTS-AES-256 on supported NVMe systems and initially appears on Intel Core Ultra Series 3 platforms. It's available in Windows 11 24H2 (with September updates) and 25H2; verify the mode with manage-bde -status.

Passwd: Google Workspace Password Manager Walkthrough

🔒 Passwd is a Google Workspace–focused password manager that emphasizes practical, business-oriented credential storage and seamless integration with Google Workspace. It uses client-side AES-256 encryption and a zero-knowledge design so only users can decrypt stored secrets, while SOC 2 and GDPR readiness support regulated environments. Administrators gain centralized controls, role-based permissions, audit logs, and scalable deployment options including hosting inside a customer Google Cloud project. Cross-platform access via web, browser extensions, and mobile apps plus autofill, password generation, and activity tracking make it a low-friction choice for teams committed to Google tools.