Compliance

Encryption at rest

Storing data in an encrypted form on disk, so even if the storage media is stolen or copied, the data cannot be read without the encryption keys. The standard for any system holding customer data.

What it means

Encryption at rest means the data on disk (databases, file storage, backup media) is stored in encrypted form. If someone physically steals the drive or accesses the raw storage layer, they get encrypted bytes that are useless without the keys. Decryption happens only at read time, by authorised processes.

This is distinct from encryption in transit, which protects data while it is moving between systems (HTTPS, TLS). A modern security posture requires both.
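As an added illustration (not code from respond.io or from this glossary), the following Go program shows the pattern the definition above describes: a record is written to disk only in AES-256-GCM encrypted form, a reader that holds the key can recover it, and anyone who copies the raw file without the key sees only ciphertext. The record, file name and in-memory key are constructed for the example; in a real deployment the key would come from a key-management service or HSM rather than being generated in the process.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Constructed sample record (a hypothetical chat message); not real customer data.
const sampleRecord = `{"from":"+6500000000","text":"Appointment confirmed for Monday 9am"}`

// sealRecord encrypts plaintext with AES-256-GCM under key and returns nonce||ciphertext||tag.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and auth tag after the nonce so a single blob is stored.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord reverses sealRecord; it fails if the key is wrong or the blob was altered.
func openRecord(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// WriteEncrypted stores the record on disk in encrypted form only (mode 0600).
func WriteEncrypted(path string, key, plaintext []byte) error {
	blob, err := sealRecord(key, plaintext)
	if err != nil {
		return err
	}
	return os.WriteFile(path, blob, 0o600)
}

// ReadEncrypted is the authorised read path: it holds the key, so it can decrypt at read time.
func ReadEncrypted(path string, key []byte) ([]byte, error) {
	blob, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return openRecord(key, blob)
}

// StoredBytesContainPlaintext models someone copying the raw file: does the stored
// blob reveal the plaintext without the key? For encrypted storage it must not.
func StoredBytesContainPlaintext(path string, plaintext []byte) (bool, error) {
	blob, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	return bytes.Contains(blob, plaintext), nil
}

// newKey generates a random 256-bit key (illustrative; use a KMS/HSM in production).
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func main() {
	dir, _ := os.MkdirTemp("", "rest-example")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "message.bin")
	key, _ := newKey()
	_ = WriteEncrypted(path, key, []byte(sampleRecord))
	leaks, _ := StoredBytesContainPlaintext(path, []byte(sampleRecord))
	got, err := ReadEncrypted(path, key)
	fmt.Printf("plaintext visible on disk: %v\nauthorised read ok: %v (%q)\n", leaks, err == nil, got)
	wrong, _ := newKey()
	_, err = ReadEncrypted(path, wrong)
	fmt.Printf("read with wrong key failed: %v\n", err != nil)
}
```

The security property this demonstrates is the one the definition relies on: the file on disk is useless without the key, and because GCM authenticates the ciphertext, a modified blob is rejected rather than silently decrypting to garbage. Losing or exposing the key collapses the protection, which is why key management, not the cipher, is the hard part of encryption at rest.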

Why it matters

Encryption at rest is the last line of defence. If your access controls fail, your audit logging fails and your authentication is bypassed, encryption at rest is what still stops attackers from reading customer records.

It is also a compliance requirement under PDPA, GDPR, HIPAA, and most other modern data laws. Storing personal data unencrypted is no longer defensible.

Example

A healthcare clinic uses respond.io for WhatsApp. respond.io encrypts all message data at rest in their cloud database; AWS additionally encrypts the underlying storage. If either layer is compromised, the data remains encrypted. The clinic can confirm this in writing for their compliance audits, with no ambiguity.

Where this comes up
