Encryption at rest

Data is encrypted while it's sitting on disk, decrypted only when something authorized actually reads it. Protects against an attacker who walks off with the physical drive (or a backup, or a stolen laptop). Distinct from encryption in transit (TLS) and end-to-end encryption (only the endpoints can decrypt) — useful, but not a substitute for either.