APIs for Encryption at Rest The encryption at rest feature includes APIs for working with encryption, using either the default keystore (the internal PKCS #11 secured wallet) or a KMIP-compliant external KMS.