Protecting data at rest: encrypt data before writing it to disk.
E2E encryption: blocks should be encrypted by the sender (in our case, the host). Not applicable for now.
Key rotation: use a new key to encrypt new data without losing the ability to decrypt old data. Should be done periodically, or at least after an attacker has obtained the keys.
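
One way to implement the key rotation item above, as an added example in Go (not code from the project these notes describe): each encrypted block carries the ID of the key that sealed it, so new writes use the newest key while older blocks stay readable. The Keyring type, the 4-byte key ID header, the choice of AES-256-GCM and the demo keys are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Keyring maps key ID -> AES-256 key. Rotation adds an entry; old entries stay for reads.
type Keyring map[uint32][]byte
func (k Keyring) aead(id uint32) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(k[id]) // unknown ID gives a nil key, which NewCipher rejects
	if err != nil {
		return nil, fmt.Errorf("key %d: %w", id, err)
	}
	return cipher.NewGCM(blk)
}
// Seal encrypts a block under key id. Layout: keyID(4) || nonce(12) || ciphertext+tag.
func (k Keyring) Seal(id uint32, plain []byte) ([]byte, error) {
	g, err := k.aead(id)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 16)
	binary.BigEndian.PutUint32(hdr, id)
	if _, err := rand.Read(hdr[4:]); err != nil { // fresh random nonce per block
		return nil, err
	}
	return g.Seal(hdr, hdr[4:], plain, hdr[:4]), nil // key ID is authenticated as AAD
}
// Open reads the key ID from the header, so blocks sealed before a rotation still decrypt.
func (k Keyring) Open(blob []byte) ([]byte, error) {
	if len(blob) < 16 {
		return nil, fmt.Errorf("block too short")
	}
	g, err := k.aead(binary.BigEndian.Uint32(blob))
	if err != nil {
		return nil, err
	}
	return g.Open(nil, blob[4:16], blob[16:], blob[:4])
}

func main() {
	k := Keyring{1: []byte("constructed-demo-key-0000000001!")} // demo key, not a real secret
	old, _ := k.Seal(1, []byte("written before rotation"))
	k[2] = []byte("constructed-demo-key-0000000002!") // rotation: new writes use key 2
	p, err := k.Open(old)
	fmt.Println(string(p), err)
}
```

When rotation follows a key compromise, blocks sealed under the old ID also have to be re-encrypted under the new key before the old entry is removed from the keyring.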