Encryption of data at rest on a mobile device Application
Good morning folks,
I hope that the techy guys are around to help me a bit with this, as I am struggling myself to see the picture. I am trying to understand how a mobile application that is installed on, say, a smartphone encrypts data at rest. It is said that the app "X" encrypts the data on the device using a symmetric key. I know the PKI concepts and know what symmetric and asymmetric encryption are; however, I wondered: when we talk about encryption for data at rest, is it relevant to say symmetric key? I think not... these terms are commonly used for encryption in transit, right?
Second and more important: if, say, the app "X" indeed encrypts the data at rest on the phone itself, how should the encryption key be stored? I assume that the password used to log in to the application is not the key for the encryption at rest; rather, a service linked to the authentication mechanism looks for the encryption key on the storage of the phone once the user has logged in and pulls it out to decrypt the data. But how is this key stored and protected? Sorry if the above does not make sense. I am not an app developer and am wondering how this mechanism works.