Encryption of data-at-rest is recommended by Teradata, and can by achieved via server-side encryption (SSE) using Dell’s D@RE functionality.
SSE can be enabled to use D@RE at either the namespace level--such that all buckets within that namespace are encrypted by default--or it can be set at the bucket level if the namespace is not set to use SSE. When an S3 bucket is SSE enabled, the D@RE feature will ensure that all customer user data associated with objects written to it are encrypted.
Encryption using D@RE does incur some performance impacts, primarily on Reads, which can be up to 20% on 16MB object workloads.
Full details on D@RE functionality, capabilities, key management support, and best practices can be found in the Dell ECS Data at Rest Encryption (H18850.2) document, available on the Dell InfoHub. When configuring the functionality, Teradata recommends reviewing the Teradata on Dell ECS: Data Encryption at Rest Supplemental Guidance. This document is available for download from the attachment in the left sidebar.