Why is encryption at rest difficult? I presume it's all AES (hardware accelerated), with some key derived at system boot time?

Are y'all doing encryption in the D/C, or just on the WAN? If you're doing it on the WAN, any luck using MACSEC?