Techniques are disclosed for securing data-at-rest at an internet-of-things (IoT) site with an unreliable or intermittent connectivity to the key manager operating at a corporate data center. The IoT site deploys one or more IoT devices/endpoints that generate IoT data according to the requirements of the site. The IoT data generated by these devices is collected/aggregated by one or more gateway devices. The gateways encrypt their data-at-rest gathered from the IoT devices using cryptographic keys. In the absence of a reliable connection to a backend corporate key manager, the design employs LAN key managers deployed locally at the IoT site. The gateways obtain keys from the LAN key managers to encrypt the IoT data before storing it in their local storage. The LAN key managers may periodically download keys from the corporate key manager or generate their own keys and then later synchronize with the corporate key manager.