diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md index c4da4ca74e275..56ef03da04ac3 100644 --- a/tidb-cloud/security-concepts.md +++ b/tidb-cloud/security-concepts.md @@ -221,6 +221,18 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin - For TiDB Cloud Dedicated clusters without CMEK, TiDB Cloud uses escrow keys; {{{ .starter }}} and {{{ .essential }}} clusters rely exclusively on escrow keys. +**Dual-layer encryption** + +- Dual-layer encryption protects data with two or more independent layers of encryption. This method provides enhanced security by protecting against the compromise of any single encryption layer. + +- The cloud provider where your cluster is running encrypts all persisted data at rest using its native tools. + +- With dual-layer encryption enabled, TiDB Cloud adds a second layer of security by automatically encrypting data at rest using either CMEK or escrow keys. + +- Dual-layer encryption is disabled by default for {{{ .starter }}} clusters and enabled by default for {{{ .essential }}} clusters. + +- Dual-layer encryption is mandatory for TiDB Cloud Dedicated clusters. + **Best practices:** - Regularly rotate CMEK keys to enhance security and meet compliance standards. @@ -255,4 +267,4 @@ Records detailed database operations, including executed SQL statements and user - Use logs for compliance reporting and forensic analysis. -For more information, see [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) and [Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md). \ No newline at end of file +For more information, see [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) and [Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md).
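Review bot: in the first hunk, the opening bullet of the new **Dual-layer encryption** block says "two or more independent layers of encryption", but the bullets that follow describe exactly two (the cloud provider's native encryption at rest, then TiDB Cloud's CMEK or escrow-key layer), so say "two" and state what makes the layers independent, since the claim about "protecting against the compromise of any single encryption layer" only holds if the second layer's keys are managed separately from the provider's native encryption keys. The bullet "Dual-layer encryption is disabled by default for {{{ .starter }}} clusters" should also say where a user enables it, or link the page that does. Minor style point: the new bullets are separated by blank lines, whereas the existing list just above them ("- For TiDB Cloud Dedicated clusters without CMEK, ...") is tight; match the surrounding list style.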
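Review bot: the second hunk only adds the missing newline at the end of the file (the "\ No newline at end of file" marker disappears and the link line itself is unchanged); no content change, fine to merge together with the dual-layer encryption text.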