Encryption at rest vs in transit

Topic: Security basics

Summary

Data in transit is encrypted between client and server (e.g. TLS); data at rest is encrypted on disk or in storage. Both are needed for full protection. Use this when designing or auditing where encryption is required.

Intent: Decision

Quick answer

  • In transit: protect data between client and server with TLS (HTTPS, SSH). Always use TLS for login, APIs, and any sensitive data over the network; avoid plain HTTP for anything sensitive.
  • At rest: protect data on disk (database, files, backups). Use full-disk encryption or application-level encryption; ensure keys are managed securely and not stored with the data.
  • Both matter: a stolen disk has unencrypted data if only transit is protected; a man-in-the-middle can read data if only at-rest is protected. Apply both for sensitive systems.

Steps

  1. Encrypt in transit

    Use TLS for all HTTP, API, and database connections. Enforce HTTPS; disable legacy protocols. Verify certificates and do not accept self-signed certificates in production unless you run a private CA and pin to it.

  2. Encrypt at rest

    Enable encryption for databases, object storage, and backups. Use provider-managed encryption (e.g. S3 SSE, RDS encryption) or application-level encryption with keys in a vault.

  3. Manage keys

    Encryption keys must not live next to the data. Use a KMS or vault; rotate keys per policy; control access to keys with IAM or ACLs so compromise of the app does not expose keys.

  4. Audit coverage

    List all stores of sensitive data (DB, files, backups, logs); confirm each has transit encryption when accessed and at-rest encryption where stored. Fill gaps before handling real data.
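As an added example (not code from this page), steps 2 and 3 in Go: application-level encryption at rest where the record written to disk carries only a key ID, a nonce and ciphertext. The in-memory KeyStore is a hypothetical stand-in for a KMS/vault; a record cannot be opened without it, and the key ID is bound as associated data so a record cannot be silently re-pointed at another key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what lands on disk: ciphertext plus the ID of the key that sealed it, never the key.
type Record struct{ KeyID, Nonce, Ciphertext []byte }

// KeyStore stands in for a KMS/vault (hypothetical stand-in, not a real vault API): it maps
// a key ID to an AES-256-GCM instance and never hands raw key bytes back to the caller.
type KeyStore map[string]cipher.AEAD

// Add registers a 32-byte AES key under id.
func (ks KeyStore) Add(id string, key []byte) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	ks[id], err = cipher.NewGCM(block)
	return err
}

// Encrypt seals plaintext under keyID with a fresh random nonce; the key ID is bound as
// associated data so a record re-pointed at another key fails authentication on Open.
func Encrypt(ks KeyStore, keyID string, plaintext []byte) (Record, error) {
	g, ok := ks[keyID]
	if !ok {
		return Record{}, fmt.Errorf("key %q unavailable in vault", keyID)
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{[]byte(keyID), nonce, g.Seal(nil, nonce, plaintext, []byte(keyID))}, nil
}

// Decrypt opens a record; it fails if the vault withholds the key or the record was altered.
func Decrypt(ks KeyStore, r Record) ([]byte, error) {
	g, ok := ks[string(r.KeyID)]
	if !ok {
		return nil, fmt.Errorf("key %q unavailable: vault denied access or key rotated out", r.KeyID)
	}
	return g.Open(nil, r.Nonce, r.Ciphertext, r.KeyID)
}
```

Calling Decrypt with an empty KeyStore models the stolen-disk case from the Quick answer: the attacker holds the record but gets an error, not plaintext.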

Summary

Encrypt in transit with TLS and at rest on disk and in storage. Manage keys in a KMS or vault; audit all data stores for both types of encryption. Use this when designing or reviewing security for data.

Prerequisites

None.

Steps

Step 1: Encrypt in transit

Use TLS for HTTP, APIs, and DB connections. Enforce HTTPS and disable weak protocols; verify certificates.

Step 2: Encrypt at rest

Enable encryption for databases, object storage, and backups. Use provider-managed or application-level encryption with keys in a vault.

Step 3: Manage keys

Keep keys in a KMS or vault, not with the data. Rotate keys; restrict access to keys via IAM or ACLs.

Step 4: Audit coverage

List every place sensitive data is stored or transmitted; ensure transit and at-rest encryption are in place.

Verification

Sensitive data is protected in transit (TLS) and at rest (encrypted storage); keys are managed separately and access is controlled.

Troubleshooting

  • No TLS on internal traffic — Add TLS or a private network with strict controls; treat internal as hostile if the network is shared.
  • Keys in config — Move to a vault or KMS and rotate the keys.

Next steps

Continue to