System Design

Encryption in Transit and at Rest

Protecting data both as it moves over the network and as it sits in storage.

Two states, two protections

Data is vulnerable in two states. In transit it travels across networks where it can be intercepted. At rest it sits in disks and backups where it can be stolen. Each state needs its own encryption.

In transit

  • TLS encrypts connections so eavesdroppers see only ciphertext.
  • Encrypt internal traffic too, not just the public edge, since internal networks can be compromised.

At rest

  • Disk and volume encryption protects against stolen hardware.
  • Application-level encryption protects sensitive fields even from database administrators, who otherwise see every column in the clear.
  • The protection is only as strong as the key management behind it; encrypted data with leaked keys is plaintext.
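How the application-level layer and its dependence on key management fit together, as an added Go example that is not part of this lesson: each sensitive column value is sealed with AES-256-GCM under a key selected by ID from a small keyring, with the row ID and column name bound in as associated data. The `Keyring` type, its methods and the in-memory keys are this example's own constructions; a real service would hold the keys in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// Keyring maps a key ID to a 256-bit key; real deployments fetch keys from a KMS or HSM.
type Keyring map[string][]byte

func (kr Keyring) aead(keyID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kr[keyID]) // unknown ID gives a nil key, which NewCipher rejects
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one column value as "<keyID>:" + base64(nonce||ciphertext||tag). Row ID and
// column name are authenticated as associated data, so a blob a DBA copies into another row fails to open.
func (kr Keyring) EncryptField(keyID, rowID, column, plaintext string) (string, error) {
	g, err := kr.aead(keyID)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := g.Seal(nonce, nonce, []byte(plaintext), []byte(rowID+"|"+column))
	return keyID + ":" + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField selects the key by the ID in the blob, so rows sealed under an older key still open after rotation.
func (kr Keyring) DecryptField(rowID, column, stored string) (string, error) {
	keyID, b64, _ := strings.Cut(stored, ":")
	g, err := kr.aead(keyID)
	if err != nil {
		return "", err
	}
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(blob) < g.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(rowID+"|"+column))
	if err != nil {
		return "", err // wrong key, blob moved between rows or columns, or tampered data
	}
	return string(pt), nil
}
```

Removing a key ID from the ring is the point the lesson makes about key management: the stored ciphertext stays on disk and in backups, but it is only plaintext to whoever holds that key.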

Why both are required

Encrypting only in transit leaves stored data exposed; encrypting only at rest leaves the wire exposed. Compliance and real safety require covering both states end to end.

Key idea

Protect data in both states, encrypting it in transit with TLS and at rest on disk, backed by strong key management.

Check yourself

1. Why encrypt internal service traffic and not just the public edge?

2. What undermines encryption at rest entirely?