Encryption At Rest Vs In Transit

Two distinct protections that defend stored data and data moving over the network.

5 min read · advanced

Two Different Threats

Data faces danger in two states, and each needs its own protection. Confusing the two leaves a gap an attacker will find.

Encryption In Transit

This protects data while it moves across a network, typically with TLS.

  • It defends against eavesdropping and tampering on the wire.
  • It stops attackers on shared networks or between hops from reading traffic.
  • It does not protect data once it lands on disk.

Encryption At Rest

This protects data while it is stored, on disks, backups, and snapshots.

  • It defends against theft of a disk, backup tape, or storage volume.
  • It is often implemented with disk or database encryption tied to a key service.
  • It does not protect data while it travels, or while it is in use, decrypted in memory.

Use Both

  • A stolen backup is useless if encrypted at rest.
  • A sniffed connection is useless if encrypted in transit.
  • Together they cover the moving and stored states, but plan for data in use separately.
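As an added example (not part of this lesson) of the at-rest half from the two sections above: envelope encryption in Go, where each record gets a fresh data key, that data key is sealed under a key service's KEK, and only two opaque blobs ever reach disk, backup or snapshot. A copy of the blobs without the KEK, a tampered blob, or a truncated one all fail to open; what DecryptAtRest returns is data in use, which this protection no longer covers. The KEK is a constructed 32-byte stand-in for a real key service, and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a key that is not 16, 24 or 32 bytes gets here
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal is AES-GCM with a fresh random nonce prepended, so the blob is self-contained.
func seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand (Go 1.24+) returns random bytes or aborts the program
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a tampered blob fails the GCM tag check.
func open(key, blob []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("truncated blob")
}

// EncryptAtRest is envelope encryption: a fresh data key seals the payload, the KEK wraps that key.
func EncryptAtRest(kek, payload []byte) (wrappedKey, ciphertext []byte) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	return seal(kek, dataKey), seal(dataKey, payload)
}

// DecryptAtRest unwraps the data key, then the payload; the result is data in use, in memory.
func DecryptAtRest(kek, wrappedKey, ciphertext []byte) ([]byte, error) {
	dataKey, err := open(kek, wrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, ciphertext)
}
```

In a real deployment the KEK never leaves the key service; the service wraps and unwraps the data key on request, so rotating the KEK re-wraps keys without re-encrypting every record.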

Key idea

Encryption in transit guards data moving over the network, encryption at rest guards stored data, and a complete defense needs both because each covers a gap the other leaves open.

Check yourself

1. What does encryption in transit protect against?

2. What threat does encryption at rest address?

3. Why use both protections together?