Encryption in Transit and at Rest Explained

Encryption is the process of converting data into a format that cannot be read without the correct decryption key. Two forms are essential for data security: encryption in transit and encryption at rest.

Encryption in Transit

Data in transit is data moving between systems — between a user's browser and your server, between your servers and a database, or between your API and a third-party service. Without encryption in transit, this data can be intercepted by anyone on the network path (a "man-in-the-middle" attack).

How we implement it: All web traffic is served over HTTPS using TLS (Transport Layer Security) 1.2 or 1.3. We use valid certificates (from Let's Encrypt or a commercial CA), enforce HTTPS everywhere with HTTP Strict Transport Security (HSTS), and configure servers to disable older, insecure TLS versions (1.0, 1.1).

Encryption at Rest

Data at rest is data stored in databases, file systems, backups, or any storage medium. Without encryption at rest, a physical or logical breach of your storage gives attackers direct access to all your data.

How we implement it: Database encryption at rest is typically handled at the infrastructure level (AWS RDS encryption, Azure Transparent Data Encryption). Application-level encryption is added for particularly sensitive fields (e.g. social security numbers, payment card data), so that even database administrators cannot see the plaintext.
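As an added example of the application-level field encryption described above (written for this article, not taken from any product), the following Go program seals one column value with AES-256-GCM from the standard library. The 32-byte key is assumed to come from a KMS or secret store rather than the database; the record identifier, column value and key shown are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewFieldCipher builds the AES-256-GCM AEAD shared by every protected column.
func NewFieldCipher(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one value; recordID is bound in as associated data, so a
// ciphertext copied into another row will not decrypt. Layout: nonce||ct||tag.
func EncryptField(gcm cipher.AEAD, recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per value
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptField reverses EncryptField; a changed byte or wrong recordID fails.
func DecryptField(gcm cipher.AEAD, recordID string, stored []byte) ([]byte, error) {
	if len(stored) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored value too short")
	}
	return gcm.Open(nil, stored[:gcm.NonceSize()], stored[gcm.NonceSize():], []byte(recordID))
}

func main() {
	key := make([]byte, 32) // constructed demo key; real deployments load it from a KMS
	rand.Read(key)
	gcm, _ := NewFieldCipher(key)
	ct, _ := EncryptField(gcm, "customer:42", []byte("123-45-6789"))
	pt, err := DecryptField(gcm, "customer:42", ct)
	fmt.Printf("%x -> %q (err=%v)\n", ct, pt, err)
	_, err = DecryptField(gcm, "customer:43", ct) // same bytes, other row: err != nil
	fmt.Println("cross-row:", err)
}
```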

What Encryption Does Not Protect Against

Encryption protects data in transit and at rest — not data in use. A compromised application, or a database user with valid credentials, can still read the data once it has been decrypted for processing. Encryption is one layer in a defence-in-depth strategy.