Why Two Types?
Data exists in two states:
- At rest: Stored on disk (databases, files, backups)
- In transit: Moving across networks
Each state has different threats and requires different protection.
Data Lifecycle with Encryption:
[User Device]
│
▼ 🔐 TLS (In Transit)
[Load Balancer]
│
▼ 🔐 TLS (In Transit)
[Application Server]
│
▼ 🔐 TLS (In Transit)
[Database Server]
│
▼ 🔒 AES-256 (At Rest)
[Storage / Disk]
Encryption at Rest
What It Protects Against
- Physical theft of storage devices
- Unauthorized access to stored data
- Data breaches from compromised storage
- Insider threats with storage access
- Improper decommissioning of hardware
How It Works
Without Encryption:            With Encryption:
┌──────────────────┐           ┌──────────────────┐
│ Credit Card:     │           │ aX7$kL9@mN2#     │
│ 4532-1234-5678   │           │ encrypted data   │
│                  │           │ unreadable       │
│ SSN: 123-45-6789 │           │ without key      │
└──────────────────┘           └──────────────────┘
Readable!                      Protected!
Common Methods
Symmetric Encryption (AES-256)
- Same key for encryption and decryption
- Fast, efficient for large data
- AES-256 is the industry standard
- Key management is the hard part
Encryption: Plaintext + Key → Ciphertext
Decryption: Ciphertext + Key → Plaintext
Same key for both operations!
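As an added example (not code from the original notes), the AES-256 flow above in Go: keys live in a Keyring that stands in for Key Vault / KMS and are referenced by key ID, so a rotated key can seal new records while older records still decrypt, and GCM's authentication tag rejects both a wrong key and any tampering with the stored bytes. The Keyring, Record layout and key IDs are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Keyring stands in for a key service (Key Vault / KMS): keys live here, never
// beside the ciphertext, and are looked up by ID so a rotated key can encrypt
// new records while older records still decrypt under the key they were written with.
type Keyring map[string][]byte

// Record is what reaches storage: the key ID plus nonce || ciphertext || GCM tag.
type Record struct {
	KeyID      string
	Ciphertext []byte
}

// aead returns an AES-256-GCM instance for the named key.
func (k Keyring) aead(keyID string) (cipher.AEAD, error) {
	key, ok := k[keyID]
	if !ok || len(key) != 32 { return nil, errors.New("unknown key id, or key is not 32 bytes (AES-256)") }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under keyID with a fresh random 12-byte nonce.
func (k Keyring) Encrypt(keyID string, plaintext []byte) (Record, error) {
	gcm, err := k.aead(keyID)
	if err != nil { return Record{}, err }
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under the same key
	if _, err := rand.Read(nonce); err != nil { return Record{}, err }
	return Record{KeyID: keyID, Ciphertext: gcm.Seal(nonce, nonce, plaintext, nil)}, nil
}

// Decrypt recovers the plaintext; the GCM tag check rejects a wrong key and
// any modification of the stored bytes.
func (k Keyring) Decrypt(r Record) ([]byte, error) {
	gcm, err := k.aead(r.KeyID)
	if err != nil { return nil, err }
	ns := gcm.NonceSize()
	if len(r.Ciphertext) < ns { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, r.Ciphertext[:ns], r.Ciphertext[ns:], nil)
}
```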
Transparent Data Encryption (TDE)
- Database-level encryption
- Automatic, no application changes
- Data encrypted on disk, decrypted in memory
- Used by: SQL Server, Azure SQL, Oracle, PostgreSQL
Full Disk Encryption
- Entire disk is encrypted
- BitLocker (Windows), LUKS (Linux)
- Protects against physical theft
Cloud Provider Options
Azure Encryption at Rest:
| Service | Encryption Method | Key Management |
|---------|------------------|----------------|
| Storage (Blobs, Files) | SSE with AES-256 | Microsoft-managed or customer-managed |
| Managed Disks | SSE or Azure Disk Encryption | Microsoft-managed or customer-managed |
| Azure SQL | TDE | Microsoft-managed or customer-managed (BYOK) |
| Cosmos DB | Automatic AES-256 | Microsoft-managed |
AWS Encryption at Rest:
| Service | Encryption Method | Key Management |
|---------|------------------|----------------|
| S3 | SSE-S3, SSE-KMS, SSE-C | AWS-managed or customer-managed |
| EBS | AES-256 | AWS-managed or customer-managed |
| RDS | TDE or volume encryption | KMS keys |
| DynamoDB | AES-256 | AWS-managed or customer-managed |
Encryption in Transit
What It Protects Against
- Man-in-the-middle attacks
- Eavesdropping on network traffic
- Data tampering during transmission
- Session hijacking
- Credential theft
How TLS Works
TLS Handshake (Simplified):
Client Server
│ │
│──── Client Hello ─────────────►│
│ (supported ciphers) │
│ │
│◄─── Server Hello ──────────────│
│ (chosen cipher + cert) │
│ │
│ [Client validates cert] │
│ │
│──── Key Exchange ─────────────►│
│ (encrypted with pub key) │
│ │
│◄─── Finished ──────────────────│
│ │
│◄══► Encrypted Data ═══════════►│
(symmetric encryption)
Common Methods
TLS/SSL (HTTPS)
- Asymmetric encryption for key exchange
- Symmetric encryption for data transfer
- Certificate-based authentication
- TLS 1.3 is the current standard (TLS 1.2 is acceptable)
- SSL is deprecated (don't use!)
TLS Versions:
| Version | Status | Notes |
|---------|--------|-------|
| SSL 2.0/3.0 | ❌ Deprecated | Vulnerable, don't use |
| TLS 1.0/1.1 | ⚠️ Deprecated | Being phased out |
| TLS 1.2 | ✅ Acceptable | Widely supported |
| TLS 1.3 | ✅ Recommended | Fastest, most secure |
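An added example (not from the original notes) that runs the handshake sketched above with Go's crypto/tls between an in-memory client and server, and enforces the version policy from the table: the server's MinVersion is the floor, so a client offering only TLS 1.0/1.1 is rejected while a modern client negotiates TLS 1.3. The self-signed localhost certificate and the Handshake helper are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSignedCert: a throwaway "localhost" certificate, constructed for this example so it runs offline.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return tls.Certificate{}, nil, err }
	leaf, _ := x509.ParseCertificate(der) // cannot fail: we just produced it
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// Handshake runs a real client/server TLS handshake over an in-memory pipe and returns the
// negotiated version. serverMin is the floor the server enforces; clientMin..clientMax is what the client offers.
func Handshake(serverMin, clientMin, clientMax uint16) (uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil { return 0, err }
	// Tickets off: the server's flight then ends at Finished, avoiding a blocking post-handshake write on the synchronous pipe.
	srvConf := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: serverMin, SessionTicketsDisabled: true}
	cliConf := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: clientMin, MaxVersion: clientMax}
	c1, c2 := net.Pipe()
	srv, cli := tls.Server(c1, srvConf), tls.Client(c2, cliConf)
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		c2.Close() // unblocks the server goroutine, which then returns its own error
		return 0, err
	}
	if err := <-errc; err != nil { return 0, err }
	return cli.ConnectionState().Version, nil
}
```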
VPN Encryption
- IPsec or OpenVPN protocols
- Site-to-site or point-to-site
- Encrypts all traffic in tunnel
- Used for hybrid connectivity
mTLS (Mutual TLS)
- Both client and server present certificates
- Used in microservices (service mesh)
- Zero-trust approach to service communication
Cloud Provider Options
Azure Encryption in Transit:
| Scenario | Solution |
|----------|----------|
| Public web traffic | HTTPS enforcement (App Service, CDN) |
| Azure services | TLS 1.2+ by default |
| Hybrid connectivity | VPN Gateway (IPsec) |
| Private connectivity | ExpressRoute with MACsec |
| Internal services | Service Endpoints, Private Link |
AWS Encryption in Transit:
| Scenario | Solution |
|----------|----------|
| Public web traffic | HTTPS, ACM certificates |
| AWS services | TLS by default |
| Hybrid connectivity | Site-to-site VPN |
| Private connectivity | Direct Connect |
| Internal services | VPC Endpoints, PrivateLink |
Comparison Summary
| Aspect | At Rest | In Transit |
|--------|---------|------------|
| Threat | Storage breach, theft | Network interception |
| Common method | AES-256 | TLS 1.3 |
| Performance impact | Low | Low-Medium |
| Key location | Storage system | Both endpoints |
| Typical implementation | Automatic | Configure endpoints |
| Compliance focus | Data storage requirements | Data transmission requirements |
End-to-End Encryption
Combines both types throughout data lifecycle:
┌────────────┐ TLS ┌──────────────┐ TLS ┌──────────────┐
│ Client │──────────────│ Load Balancer│────────────│ App Server │
│ 🔐 Local │ In Transit │ │ In Transit │ │
│ Storage │ │ │ │ │
└────────────┘ └──────────────┘ └──────────────┘
│
TLS │ In Transit
▼
┌──────────────┐
│ Database │
│ 🔒 TDE │
│ At Rest │
└──────────────┘
│
▼
┌──────────────┐
│ Backups │
│ 🔒 AES-256 │
│ At Rest │
└──────────────┘
Data is protected:
- On user device (at rest)
- Client to load balancer (in transit)
- Load balancer to app (in transit)
- App to database (in transit)
- In database storage (at rest)
- In backup storage (at rest)
Key Management
Encryption is only as secure as its key management!
Azure Key Vault
- Centralized key management
- Hardware security modules (HSM) option
- Automatic key rotation
- Access policies and RBAC
- Audit logging
AWS KMS (Key Management Service)
- Managed key service
- Integration with all AWS services
- Customer-managed keys (CMK)
- Automatic rotation
- CloudTrail audit logging
Key Management Best Practices
| Do | Don't |
|----|-------|
| ✅ Store keys in dedicated service | ❌ Store keys with encrypted data |
| ✅ Rotate keys regularly | ❌ Use same key forever |
| ✅ Use separate keys per environment | ❌ Share keys across dev/prod |
| ✅ Implement key access auditing | ❌ Allow broad key access |
| ✅ Have key recovery procedures | ❌ Lose your only key copy |
Best Practices
- Encrypt everything by default - Don't ask "should we encrypt?" Ask "why wouldn't we?"
- Use TLS 1.3 - Disable older versions when possible
- Manage keys properly - Never store keys with data
- Rotate keys regularly - Limit exposure window if compromised
- Use managed services - Let cloud providers handle complexity
- Enforce HTTPS - Redirect HTTP to HTTPS
- Use certificate automation - Let's Encrypt, ACM, managed certs
- Monitor for misconfigurations - Unencrypted buckets, HTTP endpoints
Compliance Requirements
Many regulations require encryption:
| Regulation | At Rest | In Transit |
|------------|---------|------------|
| PCI DSS | Required | Required (TLS 1.2+) |
| HIPAA | Required | Required |
| GDPR | Recommended | Recommended |
| SOC 2 | Required | Required |
| FedRAMP | Required (FIPS 140-2) | Required |
Exam Tips
Exam focus: Know which encryption type protects against which threat
Common questions:
- What protects against man-in-the-middle attacks? → TLS (in transit)
- What protects against physical theft? → Encryption at rest
- Which TLS version should be used? → TLS 1.2 minimum, 1.3 preferred
- Where should encryption keys be stored? → Key Vault / KMS
Key concepts:
- At rest = storage protection
- In transit = network protection
- TDE = database-level transparency
- SSE = storage service encryption
Key Takeaway
Encryption at rest and in transit are both essential. They protect against different threats and should both be implemented. Cloud certifications test your understanding of when and why to use each type. In practice, enable both by default and use managed key services.
