Hard2bit

Encryption

What is encryption

Encryption is a mathematical process that transforms readable data (plaintext) into an unintelligible form (ciphertext) using an algorithm and a cryptographic key. Only someone holding the correct key can decrypt the ciphertext back to plaintext. Encryption protects data in transit (crossing networks) and at rest (sitting on storage devices). It is the basic confidentiality control that GDPR, HIPAA and similar regulations expect to see.

Why it matters

Encryption is your last line of defense. If an attacker breaches your network or storage, encrypted data is worthless to them without the key; unencrypted data is compromised the moment it is copied. Regulators treat it accordingly: PCI-DSS mandates it for stored and transmitted cardholder data, HIPAA treats it as the expected safeguard for electronic health information, and GDPR and NIS2 name it explicitly as an appropriate security measure. Under GDPR, a breach of data that stays encrypted with the key uncompromised can even exempt you from notifying the affected individuals. It is also a strategic differentiator: customers trust companies that encrypt their data.

Key points

Encryption in transit protects data crossing networks (HTTPS, TLS, IPsec). Encryption at rest protects stored data (database encryption, full-disk encryption). Both are critical—omitting either leaves a gap.

Key management is harder than encryption itself. Generate keys from a cryptographically secure random source, store them separately from the data they protect (in a hardware security module or key management service, never hardcoded or on the same disk), rotate them periodically, and control and log who can use them.

Match key length to the algorithm and the threat model. For AES, a 128-bit key is not brute-forceable with any foreseeable classical computer; 256-bit is the common choice for sensitive data because it adds margin against future advances (including quantum search) and is what most compliance baselines expect. Key sizes are not comparable across algorithms: a 3072-bit RSA key or a 256-bit elliptic-curve key is roughly as strong as a 128-bit symmetric key. In practice, data is far more often exposed by a weak mode, a reused nonce or a leaked key than by a 128-bit key.

Encryption is not authentication. Encryption keeps data secret; digital signatures and TLS certificates prove who you are talking to, and an authenticated encryption mode (AES-GCM, ChaCha20-Poly1305) proves the ciphertext has not been modified. All three are needed. Without peer authentication, a man-in-the-middle can substitute their own key during the key exchange, decrypt the traffic and re-encrypt it towards the real recipient. Without an integrity check, an attacker who holds no key can flip bits in the ciphertext and the change lands in the plaintext undetected.
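The last point is easy to demonstrate. The following Go program is an added example written for this page, not code from Hard2bit: it encrypts a constructed payment instruction with AES-CTR (a plain stream mode) and with AES-GCM (an authenticated mode), then XORs one ciphertext byte the way a man-in-the-middle with no key would. The message text, the byte offset and the key are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// encryptCTR encrypts with AES-CTR (32-byte key: AES-256). CTR is a stream
// mode: confidentiality only, and flipping a ciphertext bit flips the same
// plaintext bit. Layout of the result: iv || ciphertext.
func encryptCTR(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// decryptCTR reverses encryptCTR. It cannot fail on tampered input: there is
// nothing in the ciphertext to check.
func decryptCTR(key, data []byte) ([]byte, error) {
	if len(data) < aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCTR(block, data[:aes.BlockSize]).XORKeyStream(plaintext, data[aes.BlockSize:])
	return plaintext, nil
}

// sealGCM encrypts with AES-GCM, an authenticated mode: the output carries a
// 16-byte tag over nonce and ciphertext. Layout: nonce || ciphertext || tag.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM and returns an error if a single bit of the
// nonce, ciphertext or tag has changed.
func openGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}

// tamper returns a copy of data with one byte XORed: all a man-in-the-middle
// who holds no key can do to ciphertext in transit.
func tamper(data []byte, offset int, mask byte) []byte {
	out := append([]byte(nil), data...)
	out[offset] ^= mask
	return out
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample message: the attacker knows its layout, not the key.
	msg := []byte("transfer $100 to account 1001")
	const amountPos = 10 // index of the '1' in "$100"

	ct, _ := encryptCTR(key, msg)
	forged, _ := decryptCTR(key, tamper(ct, aes.BlockSize+amountPos, '1'^'9'))
	fmt.Printf("CTR after tampering: %q (no error)\n", forged)

	sealed, _ := sealGCM(key, msg)
	_, err := openGCM(key, tamper(sealed, 12+amountPos, '1'^'9')) // 12 = GCM nonce size
	fmt.Printf("GCM after tampering: %v\n", err)
}
```

The CTR branch decrypts to "transfer $900 to account 1001" with no error; the GCM branch refuses to return any plaintext. This is why "use AES" is not enough: the mode must be an authenticated one, or the ciphertext must carry a separate MAC.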

Encryption in practice

A financial services firm encrypts all customer data at rest (AES-256) and in transit (TLS 1.3). An attacker breaches the data center and steals hard drives. The drives are useless: the data on them stays encrypted and unreadable as long as the keys, held in an HSM elsewhere and never stored alongside the data, are not compromised. The firm detects the breach and rotates its keys as a precaution (rotation limits future exposure; it does not change what is already on the stolen drives, which is why the keys must never have been on them). Because the stolen data remains unintelligible, the firm keeps customer trust, may be exempt from notifying affected individuals under GDPR, and faces far smaller regulatory exposure. Without encryption, the same breach would have exposed millions of customer records and cost millions in fines and remediation.

Common mistakes

  • Encrypting but losing the key—if keys are not backed up securely or are deleted, encrypted data becomes permanently inaccessible. Implement proper key backup and recovery procedures.
  • Using weak algorithms, modes or key lengths—DES is broken as a cipher and MD5 as a hash; use AES in an authenticated mode such as GCM for encryption and SHA-256 for hashing. Never roll your own cryptography; use vetted libraries and standard constructions.
  • Encrypting but not managing keys—if encryption keys are hardcoded, shared in emails, or stored insecurely, encryption provides no protection. Implement a Hardware Security Module (HSM) or Key Management Service (KMS).

Frequently asked questions

What's the difference between symmetric and asymmetric encryption?

Symmetric encryption (AES) uses one shared key for both encryption and decryption: fast, but every pair of parties must first share that key securely. Asymmetric encryption (RSA, elliptic-curve schemes) uses a public key to encrypt, or to agree on a shared secret, and a private key to decrypt: it solves key distribution but is orders of magnitude slower and can only handle short messages. In practice the two are combined, a pattern known as hybrid or envelope encryption. TLS 1.3 uses an asymmetric key agreement (ECDHE), authenticated by the signature in the server's certificate, to establish a fresh symmetric session key, then AES-GCM or ChaCha20-Poly1305 for the bulk data. Older TLS versions also let the client encrypt the session key directly with the server's RSA public key, which is the same idea without forward secrecy.
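The hybrid pattern in one program, as an added example written for this page (not code from Hard2bit or from any TLS implementation): the sender generates a random 256-bit data key for the message, encrypts the bulk data with AES-GCM, and wraps only the 32-byte data key with the recipient's RSA public key using RSA-OAEP. The same key hierarchy (a data key protected by a key-encryption key) is what a KMS or HSM applies under the "key management" point above. The 4 KiB payload and the RSA-2048 key pair are constructed here so the example runs offline; in a deployment the private key would live in the HSM or KMS, not be generated inline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what the sender transmits: the per-message AES key wrapped for
// the recipient's RSA public key, plus the AES-GCM nonce and ciphertext.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// newRecipientKey generates the recipient's long-term RSA-2048 key pair.
// Generated inline only so the example is self-contained.
func newRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptHybrid: a fresh random 256-bit data key per message, AES-GCM for
// the bulk data, and RSA-OAEP (SHA-256) to wrap only the 32-byte data key.
func encryptHybrid(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// decryptHybrid unwraps the data key with the private key, then opens the
// bulk ciphertext. A wrong private key fails at the unwrap step; a modified
// ciphertext fails at the GCM tag check.
func decryptHybrid(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// rsaOnly tries to encrypt msg directly with RSA-OAEP. With a 2048-bit key
// and SHA-256 the limit is 256 - 2*32 - 2 = 190 bytes: one reason the
// asymmetric primitive wraps keys instead of encrypting bulk data.
func rsaOnly(pub *rsa.PublicKey, msg []byte) error {
	_, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
	return err
}

func main() {
	priv, err := newRecipientKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload: 4 KiB, far beyond what RSA can encrypt directly.
	payload := make([]byte, 4096)
	for i := range payload {
		payload[i] = byte(i)
	}
	fmt.Println("RSA-OAEP on 4 KiB directly:", rsaOnly(&priv.PublicKey, payload))

	env, err := encryptHybrid(&priv.PublicKey, payload)
	if err != nil {
		panic(err)
	}
	back, err := decryptHybrid(priv, env)
	fmt.Printf("hybrid: %d-byte wrapped key, %d-byte ciphertext, roundtrip ok=%v\n",
		len(env.WrappedKey), len(env.Ciphertext), err == nil && string(back) == string(payload))
}
```

The direct RSA attempt fails with a "message too long" error while the envelope carries the whole payload at a fixed cost of one 256-byte wrapped key plus a 16-byte tag. TLS 1.3 replaces the RSA wrap with an ECDHE agreement so that the session key is never sent at all, but the split between a slow asymmetric step for the key and a fast symmetric cipher for the data is the same.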

Is encryption alone enough to protect sensitive data?

No. Encryption protects confidentiality (secret-keeping). Plain modes such as AES-CBC or AES-CTR give no integrity at all (an authenticated mode such as AES-GCM does), and no mode helps availability or stops someone who legitimately holds the key. You also need access controls (limit who can use the key and read the data), audit logging (detect unauthorized or unusual access), and secure key management. Encryption + least-privilege access + monitoring = strong data protection.

What about end-to-end encryption (E2E)?

E2E encryption means only the sender and recipient can read messages; even the service provider cannot. WhatsApp and Signal use E2E. For businesses, E2E protects communications from the company's own IT staff and provides strong privacy. Trade-off: E2E complicates compliance auditing and data recovery if encryption keys are lost.