The Two States of Data
Data exists in two primary states that each require different encryption approaches. Understanding this distinction is fundamental to protecting your information comprehensively.
Data at rest is information stored on a device or medium — files on your hard drive, records in a database, backups on a USB drive, documents in cloud storage, or archived emails on a server. This data is not actively being transmitted; it is sitting in one place waiting to be accessed.
Data in transit is information actively moving from one location to another — an email being sent, a file being uploaded to the cloud, a web page loading in your browser, or a message being delivered through a chat application. This data is traveling across networks where it can potentially be intercepted.
A third state, data in use, refers to information actively being processed in a computer's memory (RAM). Protecting data in use is an emerging challenge that we will address later in this article.
Each state presents different vulnerabilities, and a comprehensive security strategy must address all of them.
Encryption at Rest
Encryption at rest protects stored data by converting it into an unreadable format that can only be decrypted with the correct key. If a device is stolen, a server is breached, or a backup tape is lost, the encrypted data remains inaccessible to anyone without the decryption key.
Common Methods
Full-disk encryption (FDE) encrypts the entire contents of a storage drive. BitLocker (Windows), FileVault (macOS), and LUKS (Linux) are the most common implementations. When you power on the device and enter your password, the encryption key is derived and the drive becomes accessible; while the system is running, that key is held in memory and the operating system decrypts data transparently as it is read. When the device is powered off, the key is gone from memory and the data on the drive is fully encrypted.
File-level encryption encrypts individual files or folders rather than the entire disk. This allows different files to have different encryption keys and access controls. You can use our Text Encryption tool to encrypt sensitive text content before saving it to any storage medium.
Database encryption protects data stored in databases. Transparent Data Encryption (TDE) encrypts the entire database at the storage level. Column-level encryption selectively encrypts specific sensitive fields like social security numbers or credit card numbers, allowing other fields to remain accessible for queries.
Backup encryption ensures that backup copies of data are as protected as the originals. An unencrypted backup of an encrypted database defeats the purpose of database encryption.
The Dominant Algorithm: AES
The Advanced Encryption Standard (AES) is the de facto standard for encryption at rest. AES operates on fixed-size blocks of data (128 bits) using keys of 128, 192, or 256 bits. AES-256 is the most common choice for sensitive data because it provides an enormous key space that is computationally infeasible to brute-force with current or foreseeable technology.
AES is a symmetric encryption algorithm, meaning the same key is used for both encryption and decryption. Key management — securely generating, storing, and controlling access to encryption keys — is often more challenging than the encryption itself.
Encryption in Transit
Encryption in transit protects data as it moves between systems, preventing eavesdropping, interception, and tampering during transmission.
TLS (Transport Layer Security)
TLS is the primary protocol for encrypting data in transit on the internet. When you see the padlock icon in your browser's address bar, TLS is encrypting the connection between your browser and the web server.
TLS uses a combination of asymmetric encryption (to establish the connection and exchange keys) and symmetric encryption (to encrypt the actual data transfer). The TLS handshake negotiates the encryption algorithms, verifies the server's identity through certificates, and establishes a shared session key — all before any application data is transmitted.
TLS 1.3, the current version, streamlined the handshake process and removed support for outdated cryptographic algorithms, improving both security and performance.
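The handshake described above can be watched end to end in code. The following Go program is an added example, not code from the original article: it generates a self-signed certificate for the constructed name example.test, serves TLS 1.3 on a loopback port, and connects a client that trusts only that certificate. The client performs the handshake first (version and cipher suite negotiation, certificate verification against its trust store, session key derivation) and only then sends application data, which the server echoes back over the encrypted channel. A second run gives the client an empty trust store, and the handshake refuses to proceed because the server's identity cannot be verified. The names SelfSignedCert and RunHandshake and the request string are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SelfSignedCert builds a throwaway ECDSA P-256 certificate for the constructed
// name "example.test" and a pool that trusts only it. Demo setup: a real server's
// certificate is issued by a CA the client already trusts. Panics only if the CSPRNG fails.
func SelfSignedCert() (tls.Certificate, *x509.CertPool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"}, // what the client's ServerName is matched against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced a line above, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, pool
}

// RunHandshake serves TLS 1.3 on a loopback port, connects a client that trusts
// only the certificates in trusted, sends one request after the handshake and
// returns the negotiated connection state plus the server's echo of the request.
func RunHandshake(serverCert tls.Certificate, trusted *x509.CertPool) (tls.ConnectionState, string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS13})
			buf := make([]byte, 256)
			var n int
			if n, err = srv.Read(buf); err == nil { // the server side of the handshake runs inside Read
				_, err = srv.Write(buf[:n]) // echo the request back under the negotiated session keys
			}
		}
		srvErr <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	defer raw.Close()
	cli := tls.Client(raw, &tls.Config{
		ServerName: "example.test", // sent as SNI and checked against the certificate
		RootCAs:    trusted,
		MinVersion: tls.VersionTLS13,
	})
	// Handshake negotiates version and suite, verifies the certificate against RootCAs
	// and derives the session keys; it fails with "certificate signed by unknown authority"
	// when the server is not trusted, and no application data is ever sent in that case.
	if err := cli.Handshake(); err != nil {
		return tls.ConnectionState{}, "", err
	}
	buf := make([]byte, 256)
	var n int
	if _, err = cli.Write([]byte("GET /secret HTTP/1.1")); err == nil {
		n, err = cli.Read(buf)
	}
	if err == nil {
		err = <-srvErr
	}
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	return cli.ConnectionState(), string(buf[:n]), nil
}

func main() {
	cert, pool := SelfSignedCert()
	st, echo, err := RunHandshake(cert, pool)
	fmt.Printf("version=0x%04x suite=%s echo=%q err=%v\n", st.Version, tls.CipherSuiteName(st.CipherSuite), echo, err)
	_, _, err = RunHandshake(cert, x509.NewCertPool()) // empty trust store: verification must fail
	fmt.Println("empty trust store:", err)
}
```

Both TLS configs pin MinVersion to TLS 1.3, so a peer offering only older versions is rejected during negotiation rather than silently downgraded; the returned ConnectionState shows which version and cipher suite the session actually settled on.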
HTTPS
HTTPS is simply HTTP (the protocol for web communication) layered on top of TLS. It encrypts all data exchanged between your browser and the web server, including the URL path, form data, cookies, and response content. The domain name is visible (through the SNI extension during the TLS handshake), but the specific pages you visit and the data you submit are encrypted.
VPN Encryption
Virtual Private Networks encrypt all network traffic between your device and the VPN server, regardless of the application or protocol. This protects against eavesdropping on local networks, ISP surveillance, and man-in-the-middle attacks. Common VPN protocols include WireGuard, OpenVPN, and IKEv2, each using different encryption implementations.
End-to-End Encryption (E2EE)
End-to-end encryption extends transit encryption so that data is encrypted on the sender's device and can only be decrypted on the recipient's device. Unlike standard TLS, where the server can access the decrypted data, E2EE ensures that even the service provider cannot read the content.
Signal, WhatsApp, and ProtonMail implement E2EE for messages and emails. Our Text Encryption tool lets you apply your own end-to-end encryption to any text before sending it through any channel, giving you encryption that does not depend on the service provider.
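The AES-256 encryption at rest described earlier (including column-level encryption of a single database field) and the end-to-end encryption described here rest on the same building block, an authenticated cipher, so one Go example serves both. It is an added example, not code from the article nor from Signal, WhatsApp or ProtonMail. Seal and Open wrap AES-256-GCM with a random nonce and bind a context string as associated data, so a ciphertext cannot be moved to another database row or addressed to another recipient without failing authentication. SharedKey derives a message key from an X25519 key agreement between two parties; hashing the shared secret with SHA-256 is a simplification of the HKDF step real messengers use. The key names, the SSN-like sample value, the row context and the names alice and bob are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG. For data at rest
// this key belongs in a KMS or HSM, never on the same medium as the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and prepends the random 96-bit nonce.
// context is bound as associated data: it is not encrypted (both sides know it)
// but the tag covers it, so a ciphertext moved to another row or another
// recipient fails authentication instead of decrypting.
func Seal(key, plaintext, context []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, context), nil
}

// Open reverses Seal. GCM checks the tag before releasing anything, so a
// tampered ciphertext, a wrong key or a wrong context yields an error, not data.
func Open(key, blob, context []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], context)
}

// SharedKey derives an E2EE message key from an X25519 agreement: each party
// combines its own private key with the other's public key and obtains the same
// value, while a relay that only ever sees public keys cannot. Hashing the raw
// shared secret stands in for the HKDF step that real messengers use.
func SharedKey(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) ([]byte, error) {
	secret, err := mine.ECDH(theirs)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(secret)
	return sum[:], nil
}

func main() {
	// Data at rest: one column value bound to its table, column and row (constructed sample).
	kmsKey, _ := NewKey()
	ctx := []byte("customers.ssn.row42")
	stored, _ := Seal(kmsKey, []byte("123-45-6789"), ctx)
	back, _ := Open(kmsKey, stored, ctx)
	fmt.Printf("on disk: %x\nrecovered: %s\n", stored, back)

	// E2EE: alice and bob agree a key; the provider relaying msg sees only ciphertext.
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	kA, _ := SharedKey(alice, bob.PublicKey())
	kB, _ := SharedKey(bob, alice.PublicKey())
	msg, _ := Seal(kA, []byte("meet at 10"), []byte("alice->bob"))
	plain, _ := Open(kB, msg, []byte("alice->bob"))
	fmt.Printf("relay sees: %x\nbob reads: %s\n", msg, plain)
}
```

The same Seal and Open are used in both halves; what changes is where the key lives. For the database column the key sits in a key management system and the ciphertext is what reaches disk and backups, so a copied backup is opaque. For the message the key exists only on the two endpoints, so the relaying service holds ciphertext it cannot open, which is exactly the property that distinguishes E2EE from plain TLS to the provider.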
The Gap: Data in Use
Encryption at rest protects stored data. Encryption in transit protects moving data. But when data is being actively processed — loaded into memory, computed upon, displayed on screen — it is typically decrypted and vulnerable.
An attacker who compromises a running server can access data in memory even if the disk is encrypted and all network connections use TLS. Cold boot attacks can extract encryption keys from RAM. Malware running on a system can read decrypted data as applications process it.
Confidential computing is an emerging technology that addresses this gap. Intel SGX, AMD SEV, and ARM TrustZone create hardware-protected enclaves where data can be processed while remaining encrypted, even from the operating system and hypervisor. This technology is still maturing but represents the third piece of the comprehensive encryption puzzle.
Building a Complete Encryption Strategy
A thorough data protection strategy addresses all states.
At rest: Enable full-disk encryption on all devices. Encrypt sensitive databases and backup media. Use our Text Encryption tool for individual sensitive files and text.
In transit: Ensure all web connections use HTTPS. Use a VPN on untrusted networks. Choose services that implement end-to-end encryption for sensitive communications.
In use: Keep systems patched and protected with endpoint security. Monitor for unauthorized access. Evaluate confidential computing solutions for highly sensitive workloads.
Key management: Protect your encryption keys as carefully as the data they protect. Use strong, unique passwords for disk encryption. Store backup encryption keys in a separate secure location from the backups themselves.
Encryption at rest and encryption in transit are complementary protections, not alternatives. Data that is encrypted on disk but sent over an unencrypted connection is vulnerable during transmission. Data that travels through an encrypted tunnel but is stored unencrypted is vulnerable at rest. Only by encrypting data in both states do you achieve meaningful protection against the full range of threats your information faces.
Raimundo Coelho
Cybersecurity specialist and technology professor with over 20 years of experience in IT. Graduated from Universidade Estácio de Sá. Writing practical guides to help you protect your data and stay safe in the digital world.