Data Encryption at Rest & in Transit
Implement encryption across your stack. Covers TLS configuration, at-rest encryption, key management, envelope encryption, database encryption, and certificate management.
Encryption protects data from unauthorized access even when other controls fail. If an attacker gains access to your database files, encryption at rest makes them unreadable. If an attacker intercepts network traffic, encryption in transit (TLS) makes it unintelligible. Encryption isn’t a nice-to-have — it’s a regulatory requirement for virtually every compliance framework.
Encryption Overview
| Type | What It Protects | How | Example |
|---|---|---|---|
| In transit | Data moving between systems | TLS 1.3 | HTTPS, database connections |
| At rest | Data stored on disk | AES-256 | Database files, S3 objects |
| In use | Data being processed | Confidential computing | Enclaves, secure memory |
| Application-level | Specific fields | Field-level encryption | Credit cards, SSN |
TLS Configuration
# Modern TLS config (nginx)
server {
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (force HTTPS for 1 year)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# Certificate
ssl_certificate /etc/ssl/certs/fullchain.pem;
ssl_certificate_key /etc/ssl/private/privkey.pem;
}Envelope Encryption
┌─────────────────────────────────────────────┐
│ Data Encryption Key (DEK) │
│ • Encrypts your actual data │
│ • Unique per record/file │
│ • Stored ENCRYPTED alongside data │
└──────────────────┬──────────────────────────┘
│ encrypted by
▼
┌─────────────────────────────────────────────┐
│ Key Encryption Key (KEK) │
│ • Encrypts the DEK │
│ • Stored in KMS (AWS KMS, GCP KMS, Vault) │
│ • Never leaves KMS in plaintext │
└─────────────────────────────────────────────┘
Advantage: Rotate KEK without re-encrypting all data.
Only re-encrypt the DEK headers.Database Encryption
| Approach | Coverage | Performance Impact | Key Management |
|---|---|---|---|
| Full disk encryption | Everything on disk | ~5% overhead | OS-level or cloud provider |
| Transparent Data Encryption (TDE) | Database files | ~5-10% overhead | Database manages keys |
| Column-level encryption | Specific sensitive columns | Per-query overhead | Application manages keys |
| Application-level encryption | Selected fields before storage | Application overhead | Application manages keys |
Anti-Patterns
| Anti-Pattern | Problem | Fix |
|---|---|---|
| TLS 1.0/1.1 | Known vulnerabilities | TLS 1.2 minimum, TLS 1.3 preferred |
| Self-signed certs in production | No trust verification | Let’s Encrypt or commercial CA |
| Encryption keys in code | Keys exposed in repo | KMS (AWS KMS, Vault, GCP KMS) |
| Same key for everything | One compromise exposes all data | Envelope encryption, key-per-resource |
| No key rotation | Compromised key used forever | Automate rotation every 90 days |
Checklist
- TLS 1.2+ on all external and internal connections
- HSTS enabled with long max-age
- Certificates: automated renewal (Let’s Encrypt / ACM)
- At-rest encryption: enabled on all databases and storage
- Envelope encryption for sensitive application data
- Key management: KMS, not in code/config files
- Key rotation: automated, every 90 days
- Database connections: SSL/TLS required, no plaintext
- Audit: log all key usage and access
:::note[Source] This guide is derived from operational intelligence at Garnet Grid Consulting. For security consulting, visit garnetgrid.com. :::
