Encryption at Rest, in Transit, in Use, and Key Management
Key Takeaways
- Encryption at rest protects stored data, while encryption in transit protects data moving across networks.
- Encryption in use protects data during processing through methods such as secure enclaves, trusted execution environments, or confidential computing.
- Symmetric encryption is fast for bulk data, while asymmetric encryption supports key exchange, signatures, and certificates.
- Key management is often more important than the algorithm choice in exam scenarios.
- Lost, exposed, reused, or poorly rotated keys can defeat otherwise strong encryption.
Encryption and Key Management
Encryption protects confidentiality by making data unreadable without the correct key. Security+ scenarios usually ask you to identify where encryption is needed and how keys should be protected.
Encryption by Data State
| Data state | Meaning | Example controls |
|---|---|---|
| At rest | Stored on disk, database, object storage, backup, or mobile device | Full disk encryption, database encryption, object storage encryption |
| In transit | Moving across a network | TLS, HTTPS, IPsec VPN, SSH, SFTP |
| In use | Being processed in memory or CPU | Trusted execution environment, secure enclave, confidential computing |
At rest, think stolen laptop, lost drive, exposed storage bucket, or backup media. In transit, think interception, downgrade, or man-in-the-middle attacks. In use, think protecting sensitive workloads while data is actively processed.
Crypto Building Blocks
| Control | Main purpose | Exam clue |
|---|---|---|
| Symmetric encryption | Fast bulk confidentiality | Same key encrypts and decrypts |
| Asymmetric encryption | Key exchange, signatures, identity binding | Public/private key pair |
| Hashing | Integrity check, one-way digest | Same input gives same digest |
| Salt | Defends against precomputed password hash attacks | Unique random value per password |
| Digital signature | Integrity, authenticity, non-repudiation | Sender signs with private key |
| Certificate | Binds a public key to an identity | Issued by a certificate authority |
Key Management Concepts
| Concept | Why it matters |
|---|---|
| KMS | Central service for generating, storing, rotating, and controlling keys |
| HSM | Tamper-resistant hardware for protecting high-value keys |
| Key rotation | Limits exposure window if a key is compromised |
| Key escrow | Stores recovery keys under controlled access for continuity or legal need |
| Key destruction | Makes encrypted data unrecoverable when keys are destroyed |
| Separation of duties | Prevents one person from controlling every part of key use and recovery |
Practical Scenario
A finance application stores payment records in a database and exports nightly backups to cloud object storage. Users connect through a web portal. The correct protection pattern is layered:
| Location | Good control |
|---|---|
| Web connection | TLS with valid certificates |
| Database storage | Encryption at rest with access-controlled keys |
| Backup objects | Separate backup encryption keys and restricted access |
| Admin access | MFA, logging, just-in-time access where available |
| Key storage | KMS or HSM, not keys hardcoded in application files |
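As an added example (not part of the original page), the scenario's database-and-backup pattern in Go using envelope encryption: each record gets its own data key (DEK), and the DEK is stored only wrapped under a key-encryption key (KEK) that would be held by the KMS or HSM rather than beside the data. A backup KEK that differs from the database KEK cannot unwrap the database DEKs, and zeroising a KEK is the key-destruction step from the drill below: every record under it becomes unrecoverable without touching a disk block. The function names and the AES-256-GCM choice are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func gcm(key []byte) cipher.AEAD { // AES-256-GCM for a 32-byte key; a wrong length is a programming error
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

func seal(key, plaintext []byte) []byte { // encrypts and prepends a fresh random nonce (never reuse one under a key)
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) { // reverses seal; the GCM tag check rejects a wrong key or modified data
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// EncryptRecord: fresh DEK per record, record sealed with the DEK, DEK sealed with the KEK (held in the KMS/HSM).
func EncryptRecord(kek, record []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	return seal(kek, dek), seal(dek, record)
}

func DecryptRecord(kek, wrappedDEK, ciphertext []byte) ([]byte, error) { // zeroising the KEK makes every record under it unrecoverable
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
```

The wrapped DEK can sit in the same row as the ciphertext; what must never sit there is the KEK, which is the exam trap about keys stored in the backup folder.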
Common Exam Traps
| Trap | Better exam reasoning |
|---|---|
| "Hashing encrypts data." | Hashing is one-way integrity protection, not reversible encryption. |
| "Private keys can be shared with partners." | Public keys are shared; private keys must be protected. |
| "TLS protects data after it reaches the server." | TLS protects transit, not storage or internal use after termination. |
| "Hardcoded keys are acceptable if the algorithm is strong." | Key exposure defeats strong algorithms. |
Quick Drill
Choose the best term:
- Protect a laptop if it is stolen: encryption at rest.
- Protect an API call across the internet: encryption in transit.
- Prove a software package was signed by the publisher: digital signature.
- Store high-value root keys: HSM.
- Make encrypted records unrecoverable without wiping every disk block: destroy the key.
A company encrypts database backups but stores the encryption key in the same backup folder. What is the primary weakness?
Which control best protects data while it is crossing an untrusted network?
Match each cryptographic concept to its primary use.