At Tom’s IT Cafe we break down the hard stuff so you can secure your
systems without getting lost in jargon. Below is a straight-ahead look
at what “in transit” and “in rest” mean, why they matter, and how to
implement them with the most common algorithms.
1. What Does Encryption Protect?
Encryption hides data from anyone who shouldn’t see it.
- In transit: While data moves over a network (e.g., HTTP requests,
VPN tunnels).
- In rest: When data sits on disk, in backups, or in cloud storage.
Both are essential. A breach of either can expose passwords, credit
cards, or intellectual property.
2. Encryption In Transit
2.1 How It Works
When a client talks to a server, they perform a handshake to agree on
encryption parameters:
- Client Hello – Sends supported TLS version and cipher suites.
- Server Hello – Chooses the best suite it supports.
- Certificate exchange – Server presents its public-key
certificate. - Key agreement – Diffie–Hellman or ECDHE establishes a shared
secret. - Finished messages – Both sides confirm integrity.
Once the handshake finishes, all data is encrypted with symmetric keys
derived from that shared secret.
2.2 Common Algorithms
| Category | Algorithm | Why It’s Popular |
|---|---|---|
| TLS 1.3 cipher suites | TLSAES128GCMSHA256, TLSAES256GCMSHA384 | 1-RTT handshake with optional 0-RTT for resumed sessions; forward secrecy (FS) |
| Key exchange | ECDHE-P-256, ECDHE-P-384 | Fast and FS; curves chosen by NIST or curve25519 for better performance. |
| Hashing | SHA-256, SHA-384 | Standardised, collision-resistant. |
| MAC (TLS 1.2) | HMAC-SHA-256 | Still used where TLS 1.3 isn’t available. |
Tip: Disable older suites such as RC4, DES, or any with NULL cipher.
2.3 Practical Implementation
Web Server (NGINX)
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off; # let client decide in TLS 1.3
# Modern cipher suites only
ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256';
# Enforce HSTS (HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
VPN (OpenVPN)
proto udp
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh none # use ECDHE
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
2.4 Best Practices
| Action | Why |
|---|---|
| Use TLS 1.3 everywhere | Removes handshake complexity and supports FS by default. |
| Enable HSTS and HTTP/2 | Forces secure connections and improves performance. |
| Rotate certificates regularly | Limits damage if a key is compromised. |
| Store private keys in HSM or TPM | Protects the most sensitive material. |
3. Encryption In Rest
3.1 How It Works
Data at rest encryption protects files, databases, or block devices by
converting plaintext into ciphertext using a symmetric key (e.g., AES).
The key must be stored separately from the encrypted data to avoid “key
in the same place as data” vulnerabilities.
3.2 Common Algorithms
| Layer | Algorithm | Typical Use |
|---|---|---|
| Full-disk encryption | LUKS / dm-crypt with AES-256-GCM | Linux servers, laptops |
| File system encryption | eCryptfs, Btrfs subvolume encryption | User data on shared drives |
| Database column/row encryption | AES-256-GCM or 3DES (legacy) | Sensitive fields in MySQL/PostgreSQL |
| Cloud storage | SSE-S3, KMS-managed keys | AWS S3, Azure Blob |
Why AES-256-GCM? It provides confidentiality and integrity with
minimal overhead.
3.3 Practical Implementation
LUKS on Linux
# Create a partition (replace /dev/sdb1)
cryptsetup luksFormat /dev/sdb1
cryptsetup open /dev/sdb1 cryptroot
mkfs.ext4 /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt/data
PostgreSQL column encryption
-- Enable pgcrypto extension
CREATE EXTENSION IF NOT EXISTS pgcrypto;
-- Create table with encrypted field
CREATE TABLE users (
id serial PRIMARY KEY,
username text,
ssn bytea -- stored encrypted
);
-- Insert data
INSERT INTO users (username, ssn)
VALUES ('alice', pgp_sym_encrypt('123-45-6789', 'secretkey'));
-- Decrypt data
SELECT pgp_sym_decrypt(ssn, 'secretkey') FROM users;
AWS S3 Server-Side Encryption
aws s3 cp localfile.txt s3://mybucket/remote.txt --sse AES256
# or use KMS keys
aws s3 cp localfile.txt s3://mybucket/remote.txt --sse aws:kms --sse-kms-key-id alias/mykey
3.4 Key Management
| Option | Description |
|---|---|
| Hardware Security Module (HSM) | Physical device that stores keys and performs crypto ops. |
| Cloud KMS | Managed key service with audit logs, rotation APIs. |
| Software Vault | HashiCorp Vault or similar; secure API for dynamic secrets. |
Key Rotation: Change keys every 90–180 days. Automate via scripts or
built-in cloud tooling.
3.5 Best Practices
| Practice | Rationale |
|---|---|
| Use strong, unique keys per device/service | Limits blast radius if a key leaks. |
| Separate key storage from data location | Prevents “key and ciphertext in the same breach”. |
| Enable audit logging for key access | Detect unauthorized reads/writes early. |
| Apply least-privilege to encryption services | Only necessary users or processes can decrypt. |
4. Common Pitfalls & How to Avoid Them
| Mistake | Impact | Fix |
|---|---|---|
| Leaving default TLS ciphers enabled | Vulnerable to downgrade attacks | Explicitly list modern suites; disable TLS 1.0/1.1 |
| Using weak key sizes (e.g., 128-bit) for highly sensitive data | Future-proofing risk | Prefer 256-bit keys where performance permits |
| Storing encryption keys on the same server as encrypted data | Single point of compromise | Use HSM, TPM, or cloud KMS |
| Not rotating keys | Long exposure if a key leaks | Automate rotation; monitor for anomalies |
5. Quick Reference Checklist
- Transit
- TLS 1.3 only? ✔️
- Strong cipher suites? ✔️
- HSTS enabled? ✔️
- Rest
- Full-disk encryption on all servers? ✔️
- Database field encryption for PII? ✔️
- Keys in HSM or cloud KMS? ✔️
- Ops
- Certificate rotation schedule defined? ✔️
- Key rotation policy automated? ✔️
- Audit logs reviewed monthly? ✔️
Final Thought
Encryption is not a one-time checkbox; it’s an ongoing process that
blends technology, policy, and vigilance. By hardening both transit and
rest paths with proven algorithms and disciplined key management, you
protect data from the moment it leaves your application to when it sits
idle on disk.
That’s all for today! For deeper dives into specific tools or scripting
tips, keep an eye on Tom’s IT Cafe – we’ll be back soon with more
practical guides.
Tom's IT Cafe 