Data encryption: at rest, in transit, in use — what actually matters

· 4 min read · SOVALYX Technologies

SHARE

"Our data is encrypted" means very little until you specify in which state — at rest, in transit or in use — and above all who holds the keys. Each state protects against different threats, and encryption without serious key management is insurance on paper only.

Three states, three different threats

Data is always in one of three states: stored on a medium (at rest), moving across a network (in transit), or being processed in a machine's memory (in use). Each state has its own threats: theft or copying of a disk, a tape or a virtual machine image for the first; interception and traffic hijacking for the second; memory reads by malware, a hypervisor administrator or another tenant of a shared platform for the third. Saying "it's encrypted" without naming the state answers a different question.

At rest and in transit: the fundamentals, done well

At rest: necessary, not sufficient

Disk or volume encryption protects against physical theft, hardware recycling and raw copies of a medium. But it is transparent to anything running legitimately: a vulnerable application or a compromised account reads decrypted data like any authorised user. Hence the value of the upper layers — database-level, or even field-level encryption for the most sensitive data — more demanding to operate but effective against an attacker who is already inside. And the perimeter must include what gets forgotten: backups, exports, working copies. An encrypted database whose export lands in cleartext on a file share is not an encrypted database.

In transit: TLS everywhere, including internally

External traffic encryption is a given almost everywhere. The weak spot is internal, "east-west" traffic: between applications and databases, between services, between sites. Many architectures treat the internal network as trusted; one compromised workstation is enough to collapse that assumption and let an attacker listen in. The reasonable target: TLS internally too, certificates inventoried and renewed automatically — an expired certificate causes outages, and the "temporary workarounds" that follow last for years — plus encryption of replication and backup flows, often the richest of all.

During processing, data sits in cleartext in memory. That is what confidential computing addresses: hardware enclaves that keep memory encrypted even during execution, effective against the hosting provider itself or a compromised hypervisor. The technology is maturing, but it matters mostly for highly sensitive data processed on shared infrastructure. For most organisations, the question takes another form: choosing hosting where the operator is technically and contractually constrained — the heart of the data sovereignty debate.

Key management: the real subject

The decisive question is not the algorithm — current standards are robust — but: who holds the keys? Whoever holds the keys can read the data, whatever level of encryption is on display. The points to settle: where keys are stored (a dedicated key manager, backed by a hardware security module where needed, never next to the data — otherwise stealing the server means stealing the key); who administers them (the systems administrator must not be the key administrator); how they live (regular rotation, revocation on suspicion); and how the keys themselves are backed up — losing a key means losing the data for good.

With a cloud provider, three models coexist: provider-managed keys (simple, but the provider can technically decrypt), customer-supplied keys, or customer-held keys out of the provider's reach. The right choice depends on data sensitivity and your obligations — and it must appear in black and white in the hosting contract, as our article on DPAs and hosting explains. On the SOVALYX private cloud, those trade-offs are settled contractually: systematic encryption at rest and in transit, and keys under your control when compliance requires it.

The common mistakes at a glance

Common mistakeWhy it is a problemBetter reflex
"The disk is encrypted, we're covered"Protects against neither a compromised account nor a vulnerable applicationAdd database- or field-level encryption for sensitive data
Keys stored next to the dataStealing the server means stealing the keySeparate key manager, distinct access rights
TLS on the front door onlyInternal traffic can be tapped once one workstation fallsEncrypt internal and replication flows too
No certificate inventoryExpiries, outages, "temporary" workarounds that stayAutomated inventory and renewal
Backups and exports in cleartextThey concentrate most of the dataEncrypt backups and exports, control their destinations
No key-loss planA lost key is lost dataA tested key backup and recovery procedure

How SOVALYX can help

SOVALYX encrypts data at rest and in transit across its entire private cloud, and lets you keep control of your keys when compliance requires it (dedicated KMS, separation of duties). A focused audit quickly surfaces the blind spots — exports, backups, internal traffic. Call +230 5830 3314.

Talk security with an engineer

🧰 The companion tool: Would your backups survive a ransomware attack? — free · 2 minutes.

Reviewed and optimised by AI.