Data encryption: at rest, in transit, in use — what actually matters

"Our data is encrypted" means very little until you specify in which state — at rest, in transit or in use — and above all who holds the keys. Each state protects against different threats, and encryption without serious key management is insurance on paper only.
Three states, three different threats
Data is always in one of three states: stored on a medium (at rest), moving across a network (in transit), or being processed in a machine's memory (in use). Each state has its own threats: theft or copying of a disk, a tape or a virtual machine image for the first; interception and traffic hijacking for the second; memory reads by malware, a hypervisor administrator or another tenant of a shared platform for the third. Saying "it's encrypted" without naming the state answers a different question.
At rest and in transit: the fundamentals, done well
At rest: necessary, not sufficient
Disk or volume encryption protects against physical theft, hardware recycling and raw copies of a medium. But it is transparent to anything running legitimately: a vulnerable application or a compromised account reads decrypted data like any authorised user. Hence the value of the upper layers — database-level, or even field-level encryption for the most sensitive data — more demanding to operate but effective against an attacker who is already inside. And the perimeter must include what gets forgotten: backups, exports, working copies. An encrypted database whose export lands in cleartext on a file share is not an encrypted database.
In transit: TLS everywhere, including internally
External traffic encryption is a given almost everywhere. The weak spot is internal, "east-west" traffic: between applications and databases, between services, between sites. Many architectures treat the internal network as trusted; one compromised workstation is enough to collapse that assumption and let an attacker listen in. The reasonable target: TLS internally too, certificates inventoried and renewed automatically — an expired certificate causes outages, and the "temporary workarounds" that follow last for years — plus encryption of replication and backup flows, often the richest of all.
In use: the newest link
During processing, data sits in cleartext in memory. That is what confidential computing addresses: hardware enclaves that keep memory encrypted even during execution, effective against the hosting provider itself or a compromised hypervisor. The technology is maturing, but it matters mostly for highly sensitive data processed on shared infrastructure. For most organisations, the question takes another form: choosing hosting where the operator is technically and contractually constrained — the heart of the data sovereignty debate.
Key management: the real subject
The decisive question is not the algorithm — current standards are robust — but: who holds the keys? Whoever holds the keys can read the data, whatever level of encryption is on display. The points to settle: where keys are stored (a dedicated key manager, backed by a hardware security module where needed, never next to the data — otherwise stealing the server means stealing the key); who administers them (the systems administrator must not be the key administrator); how they live (regular rotation, revocation on suspicion); and how the keys themselves are backed up — losing a key means losing the data for good.
With a cloud provider, three models coexist: provider-managed keys (simple, but the provider can technically decrypt), customer-supplied keys, or customer-held keys out of the provider's reach. The right choice depends on data sensitivity and your obligations — and it must appear in black and white in the hosting contract, as our article on DPAs and hosting explains. On the SOVALYX private cloud, those trade-offs are settled contractually: systematic encryption at rest and in transit, and keys under your control when compliance requires it.
The common mistakes at a glance
| Common mistake | Why it is a problem | Better reflex |
|---|---|---|
| "The disk is encrypted, we're covered" | Protects against neither a compromised account nor a vulnerable application | Add database- or field-level encryption for sensitive data |
| Keys stored next to the data | Stealing the server means stealing the key | Separate key manager, distinct access rights |
| TLS on the front door only | Internal traffic can be tapped once one workstation falls | Encrypt internal and replication flows too |
| No certificate inventory | Expiries, outages, "temporary" workarounds that stay | Automated inventory and renewal |
| Backups and exports in cleartext | They concentrate most of the data | Encrypt backups and exports, control their destinations |
| No key-loss plan | A lost key is lost data | A tested key backup and recovery procedure |
How SOVALYX can help
SOVALYX encrypts data at rest and in transit across its entire private cloud, and lets you keep control of your keys when compliance requires it (dedicated KMS, separation of duties). A focused audit quickly surfaces the blind spots — exports, backups, internal traffic. Call +230 5830 3314.
Talk security with an engineer🧰 The companion tool: Would your backups survive a ransomware attack? — free · 2 minutes.
Reviewed and optimised by AI.