What does "encryption in transit" mean, and what doesn't it protect against?

4 minintermediateencryption-in-transittlssecurity-basics

Quick Answer

Encryption in transit protects data while it travels over a network, like TLS does between your browser and a server. It does not protect data once it is stored on disk (that needs encryption at rest), and it does not protect against a compromised endpoint — if the server itself is hacked, TLS cannot help, because the data is decrypted there anyway.

Detailed Answer

"Encryption in transit" describes when data is protected: while it moves across a network, between two endpoints.

[ Browser ] --(encrypted in transit, via TLS)--> [ Server ]
     |                                                |
  data at rest                                   data at rest
  (needs separate                                (needs separate
   protection, e.g.                               protection, e.g.
   disk encryption)                                database encryption)

TLS is a textbook example of encryption in transit. Once the data arrives and is decrypted at the server, TLS's job is done. What happens to the data next is a separate concern.

What encryption in transit does not cover:

  • Data at rest — data sitting in a database, a file, or a backup. That needs its own protection, such as disk-level or database-level encryption.
  • A compromised endpoint — if an attacker breaches the server itself, they can read the data after TLS has already decrypted it. TLS only protects the network path in between, not the endpoints.
  • Application-level bugs — TLS does not stop SQL injection, weak passwords, or a leaked API key. It only secures the transport.
  • The full picture — a secure system layers multiple protections together: encryption in transit, encryption at rest, and solid application security, not just one of them.