What does "encryption in transit" mean, and what doesn't it protect against?
4 minintermediateencryption-in-transittlssecurity-basics
Quick Answer
Encryption in transit protects data while it travels over a network, like TLS does between your browser and a server. It does not protect data once it is stored on disk (that needs encryption at rest), and it does not protect against a compromised endpoint — if the server itself is hacked, TLS cannot help, because the data is decrypted there anyway.
Detailed Answer
"Encryption in transit" describes when data is protected: while it moves across a network, between two endpoints.
[ Browser ] --(encrypted in transit, via TLS)--> [ Server ]
| |
data at rest data at rest
(needs separate (needs separate
protection, e.g. protection, e.g.
disk encryption) database encryption)
TLS is a textbook example of encryption in transit. Once the data arrives and is decrypted at the server, TLS's job is done. What happens to the data next is a separate concern.
What encryption in transit does not cover:
- Data at rest — data sitting in a database, a file, or a backup. That needs its own protection, such as disk-level or database-level encryption.
- A compromised endpoint — if an attacker breaches the server itself, they can read the data after TLS has already decrypted it. TLS only protects the network path in between, not the endpoints.
- Application-level bugs — TLS does not stop SQL injection, weak passwords, or a leaked API key. It only secures the transport.
- The full picture — a secure system layers multiple protections together: encryption in transit, encryption at rest, and solid application security, not just one of them.