Someone calls asking about encryption and you want to send them one link. This is that link.
Two Different Problems
Encryption is often talked about as one thing, but it actually solves two separate problems depending on where your data is at the time.
Encryption in transit protects data while it is moving. When you visit a website, send an email, or connect to a VPN, your data travels across networks you do not control. Anyone sitting between you and the destination could read it if it is not encrypted.
Encryption at rest protects data while it is sitting still. When your laptop is off, your drive is physically removed, or your USB stick is lost, encryption at rest is what stops someone from reading your files by plugging the drive into another machine.
Neither one covers the other. You can have perfect encryption in transit and still lose all your data if someone steals your unencrypted laptop. You can have a fully encrypted drive and still have your passwords intercepted if you are sending them over plain HTTP.
In Transit: What It Looks Like in Practice
Every time you see https:// in your browser, TLS is encrypting the connection between your browser and the server. The data is scrambled in a way that only your browser and the server can read.
SSH connections work the same way. When you connect to a server over SSH, the connection is encrypted end to end. Your password or key never travels in plain text.
A VPN encrypts all traffic between your device and the VPN endpoint. This is useful on public Wi-Fi, but it does not make you anonymous and it does not protect the data once it leaves the VPN server on its way to the destination.
Without encryption in transit, the following are readable by anyone on the same network:
- Passwords entered on plain HTTP sites
- Email sent over unencrypted SMTP
- Any file transferred over plain FTP
At Rest: What It Looks Like in Practice
Full disk encryption means the entire drive is encrypted when the machine is powered off. LUKS on Linux, FileVault on macOS, and VeraCrypt on any platform can do this. When you power on, you enter a passphrase to unlock the drive, and it is decrypted transparently for as long as the machine is running.
Container encryption means you create an encrypted volume as a file. You mount it when you need it, work with the files inside, then unmount it. VeraCrypt does this well on all platforms.
File-level encryption means individual files or folders are encrypted. This is more granular but also more work to manage.
Without encryption at rest:
- A stolen laptop gives full access to every file on it
- A removed hard drive can be read on any other machine
- Cloud storage backups that get breached expose plain text files
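Since the post names LUKS, here is a small check for telling whether a Linux mount point really sits on dm-crypt rather than assuming it does. This is an added example, not code from the original post: it reads /proc/mounts and the device-mapper UUID the kernel exposes under /sys (dm-crypt mappings carry a UUID starting with CRYPT-); the sample mounts and UUIDs are constructed.

```python
import os
from typing import Dict, Optional

def device_for_mount(mountpoint: str, mounts_text: str) -> Optional[str]:
    """Return the device backing `mountpoint` from /proc/mounts text (spaces are escaped as \\040)."""
    wanted = mountpoint.replace(" ", "\\040")
    device = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == wanted:
            device = fields[0]  # last entry wins when mounts are stacked
    return device

def encrypted_at_rest(mountpoint: str, mounts_text: str, dm_uuids: Dict[str, str]) -> bool:
    """True if the mount sits on a device-mapper target the kernel labels as dm-crypt.
    `dm_uuids` maps a /dev/mapper name to the contents of /sys/block/dm-N/dm/uuid."""
    device = device_for_mount(mountpoint, mounts_text)
    if not device or not device.startswith("/dev/mapper/"):
        return False  # plain partition, tmpfs, network share: no dm-crypt underneath
    name = device[len("/dev/mapper/"):]
    return dm_uuids.get(name, "").startswith("CRYPT-")  # LUKS mappings read CRYPT-LUKS1-/CRYPT-LUKS2-

def live_dm_uuids() -> Dict[str, str]:
    """Collect mapper name -> dm UUID from the running system (Linux only; empty elsewhere)."""
    uuids: Dict[str, str] = {}
    for name in (os.listdir("/dev/mapper") if os.path.isdir("/dev/mapper") else []):
        dm = os.path.basename(os.path.realpath(os.path.join("/dev/mapper", name)))  # e.g. dm-0
        try:
            with open(f"/sys/block/{dm}/dm/uuid") as fh:
                uuids[name] = fh.read().strip()
        except OSError:
            continue  # the "control" node and non-dm entries have no uuid file
    return uuids

# Constructed sample: / on LUKS, /boot on a bare partition, /home on plain (unencrypted) LVM.
SAMPLE_MOUNTS = """\
/dev/mapper/cryptroot / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/mapper/vg0-home /home ext4 rw,relatime 0 0
"""
SAMPLE_DM_UUIDS = {  # constructed values, shaped like real dm UUIDs
    "cryptroot": "CRYPT-LUKS2-0123456789abcdef0123456789abcdef-cryptroot",
    "vg0-home": "LVM-abc123",
}

if __name__ == "__main__":
    for mp in ("/", "/boot", "/home"):
        state = "encrypted at rest" if encrypted_at_rest(mp, SAMPLE_MOUNTS, SAMPLE_DM_UUIDS) else "NOT encrypted"
        print(f"{mp}: {state}")
```

On a real box, replace the sample arguments with `open("/proc/mounts").read()` and `live_dm_uuids()`; a mount that comes back unencrypted is exactly the "removed hard drive can be read on any other machine" case above.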
Quick Reference
| Situation | What Protects You |
|---|---|
| Sending data over a network | Encryption in transit (TLS, SSH, VPN) |
| Laptop gets stolen | Encryption at rest (LUKS, FileVault, VeraCrypt) |
| USB drive is lost | Encryption at rest |
| Logging into a website | In transit (HTTPS) |
| Files stored on a server | At rest |
| Remote admin access | In transit (SSH) |
This Series
- Encryption in Transit: TLS, HTTPS, SSH, and VPN (COMING SOON)
- Encryption at Rest: Linux (COMING SOON)
- Encryption at Rest: Windows (COMING SOON)
- Encryption at Rest: macOS (COMING SOON)
Related
- BitLocker and Microsoft Accounts: Why Your Encryption Keys Aren’t Really Yours
- Microsoft Locked Out VeraCrypt, WireGuard, and Windscribe: What Happened and Why It Matters
Questions about your specific setup? Post below and we will work through it.