In 2023, IBM's Cost of a Data Breach Report found that organizations using encryption extensively saved an average of $360,000 per breach. Yet in my years working in security operations, I've seen far too many environments where database volumes sit unencrypted and internal services still communicate over plaintext HTTP. Let's fix that—systematically, practically, and with configurations you can actually take back to your infrastructure.
Why "At Rest" and "In Transit" Are Two Distinct Problems
Data at rest is information stored on disk: databases, backups, log archives, virtual machine images, and the cloud snapshots taken of all of those. Data in transit is information moving across a network, whether between a user's browser and your web server or between two microservices in your backend. Each state has its own attack surface and its own controls: a stolen drive or a copied snapshot exposes data at rest, and disk encryption does nothing for the same bytes once they are on the wire; a man-in-the-middle on the network targets data in transit, and TLS does nothing for the file those bytes are written to on arrival. A mature security posture addresses both, with separate keys and separate failure modes to monitor.
Encrypting Data at Rest
Full-Disk Encryption with LUKS
For Linux servers, LUKS (Linux Unified Key Setup) is the standard choice, and LUKS2 is the format you want on any current distribution. Encrypt volumes when you provision them; retrofitting is possible with cryptsetup reencrypt, but it is a migration in its own right and rarely happens once a system is in service:
```bash
# Create a LUKS2 container on the partition (prompts for a passphrase; use
# --key-file for unattended provisioning). This destroys any existing data.
sudo cryptsetup luksFormat --type luks2 /dev/sdb1
# Open the container; the cleartext block device appears at /dev/mapper/secure_volume
sudo cryptsetup open /dev/sdb1 secure_volume
# Create a filesystem on the mapping and mount it
sudo mkfs.ext4 /dev/mapper/secure_volume
sudo mount /dev/mapper/secure_volume /mnt/encrypted_data
# Check what you actually got: LUKS version, cipher (expect aes-xts-plain64) and key size
sudo cryptsetup status secure_volume
```

For servers that must reboot unattended, a passphrase typed at a console does not scale. Two common patterns: keep the volume key in a key management solution such as HashiCorp Vault or AWS KMS and have an early-boot unit fetch it, or use Tang and Clevis for Network Bound Disk Encryption (NBDE), where Clevis binds a LUKS keyslot to a Tang server so the volume unlocks automatically only while the host can reach that server. Be clear about what NBDE does and does not give you: a disk pulled from the rack and powered up elsewhere stays sealed, but any host that boots on the right network, or an attacker who can reach Tang, gets the same automatic unlock. Put Tang on a tightly firewalled segment and treat NBDE as protection against hardware leaving your control, not as a substitute for hardening the running host.
Database-Level Encryption
Full-disk encryption defends against a drive, or a cloud volume snapshot, leaving your control. Once the host has booted, the filesystem is transparently decrypted for every process on it, so an attacker with OS-level access reads the database files as easily as the database does. Transparent Data Encryption (TDE) adds a layer the OS cannot see through: the engine encrypts its own data files, logs and backups with a key it fetches from an external keyring or KMS, so a copied data directory or a dump lifted from a backup bucket is useless without that key. Neither layer helps against a compromised database account, which reads decrypted rows through the normal query path; for that you need field-level encryption in the application, with keys the database never holds:

```sql
-- PostgreSQL: via Percona's pg_tde extension (external key provider required)
CREATE EXTENSION pg_tde;
-- MySQL 8 / InnoDB (needs a keyring component so the master key lives off-box)
ALTER TABLE customers ENCRYPTION='Y';
-- MariaDB: different syntax, key id from its encryption plugin
ALTER TABLE customers ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
```

Key takeaway: Treat encryption as defense in depth. Disk-level, database-level and application-level encryption serve different threat models, and each one's key must live somewhere the layer below it cannot reach.
Encrypting Data in Transit
TLS Everywhere—Including Internal Traffic
External-facing TLS is table stakes. The harder discipline is enforcing encryption for east-west traffic between internal services, where certificates have traditionally been an afterthought. Start by standing up a private CA and issuing certificates to every service from it; the CA's root then goes into the trust store of every internal client, and nothing else does. Tools like step-ca or HashiCorp Vault PKI make issuance and short-lived renewal manageable:
```bash
# Issue a server certificate from the private CA with the step CLI
# (the step client must already be bootstrapped against your step-ca instance)
step ca certificate "api.internal.example.com" \
    server.crt server.key --provisioner admin
```

```nginx
# Nginx: TLS 1.3 only
server {
    listen 443 ssl;
    server_name api.internal.example.com;
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_protocols TLSv1.3;
    # ssl_ciphers does not govern TLS 1.3 suites; with OpenSSL 1.1.1+ and
    # nginx 1.19.4+ they are set through ssl_conf_command instead
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
}
```

Force TLS 1.3 wherever possible. Disable TLS 1.0 and 1.1 outright; RFC 8996 deprecated both. Where a client genuinely cannot speak 1.3, allow TLS 1.2 with AEAD suites only and track it as an explicit exception rather than a default. Note that step-ca issues short-lived certificates (24 hours by default), so pair the issuance command above with step ca renew on a timer or in daemon mode, and alert on any certificate that fails to renew.
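To make the east-west requirement concrete in code rather than configuration, here is an added example written for this edit (not code from the original post, and not step-ca's or Istio's own code): a Go program that plays both sides of an internal connection. It builds an in-memory private CA, issues a server certificate for api.internal.example.com and a client certificate for a hypothetical orders.internal.example.com service, starts a TLS 1.3-only server that requires a client certificate from that CA (which is what a service mesh's strict mTLS mode enforces for you), and probes it with one correctly configured client plus three that must fail: no client certificate, trust in a different CA, and a TLS 1.2 ceiling. All names are assumptions; nothing leaves the loopback interface.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// DemoResult records what each probe got back from the strict server.
type DemoResult struct {
	ClientIdentity string // CN the server verified on the correctly configured client
	NoClientCertOK bool   // anonymous client accepted? must be false under strict mTLS
	UntrustedCAOK  bool   // client trusting a different CA connected? must be false
	TLS12OK        bool   // client capped at TLS 1.2 connected? must be false
}

// issueCert mints an ECDSA P-256 certificate: a self-signed CA when parent is
// nil, otherwise a short-lived leaf signed by parent with the given EKU.
func issueCert(name string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // key/cert generation failing is a programming error in this demo
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // a real CA tracks serials properly
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the SAN the peer verifies against
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, perr := x509.ParseCertificate(der) // a nil der from a failed create also fails here
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return cert, key
}

// MTLSDemo runs an in-process server configured like the strict policy a mesh
// applies (TLS 1.3 only, client certificate from the internal CA required) and probes it.
func MTLSDemo() DemoResult {
	caCert, caKey := issueCert("Internal Root CA", 0, nil, nil)
	srvCert, srvKey := issueCert("api.internal.example.com", x509.ExtKeyUsageServerAuth, caCert, caKey)
	cliCert, cliKey := issueCert("orders.internal.example.com", x509.ExtKeyUsageClientAuth, caCert, caKey)
	rogueCA, _ := issueCert("Some Other CA", 0, nil, nil) // trusted by nobody here
	trusted, rogue := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(caCert)
	rogue.AddCert(rogueCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Under RequireAndVerifyClientCert the handler can trust this identity.
		w.Header().Set("X-Verified-Client", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mesh's STRICT mode
		ClientCAs:    trusted,
		MinVersion:   tls.VersionTLS13,
	}
	srv.StartTLS()
	defer srv.Close()
	// try returns the identity the server echoed, or "" if the connection failed.
	try := func(cfg *tls.Config) string {
		cfg.ServerName = "api.internal.example.com" // checked against the server's SAN
		client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}, Timeout: 5 * time.Second}
		resp, err := client.Get(srv.URL)
		if err != nil {
			return ""
		}
		resp.Body.Close()
		return resp.Header.Get("X-Verified-Client")
	}
	clientCert := []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	return DemoResult{
		ClientIdentity: try(&tls.Config{RootCAs: trusted, Certificates: clientCert}),
		NoClientCertOK: try(&tls.Config{RootCAs: trusted}) != "",
		UntrustedCAOK:  try(&tls.Config{RootCAs: rogue, Certificates: clientCert}) != "",
		TLS12OK:        try(&tls.Config{RootCAs: trusted, Certificates: clientCert, MaxVersion: tls.VersionTLS12}) != "",
	}
}

func main() { fmt.Printf("%+v\n", MTLSDemo()) }
```

Run it with go run; it prints the four results. The untrusted-CA case is the one worth noticing: the client refuses the server even though the server's certificate is perfectly valid, because the client trusts only the internal root. That is exactly the behaviour you want when something on the network presents a public-CA certificate for an internal name.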
Service Mesh for Zero-Trust Encryption
In containerized environments, a service mesh like Istio or Linkerd provides mutual TLS (mTLS) between all pods without requiring application code changes. This is the most scalable approach to east-west encryption in Kubernetes:
```yaml
# Istio PeerAuthentication: enforce strict mTLS mesh-wide
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # the root namespace, so this applies to the whole mesh
spec:
  mtls:
    mode: STRICT
```

A PeerAuthentication in the root namespace (istio-system by default) applies to every workload in the mesh; a policy in a workload's own namespace overrides it. Roll out with mode PERMISSIVE first, confirm nothing still arrives in plaintext (pods without a sidecar, health checks and scrapers from outside the mesh), then switch to STRICT, at which point the sidecar refuses any connection that is not mTLS. Linkerd enables mTLS for meshed pods by default and needs no equivalent object, though it too only covers traffic between pods that carry its proxy.

Key Management: The Part Everyone Forgets
Encryption is only as strong as your key management. Never store encryption keys alongside the data they protect: a wrapped data key next to its ciphertext is fine, the key that unwraps it is not. Centralize key management in Vault, AWS KMS, or Azure Key Vault and use envelope encryption, where each object is encrypted under its own data key and only that small data key is encrypted under the master key held in the KMS; rotating the master key then means rewrapping data keys, not re-encrypting every byte you hold. Rotate on a defined schedule, keep retired key versions available until every record has been rewrapped, and make sure the rotation process is automated and tested. A key rotation that causes a production outage will be the last one anyone attempts willingly.
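The rotation discipline above, and the application-level layer mentioned in the database section, as an added example written for this edit (not the page's own code, and not Vault's or AWS KMS's API): a Go program implementing envelope encryption with AES-256-GCM. An in-memory KMS stand-in holds versioned key-encryption keys that never leave it; each record gets its own data key, the row id is bound as authenticated data so a ciphertext cannot be moved to another row, and RunRotation walks one record through rotate, rewrap and retire. The KMS type, the row id customers:42 and the payload are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what lands in the database: payload sealed under a per-record data key (DEK),
// plus the DEK sealed under a KEK that is never stored with the data; only the KEK version is.
type Record struct {
	KEKVersion int
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, payload)
}
// KMS stands in for Vault or AWS KMS: KEKs never leave it. Versions are 1-based indexes into keks.
type KMS struct{ keks [][]byte }
func (k *KMS) Rotate() { k.keks = append(k.keks, randBytes(32)) }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failing means the host is unusable
	}
	return b
}
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length fails here: a programming error
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
// seal/open prepend a random 96-bit nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Encrypt: fresh DEK per record; context (e.g. "customers:42") is bound as AAD so the ciphertext will not decrypt on another row.
func (k *KMS) Encrypt(plaintext, context []byte) Record {
	dek, v := randBytes(32), len(k.keks)
	return Record{v, seal(k.keks[v-1], dek, nil), seal(dek, plaintext, context)}
}

func (k *KMS) unwrap(r Record) ([]byte, error) {
	if r.KEKVersion < 1 || r.KEKVersion > len(k.keks) || k.keks[r.KEKVersion-1] == nil {
		return nil, fmt.Errorf("KEK v%d is retired but a record still uses it", r.KEKVersion)
	}
	return open(k.keks[r.KEKVersion-1], r.WrappedDEK, nil)
}

func (k *KMS) Decrypt(r Record, context []byte) ([]byte, error) {
	dek, err := k.unwrap(r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, context)
}

// Rewrap moves a record onto the current KEK without touching the payload ciphertext: rotation stays cheap at scale.
func (k *KMS) Rewrap(r Record) (Record, error) {
	dek, err := k.unwrap(r)
	if err != nil {
		return Record{}, err
	}
	return Record{len(k.keks), seal(k.keks[len(k.keks)-1], dek, nil), r.Ciphertext}, nil
}

// RunRotation walks one record through rotate -> rewrap -> retire and returns what a rotation test should
// assert: payload bytes untouched, the rewrapped record still decrypts, and a missed record fails loudly.
func RunRotation() (unchanged bool, plaintext string, staleRejected bool, err error) {
	var kms KMS
	kms.Rotate() // KEK v1
	row := []byte("customers:42")                           // constructed row id
	rec := kms.Encrypt([]byte("4111 1111 1111 1111"), row) // constructed sample
	kms.Rotate()                                            // KEK v2
	rewrapped, err := kms.Rewrap(rec)
	if err != nil {
		return false, "", false, err
	}
	pt, err := kms.Decrypt(rewrapped, row)
	kms.keks[0] = nil // retire v1, only once every record is on v2; rec itself was "forgotten"
	_, staleErr := kms.Decrypt(rec, row)
	return string(rec.Ciphertext) == string(rewrapped.Ciphertext) && rewrapped.KEKVersion == 2, string(pt), staleErr != nil, err
}

func main() { fmt.Println(RunRotation()) }
```

The check a rotation job must include is the last one: a record the job missed still names the retired version and fails with a clear error instead of decrypting under the wrong key or returning garbage. Run the rewrap over every record, verify that zero records remain on the old version, and only then retire it.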
Final Checklist for Your Environment
- ✅ Encrypt all volumes with LUKS or BitLocker and integrate with centralized key management
- ✅ Enable TDE on databases holding sensitive data
- ✅ Enforce TLS 1.3 on all external and internal endpoints (TLS 1.2 with AEAD suites only as a tracked exception)
- ✅ Deploy mTLS for service-to-service communication
- ✅ Audit quarterly: find plaintext services with a version scan (nmap -sV over your internal ranges, looking for http, ftp, telnet and unencrypted database ports), then grade the TLS endpoints you do find with nmap --script ssl-enum-ciphers
Encryption isn't a checkbox—it's an operational discipline. Start with your highest-risk data stores, expand methodically, and never stop auditing.
Have questions about encryption for data at rest and in transit? I'm always happy to talk shop — reach out or connect with me on LinkedIn.