Encryption In Transit And At Rest

Why this matters

As a Backend Engineer, you handle sensitive traffic and data. Strong encryption prevents eavesdropping, tampering, and data exposure if disks or backups leak. You will:

• Enable HTTPS/TLS for APIs and dashboards.
• Secure service-to-service calls with mTLS.
• Encrypt databases, files, and backups at rest.
• Design key rotation and respond to incidents safely.
• Meet compliance expectations (e.g., “encrypt in transit and at rest”).

Concept explained simply

Encryption in transit protects data while it moves between clients and services. Think of a private tunnel: outsiders can see packets moving, but not the contents.

Encryption at rest protects stored data (databases, disks, backups). Think of a locked safe: even if someone steals the safe, they can’t open it without the key.

Mental model

• Data states: moving (in transit) vs. sitting (at rest).
• Keys unlock data: protect keys more than the data.
• Layers: use TLS for the wire; use disk/DB/application encryption for storage. Layers complement each other.
• Rotation: assume keys age out. Plan to replace without downtime.

Worked examples

Example 1 — HTTPS API hardening

Goal: Serve an API only over TLS with modern settings and automatic HTTP→HTTPS redirect.

1. Use TLS 1.2 and 1.3 only. Disable old protocols/ciphers.
2. Redirect port 80 to 443 permanently.
3. Enable HSTS so browsers prefer HTTPS.
4. Enable OCSP stapling so clients can verify revocation efficiently.

Example 2 — mTLS between services

Goal: Only trusted services communicate. Both sides use certificates issued by your internal CA.

1. Create a private CA (root) and issue per-service leaf certs.
2. Each service trusts the CA (not each other directly).
3. Server verifies client cert; client verifies server cert and hostname/SAN.
4. Rotate certs regularly; keep overlap windows for zero-downtime rotation.

Example 3 — At-rest encryption with envelope pattern

Goal: Encrypt a column like ssn with per-record DEKs and a KEK held by KMS.

1. Generate a random 256-bit DEK per record.
2. Encrypt data with AES-256-GCM using a unique 96-bit nonce. Include AAD (e.g., tenant_id, table, column, version).
3. Encrypt the DEK with KMS (KEK) → eDEK.
4. Store ciphertext, nonce, tag, eDEK, alg, version with the record.
5. To decrypt: KMS decrypt eDEK → DEK; then AES-GCM decrypt and verify tag.

Setup checklist

• [ ] All public endpoints force HTTPS with TLS 1.2+
• [ ] HSTS enabled after verifying HTTPS stability
• [ ] Internal service calls use TLS; high-trust paths use mTLS
• [ ] Databases/disks/backups encrypted at rest
• [ ] Sensitive fields use application-level encryption where needed
• [ ] Key rotation plan tested; old keys retired safely
• [ ] Secrets and keys never logged; access is auditable

Exercises

Note: Everyone can take exercises and the quick test. Only logged-in users will see saved progress.

Common mistakes and self-check

• Using outdated TLS (1.0/1.1). Self-check: scan your endpoints; your server config should only advertise TLS 1.2/1.3.
• Not validating hostnames in TLS. Self-check: ensure clients verify SAN/hostname and full chain.
• Reusing nonces with AES-GCM. Self-check: code generates a new 96-bit nonce per encryption.
• Storing keys with the data. Self-check: keys live in KMS/HSM or a separate secrets manager.
• Relying only on full-disk encryption. Self-check: sensitive columns also use application-level encryption when required.
• No rotation plan. Self-check: document and test KEK rotation and certificate rotation.
• Logging secrets or decrypted payloads. Self-check: log redaction enabled; access logs avoid sensitive values.

Practical projects

• Wrap an existing REST API with HTTPS and HSTS, then run a TLS scan locally to verify protocols/ciphers.
• Add application-level encryption to one sensitive column using envelope encryption with a mock KMS interface.
• Encrypt backups before upload; verify restore requires keys and integrity checks.

Who this is for

• Backend Engineers building user-facing or internal APIs.
• Platform/Infra Engineers responsible for service mesh and certificates.
• Developers handling sensitive data (PII, credentials, tokens).

Prerequisites

• Basic networking and HTTP knowledge.
• Familiarity with your web server (e.g., Nginx) or load balancer.
• Comfort with a programming language for sample code (any is fine).

Learning path

1. Master TLS basics: certificates, chains, host validation.
2. Set up HTTPS for public endpoints.
3. Add mTLS for internal service-to-service calls.
4. Implement at-rest encryption: disk/TDE, then field-level where needed.
5. Introduce envelope encryption and automate key rotation.
6. Add monitoring and incident runbooks.

Next steps

• Complete the exercises above and validate locally.
• Take the quick test below to lock in concepts.
• Pick one practical project and ship it this week.

Mini challenge

Configure mTLS between two local services and rotate one service certificate without downtime. Prove success by showing both old and new certs can connect during the overlap window, then only the new cert works after cutoff.