Encryption in Transit
Encryption in transit is the practice of encrypting data as it travels across a network — between a client and server, or between internal services — so it cannot be read or tampered with if intercepted.
Definition
Encryption in transit is the practice of encrypting data as it travels across a network — between a client and server, or between internal services — so it cannot be read or tampered with if intercepted.
Overview
Whenever data moves — a browser submitting a login form, an API call between microservices, or a file syncing to cloud storage — it passes through networks that may include untrusted intermediaries. Encryption in transit, most commonly implemented using TLS (the successor to SSL), wraps that data in an encrypted channel so that even if an attacker intercepts the traffic in a man-in-the-middle attack, they see only unreadable ciphertext rather than the actual content. HTTPS (HTTP over TLS) is the most familiar example, but encryption in transit also applies to email (via STARTTLS), internal service-to-service communication (often via mutual TLS in a service mesh), VPN tunnels, and database connections. TLS establishes a secure session using asymmetric cryptography to exchange keys, then switches to faster symmetric encryption for the actual data transfer, combining the strengths of both approaches. Along with encryption at rest, encryption in transit is considered a baseline security control and is explicitly required or strongly implied by nearly every major compliance framework, including PCI DSS and HIPAA.
Key Concepts
- Encrypts data as it moves across networks between systems
- Most commonly implemented via TLS (HTTPS, secure email, mutual TLS)
- Protects against interception in man-in-the-middle scenarios
- Combines asymmetric key exchange with faster symmetric encryption
- Applies to client-server, service-to-service, and VPN traffic
- Required or strongly implied by most compliance frameworks