
What is Encryption? At Rest, In Transit, and In Use – the Complete Beginner's Guide

May 13, 2026
INTRODUCTION

Encryption is one of those words that appears in every privacy policy, security audit, and vendor proposal – yet almost nobody can explain what it actually does. This guide covers everything from first principles: what encryption is, the three states of data it can protect, and why the third state is the one most organisations have never heard of.

No prior technical knowledge required.

WHAT IS ENCRYPTION?

Encryption is the process of transforming readable data (plaintext) into an unreadable form (ciphertext) using a mathematical function and a secret value called a key. Only someone with the correct key can reverse the process and read the original data.

A practical analogy: imagine a document written in a language that only you and the recipient know. Anyone who intercepts it sees nonsense. Only the recipient – with knowledge of the language – reads the message.

In computing, modern encryption (AES-256, for example) has so many possible keys that a supercomputer trying each one in turn by brute force would take longer than the age of the universe.

THE THREE STATES OF DATA

State 1: Data at rest

Data at rest is data stored on a disk, database, USB drive, or any persistent storage medium. When it is not being accessed, it is "resting." Encrypting data at rest means that even if someone physically steals the hard drive, they cannot read its contents without the decryption key. This is the most widely deployed form of encryption. Almost all modern cloud storage services encrypt data at rest by default.

What it protects against: physical theft of storage media, unauthorised access to backup files, data exposure from decommissioned hardware.

State 2: Data in transit

Data in transit is data moving across a network – from your browser to a server, from one server to another, from a mobile app to a database. Encrypting data in transit (typically using TLS – Transport Layer Security) means that even if someone intercepts the data mid-journey, they cannot read it. The padlock icon in your browser indicates that TLS encryption is active. Today this, too, is deployed nearly everywhere.

What it protects against: network eavesdropping, man-in-the-middle attacks, packet sniffing on public Wi-Fi.

State 3: Data in use – the gap

Data in use is data actively being processed by a computer. When a database runs a query, when a server renders a web page, when an application performs a calculation – the data must be decrypted and loaded into memory (RAM) for the processor to work with it.

This is the unprotected state. While data is in use, it exists as plaintext in RAM. Anyone with access to that memory – a cloud administrator, a compromised hypervisor, malicious software with elevated privileges – can read it.

This is the data-in-use gap. And it is the attack vector behind many of the most significant breaches of the past decade.

WHY THE DATA-IN-USE GAP MATTERS

Consider a hospital using a cloud provider to run patient record queries. The records are encrypted on disk (at rest) and encrypted during transfer to the cloud (in transit). But when the cloud runs the actual query – reading patient data, processing it, returning results – the data is decrypted in the cloud provider's memory.

The cloud provider's infrastructure administrators can, in theory, access that memory. So can any malicious actor who has compromised the hypervisor layer. The hospital's encryption leaves a gap at exactly this point.

This is not a theoretical concern. Healthcare data breaches, financial data exposure, and intellectual property theft have all exploited the data-in-use gap.
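The three states described above, as an added example (not code from the original post or from enclaive): a constructed patient-style record is sealed with AES-256-GCM for storage, then opened for processing. The sealed bytes reveal nothing, but the opened record and the key are plain bytes in the process's memory, which is the gap the text describes; the GCM authentication tag also causes a record altered in transit to fail to open.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAtRest yields the "at rest" form: nonce || AES-256-GCM ciphertext.
// Without the key the stored bytes reveal nothing about the record.
func sealAtRest(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand never returns a short read
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openForUse yields the "in use" form: plaintext in this process's RAM, where
// the key slice also lives. The GCM tag makes a record altered in transit fail.
func openForUse(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("sealed record too short: %d bytes", len(sealed))
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // a throwaway key for the demo
	sealed, _ := sealAtRest(key, []byte("patient=Jane Doe;dob=1980-01-01")) // constructed sample
	inUse, _ := openForUse(key, sealed)
	fmt.Println("name visible at rest:", bytes.Contains(sealed, []byte("Jane")), "in use:", bytes.Contains(inUse, []byte("Jane")))
}
```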

THE SOLUTION: CONFIDENTIAL COMPUTING

Confidential computing is a new security approach that closes the data-in-use gap. Using hardware-based Trusted Execution Environments (TEEs), it keeps data encrypted in memory even while the CPU is actively processing it.

The encryption key resides inside the CPU hardware itself and never leaves. The data is decrypted and re-encrypted at the processor boundary in nanoseconds, invisible to the operating system, the hypervisor, and the cloud provider.

This is the third lock – the one that completes continuous encryption across all three states of data.

SUMMARY
  • Data at rest → encrypted on disk → protects against storage theft.
  • Data in transit → encrypted across the network → protects against interception.
  • Data in use → encrypted in memory (confidential computing) → protects against compromised infrastructure and privileged access.


To keep up with the latest innovations in Confidential Computing, follow enclaive on LinkedIn or subscribe to our newsletter.
