Database Encryption: At Rest, In Transit, In Use
Encrypting a database is table stakes; the layer you encrypt at decides which attacker you actually stop and which compliance requirement you actually meet.
Three encryption layers
At rest: data encrypted on disk (volume, file, or column level) and decrypted by the database process whenever it reads.
In transit: data encrypted on the wire between client and server, in practice TLS.
In use: data kept encrypted while it is processed in memory, using trusted execution environments (TEEs); still rare.
Threat model per layer
- At rest: protects against a stolen or discarded disk and against backups or snapshots copied off; it does nothing against anyone who can query the running database.
- In transit: protects against passive sniffing; against an active on-path attacker only if the client verifies the server's certificate, otherwise the attacker simply terminates TLS itself.
- In use: protects against a compromised host or a cloud operator reading process memory; attacks here are rare but the concern is growing.
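The in-transit caveat is worth seeing concretely: an encrypted session that does not verify who is on the other end is no defence against an on-path attacker. The following is an added example, not code from the original page, written in Go against the standard library's crypto/x509 verifier. It models the three PostgreSQL client settings ("require", "verify-ca", "verify-full") and runs each against three constructed certificates: the genuine server, an attacker presenting a certificate nobody trusts, and an attacker presenting a trusted certificate issued for a different host. Host names, certificates, and the Outcome/Scenario helpers are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SSLMode mirrors the PostgreSQL client settings that matter here: "require" encrypts but
// accepts any certificate, "verify-ca" checks the chain, "verify-full" also checks the name.
type SSLMode string

const (
	ModeRequire    SSLMode = "require"
	ModeVerifyCA   SSLMode = "verify-ca"
	ModeVerifyFull SSLMode = "verify-full"
)

// selfSignedCert issues a certificate for dnsName under its own key; it stands in for
// whatever a server presents in the handshake (constructed test material, not a real CA).
func selfSignedCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkServerCert is the identity check a client in the given mode applies to the
// certificate the server presented; nil means the client proceeds and sends credentials.
func checkServerCert(mode SSLMode, presented *x509.Certificate, trusted *x509.CertPool, host string) error {
	switch mode {
	case ModeRequire:
		return nil // encrypted, but no idea who is on the other end
	case ModeVerifyCA:
		_, err := presented.Verify(x509.VerifyOptions{Roots: trusted})
		return err
	case ModeVerifyFull:
		_, err := presented.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
		return err
	}
	return fmt.Errorf("unknown sslmode %q", mode)
}

// Outcome records, per mode, whether the client would proceed with one presented cert.
type Outcome struct{ Require, VerifyCA, VerifyFull bool }

func evaluate(presented *x509.Certificate, trusted *x509.CertPool, host string) Outcome {
	return Outcome{
		Require:    checkServerCert(ModeRequire, presented, trusted, host) == nil,
		VerifyCA:   checkServerCert(ModeVerifyCA, presented, trusted, host) == nil,
		VerifyFull: checkServerCert(ModeVerifyFull, presented, trusted, host) == nil,
	}
}

// Scenario pits the modes against the genuine server, an on-path attacker holding a
// certificate nobody trusts, and one holding a trusted certificate for a different host.
func Scenario() (genuine, rogue, misnamed Outcome, err error) {
	const host = "db.internal.example"
	server, err := selfSignedCert(host)
	if err != nil {
		return
	}
	rogueCert, err := selfSignedCert(host) // right name, issuer the client never trusted
	if err != nil {
		return
	}
	other, err := selfSignedCert("cache.internal.example") // trusted below, wrong name
	if err != nil {
		return
	}
	trusted := x509.NewCertPool() // the roster the client ships with
	trusted.AddCert(server)
	trusted.AddCert(other)
	return evaluate(server, trusted, host), evaluate(rogueCert, trusted, host), evaluate(other, trusted, host), nil
}

// clientTLSConfig is verify-full for any Go client on crypto/tls: pinned roots, expected
// host, TLS 1.2 floor. InsecureSkipVerify stays false, which is the whole point.
func clientTLSConfig(trusted *x509.CertPool, host string) *tls.Config {
	return &tls.Config{RootCAs: trusted, ServerName: host, MinVersion: tls.VersionTLS12}
}

func main() {
	fmt.Println(Scenario())
}
```

"require" accepts all three certificates, "verify-ca" still accepts the trusted-but-misnamed one, and only "verify-full" rejects both attacker cases; the in-transit row in the threat model above is really a statement about the last mode.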
Performance cost
At rest: roughly 1-3% with AES hardware support; on managed services the cost is paid by the provider rather than absent.
In transit: the handshake is the expensive part (on the order of 5-15% per new connection); bulk traffic with AES hardware support is near free, so connection pooling removes most of the cost.
In use: significant (enclave memory limits, attested launch, page-fault overhead); reserved for the highest-stakes data.
Regulatory drivers
SOC 2: at-rest and in-transit encryption are table stakes.
HIPAA, PCI DSS: the same, plus documented key management (who holds keys, how they are rotated, how access is controlled).
Newer regulation (e.g., the EU AI Act) raises the question of protecting ML training data while it is being processed, which is an in-use problem.
Antipatterns
- Encryption without key rotation. Keys age for years, and every copy that ever leaked stays useful for the life of the data.
- Same key for everything. One compromised key exposes every table and every tenant at once.
- In-use encryption when nothing requires it. Premature complexity with a real performance bill.
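The first two antipatterns share one structural fix: envelope encryption, with one data-encryption key (DEK) per scope (table, tenant) and a versioned key-encryption key (KEK) that rotates by rewrapping DEKs rather than re-encrypting rows. The following is an added example, not code from the original page, in Go using the standard library's AES-256-GCM. The in-memory KeyStore is an assumed stand-in for a KMS or HSM, and the row, scope names and rotation steps are constructed for the walk-through.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// must panics on errors that can only be programming bugs (bad key length, dead crypto/rand).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// randomBytes draws n bytes from crypto/rand (keys and GCM nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func aead(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// seal encrypts plaintext and binds aad (its scope). Layout: nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, wrong aad or a tampered byte fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// WrappedDEK is stored beside the data: a DEK under a KEK, tagged with the KEK version.
type WrappedDEK struct {
	KEKVersion int
	Blob       []byte
}
// KeyStore is an assumed in-memory stand-in for a KMS: versioned KEKs, newest current.
type KeyStore struct {
	keks    map[int][]byte
	current int
}

// RotateKEK makes a fresh KEK current; older versions stay only to unwrap old blobs.
func (ks *KeyStore) RotateKEK() {
	ks.current++
	ks.keks[ks.current] = randomBytes(32)
}

// NewDEK mints one data key per scope (table, tenant) and returns only its wrapped form.
func (ks *KeyStore) NewDEK(scope string) WrappedDEK {
	return WrappedDEK{ks.current, seal(ks.keks[ks.current], randomBytes(32), []byte(scope))}
}

// Unwrap recovers a DEK; it fails if the KEK version was retired or the scope differs.
func (ks *KeyStore) Unwrap(scope string, w WrappedDEK) ([]byte, error) {
	kek, ok := ks.keks[w.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK v%d retired and blob never rewrapped", w.KEKVersion)
	}
	return open(kek, w.Blob, []byte(scope))
}

// Rewrap moves a DEK under the current KEK; row ciphertexts are untouched, which is
// what keeps KEK rotation cheap enough to actually happen on schedule.
func (ks *KeyStore) Rewrap(scope string, w WrappedDEK) (WrappedDEK, error) {
	dek, err := ks.Unwrap(scope, w)
	if err != nil {
		return WrappedDEK{}, err
	}
	return WrappedDEK{ks.current, seal(ks.keks[ks.current], dek, []byte(scope))}, nil
}

// Lifecycle walks one rotation over a constructed row: mint, rotate, rewrap, retire.
func Lifecycle() (row string, crossScopeRefused, staleBlobRefused bool) {
	ks := &KeyStore{keks: map[int][]byte{}}
	ks.RotateKEK() // KEK v1
	users, orders := ks.NewDEK("users"), ks.NewDEK("orders")
	aad := []byte("users.ssn")
	cell := seal(must(ks.Unwrap("users", users)), []byte("ssn=123-45-6789"), aad)
	_, err := open(must(ks.Unwrap("orders", orders)), cell, aad)
	crossScopeRefused = err != nil // one DEK per scope: a leaked orders key reads no users rows
	ks.RotateKEK() // KEK v2
	fresh := must(ks.Rewrap("users", users))
	delete(ks.keks, 1) // retire v1 once the sweep has rewrapped every blob
	_, err = ks.Unwrap("users", users)
	staleBlobRefused = err != nil // a blob the sweep missed is now unreadable
	plain := must(open(must(ks.Unwrap("users", fresh)), cell, aad))
	return string(plain), crossScopeRefused, staleBlobRefused
}

func main() {
	fmt.Println(Lifecycle())
}
```

The KEK version stored in each WrappedDEK is what makes rotation auditable: a sweep can list every blob still under a retired version, and the second refusal in Lifecycle is exactly what happens to a blob that sweep missed. Rotating the DEKs themselves (re-encrypting rows) is a separate, rarer operation that this model does not cover.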
What to do this week
Three moves. (1) Pick the busiest database and confirm both baseline layers: at-rest encryption on the volume or instance, and TLS enforced for every client with certificate verification turned on. (2) Measure query latency and write throughput before and after enabling anything that was off. (3) Write down the result and the constraint (which key, who rotates it, when) so the next refactor inherits the knowledge.