Encryption, TLS, and Secrets Management
Encryption Types
| Type | Purpose | Examples |
|---|---|---|
| In transit | Protect data on the network | TLS/HTTPS, mTLS between services |
| At rest | Protect stored data | AES-256 disk encryption, encrypted DB columns |
| End-to-end | Only sender/receiver can read | Signal protocol, WhatsApp |
TLS (Transport Layer Security)
// TLS handshake (simplified):
1. Client → Server: "Hello, I support TLS 1.3, these ciphers"
2. Server → Client: certificate (proves identity) + chosen cipher
3. Key exchange (Diffie-Hellman): both derive shared secret
4. All subsequent data encrypted with shared secret
// Adds ~1 RTT to connection setup (TLS 1.3)
mTLS (Mutual TLS)
Both client AND server present certificates. Used for service-to-service auth in microservices (Istio does this automatically).
Secrets Management
- Never store secrets in code or git
- Use: HashiCorp Vault, AWS Secrets Manager, K8s Secrets (encrypted)
- Rotate secrets regularly
- Principle of least privilege: each service gets only the secrets it needs
Key Takeaways
- TLS everywhere: all network communication must be encrypted
- mTLS for service-to-service authentication (zero-trust)
- Secrets in vault/secrets manager, never in code
- Encrypt at rest for compliance and defense-in-depth