Well-Architected Framework
Protect data in transit
Data in transit is any data moving between resources within your environment, including incoming and outgoing data from external services. By protecting your data in transit, you protect the confidentiality and integrity of the data within your environment.
Why protect data in transit
Many people think of data in transit as data moving across the public internet, but data in transit also includes data moving between services within your environment. Protecting data in transit is critical to prevent unauthorized access and ensure the integrity of your data. Protecting data in transit is important because:
Prevent data interception and tampering: When data moves between systems without encryption, malicious actors can intercept, read, or modify it before it reaches the destination using a technique known as a man-in-the-middle attack. Unprotected network traffic exposes passwords, API tokens, and sensitive business data to anyone with access to the network path.
Enforce authentication between communicating services: Encryption alone does not verify that a connection reaches the intended destination. Without mutual authentication, services cannot confirm they are communicating with a trusted peer rather than an impersonator. Mutual TLS (mTLS) addresses this by requiring both sides of a connection to present and validate certificates before exchanging data.
Manage cryptographic complexity at scale: As your infrastructure grows, managing TLS certificates, cipher suite upgrades, and key rotation across many services becomes operationally expensive. Centralizing encryption key management reduces the risk of misconfiguration and makes it easier to respond when cryptographic algorithms are deprecated or compromised.
TLS for client-to-server communication
Human client-to-machine communication is the first hop of data in transit, most commonly by using HTTPS instead of HTTP with a certificate. TLS/SSL certificates encrypt traffic between web browsers, CLI tools such as cURL, and API endpoints. You can also use TLS to secure other protocols, including FTP (FTPS), IMAP (IMAPS), POP3 (POP3S), and SMTP (SMTPS). FTPS is not the same as SFTP, which uses the SSH protocol.
The HTTP is not secure because someone (man-in-the-middle) can intercept the traffic and insert malicious code before forwarding it to the user's browser. The Transport Layer Security (TLS) protocol solves this problem by allowing the client to verify the identity of the server and allows the server to verify the identity of the client. TLS v1.3 is recommendedbecause it provides stronger security through improved encryption algorithms and patches known vulnerabilities. TLS v1.3 also offers better performance with faster connection times and enhanced privacy protections.
Protect yourself by verifying that your browser supports TLS v1.3. Additionally, you can identify whether a site supports HTTP Strict Transport Security (HSTS) to protect against man-in-the-middle attacks using the Qualys SSL Server Test. Most web browsers show if a website uses TLS encryption, usually with a lock icon on the address bar.
Encrypt data in transit with Vault
Encrypting data sent across the public network is a common practice to protect highly sensitive data. However, managing the encryption key introduces operational overhead. An organization may require a specific type of encryption key. Vault's Transit secrets engine supports a number of key types to encrypt and decrypt your in-transit data. The Transit secrets engine can also manage the encryption key lifecycle to relieve the operational burden.
The Transit secrets engine handles cryptographic functions on in-transit data. Vault does not store any data sent to the Transit secrets engine. You can think of the Transit secrets engine as providing "cryptography as a service" or "encryption as a service". The Transit secrets engine can sign and verify data, generate hashes and HMACs of data, and act as a source of random bytes.
For more advanced use cases, such as encoding credit card numbers, data transformation and tokenization are more desirable data protection methods. Vault's Transform secrets engine, available in Vault Enterprise or HCP Vault Dedicated, provides data encryption service similar to the Transit secrets engine. The key difference is that you can specify the format of the resulting ciphertext using the Transform secrets engine's format-preserving encryption (FPE) feature.
Encrypt data in transit with Consul
Unencrypted cross-application communications are susceptible to man-in-the-middle attacks. An application can protect itself against malicious activities by requiring mTLS (mutual TLS) on both ends of the application to application communications.
HashiCorp Consul enables mTLS by default for services enrolled in the service mesh (machine-to-machine). Even legacy apps can use mTLS through local Consul proxies that intercept network traffic as parts of a service mesh. A service mesh architecture lets Consul enforce mTLS across clouds and platforms. Centralizing TLS management in Consul eliminates the slow, error-prone process of updating the TLS version in each application individually.
Consul automatically encrypts communications within the service mesh with mTLS. You should also secure traffic entering and leaving the service mesh. Two common entry points for inbound traffic are the Ingress Gateway and the API Gateway. To secure inbound traffic to these gateways, you can enable TLS on ingress gateways, and enable TLS on the API gateway listeners. For outbound traffic to services outside the mesh, terminating gateways terminate mTLS connections, enforce service intentions, and forward requests to external destinations.
HashiCorp resources
- Learn how to classify your data before applying in-transit protection requirements
- Protect data at rest alongside in-transit protections for defense in depth
- Read the Transit secrets engine documentation for supported key types and configuration
- Learn to use the transit secrets engine for encryption as a service
- Learn to use the Transform secrets engine for format-preserving encryption of sensitive values
- Update Consul agents to communicate with TLS
- Enable TLS on ingress gateways to secure traffic entering the service mesh
- Enable TLS on API gateway listeners to secure inbound API traffic
External resources
- Verify your browser supports TLS v1.3
- Check your domain's SSL/TLS configuration with the Qualys SSL Server Test
Next steps
In this section of how to Secure data, you learned how to protect data as it moves across the network using TLS for client-to-server communication, Vault's Transit secrets engine for encryption as a service, and Consul service mesh mTLS for service-to-service communication. Protecting data in transit is part of the Secure systems pillar.
Visit the following documents to continue building your data protection strategy:
- Protect data at rest to implement storage encryption strategies for classified data
- Tokenize data to replace sensitive values such as credit card numbers or patient records with non-sensitive tokens
- Use policy as code to enforce encryption requirements across your infrastructure