Well-Architected Framework
Protect data in transit
Data in transit is any data moving between systems over a network, including highly sensitive values such as passwords, secrets, and keys. In-transit data includes data moving between resources within your organization, and incoming and outgoing data exchanged with services outside your organization. By protecting your data in transit, you protect the confidentiality and integrity of the data while it is outside the systems that store it.
Why should you protect data in transit?
Protecting data in transit is important because a malicious actor positioned on the network path can read (intercept) or modify (alter) data during transmission if it is not properly secured. The common security measure is an encryption protocol such as TLS, which provides confidentiality and integrity for the data while it is being transferred and authenticates the server so that the client knows who it is talking to.
TLS for client server communication
Human client-to-machine communication is the first hop of data in transit. The most common protection is HTTPS instead of plain HTTP: the server presents a TLS certificate that lets the client verify the server's identity, and TLS then encrypts the traffic between web browsers or CLI tools like cURL and the API endpoints they call. You can also use TLS to secure FTP (FTPS, not to be confused with SFTP, which uses the SSH protocol), IMAP (IMAPS), POP3 (POP3S), and SMTP (SMTPS), among others.
Plain HTTP is dangerous because someone on the path (a man-in-the-middle) can read the traffic and modify it, for example by inserting malicious code into a response before forwarding it to the user's browser. The Transport Layer Security (TLS) protocol solves this problem by allowing the client to verify the identity of the server through its certificate, optionally allowing the server to verify the identity of the client (mutual TLS), and then encrypting and integrity-protecting everything exchanged between them. You should use the latest TLS version (v1.3) because it removes the weak and obsolete options that known attacks against earlier versions relied on (RSA key exchange, static Diffie-Hellman, RC4, 3DES, and non-AEAD CBC cipher suites, along with compression and renegotiation), requires forward secrecy for every connection, and encrypts most of the handshake, including the server certificate. It also offers better performance, completing the handshake in a single round trip.
Protect yourself by verifying that your browser or HTTP client supports TLS v1.3 and, for services you operate, by configuring the minimum protocol version you accept. You can also check whether a site enforces HTTP Strict Transport Security (HSTS), which instructs browsers to connect to that host only over HTTPS and so protects against downgrade and SSL-stripping man-in-the-middle attacks, using the Qualys SSL Server Test, which also reports the protocol versions and cipher suites the server supports. Most web browsers show whether a website uses TLS encryption, usually with a lock icon in the address bar.
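The two client-side checks described above, as an added example in Python (this is not code from the HashiCorp page): a client TLS context that refuses anything older than TLS 1.3 while still verifying the certificate chain and hostname, and a parser that grades a Strict-Transport-Security header the way the Qualys test does. Only the standard library is used; the HSTS header values are constructed samples rather than captures from any real site, and the one-year max-age threshold is the bar used by the HSTS preload list.

```python
"""Added example: enforce TLS 1.3 on the client and audit an HSTS header.
Standard library only. Sample headers below are constructed, not captured."""
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

# hstspreload.org requires max-age of at least one year; used as the bar here.
MIN_MAX_AGE = 31536000


def strict_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that only negotiates TLS 1.3, verifies the server
    certificate chain (CERT_REQUIRED) and checks the hostname against it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def negotiated_tls(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with the strict context and return the negotiated version
    (e.g. "TLSv1.3"). Raises ssl.SSLError if the server cannot do TLS 1.3,
    which is exactly the failure you want to surface in a check."""
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


@dataclass
class HSTSPolicy:
    present: bool
    max_age: int = 0
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(header: Optional[str]) -> HSTSPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797: directives separated
    by ';', names case-insensitive, max-age mandatory) and list weaknesses."""
    if header is None:
        return HSTSPolicy(present=False, problems=["no Strict-Transport-Security header"])
    policy = HSTSPolicy(present=True)
    seen_max_age = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            seen_max_age = True
            try:
                policy.max_age = int(value)
            except ValueError:
                policy.problems.append(f"unparseable max-age {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if not seen_max_age:
        policy.problems.append("max-age directive missing: browsers ignore the header")
    elif policy.max_age == 0:
        policy.problems.append("max-age=0 disables HSTS for this host")
    elif policy.max_age < MIN_MAX_AGE:
        policy.problems.append(f"max-age {policy.max_age} is shorter than one year")
    if not policy.include_subdomains:
        policy.problems.append("includeSubDomains missing: subdomains can still be stripped to HTTP")
    return policy


# Constructed sample header values, not captured from a real site.
SAMPLE_HEADERS = {
    "strong": "max-age=63072000; includeSubDomains; preload",
    "weak": "max-age=300",
    "disabled": "max-age=0",
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label:9} {parse_hsts(value)}")
    print("client minimum TLS version:", strict_client_context().minimum_version.name)
    # Live check against a host you operate (needs network):
    # print(negotiated_tls("api.example.com"))
```

`negotiated_tls` is the only part that touches the network; everything else runs offline, so the HSTS grading can sit in a CI job that reads the header from your own deployment's response.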
Encrypt data in-transit with Vault
Encrypting data sent across the public network is a common practice to protect highly sensitive data. Unlike TLS, which protects the connection, this encrypts the payload itself, so the data stays protected independently of the transport and can be stored in its encrypted form at the destination. However, managing the encryption key introduces operational overhead. An organization may require a specific type of encryption key. Vault's Transit secrets engine supports a number of key types to encrypt and decrypt your in-transit data. The Transit secrets engine can also manage the encryption key lifecycle (rotation, versioning, and retiring old versions) to relieve the operational burden.
The Transit secrets engine handles cryptographic functions on in-transit data. Vault doesn't store any data sent to the Transit secrets engine. You can think of the Transit secrets engine as providing "cryptography as a service" or "encryption as a service". The Transit secrets engine can sign and verify data, generate hashes and HMACs of data, and act as a source of random bytes.
For more advanced use cases, such as protecting credit card numbers that must keep their original format, data transformation and tokenization are more desirable data protection methods. Vault's Transform secrets engine, available in Vault Enterprise or HCP Vault Dedicated, provides a data encryption service similar to the Transit secrets engine. The key difference is that users can specify the format of the resulting ciphertext using the Transform secrets engine's format-preserving encryption (FPE) feature.
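The Transit workflow described above (encrypt and decrypt through Vault without Vault storing the data, then rotate the key and re-wrap existing ciphertext), as an added example in Python using only the standard library and Vault's HTTP API. This is not HashiCorp's code or the hvac client. It assumes a Vault server reachable at VAULT_ADDR with a token in VAULT_TOKEN, the engine mounted at the default path transit/ (vault secrets enable transit), and a key named orders; the key name and the sample plaintext are assumptions chosen for the example.

```python
"""Added example: minimal Vault Transit client over the HTTP API.
Assumes VAULT_ADDR, VAULT_TOKEN, a `transit/` mount and a key named `orders`."""
import base64
import json
import os
import urllib.request
from typing import Dict, List, Optional

CIPHERTEXT_PREFIX = "vault:v"


def encode_plaintext(data: bytes) -> str:
    """Transit takes plaintext as base64 so it can carry arbitrary bytes."""
    return base64.b64encode(data).decode("ascii")


def decode_plaintext(b64: str) -> bytes:
    return base64.b64decode(b64)


def ciphertext_key_version(ciphertext: str) -> int:
    """Transit ciphertext looks like `vault:v<N>:<base64>`; N is the key
    version that produced it, which rotation and min_decryption_version act on."""
    if not ciphertext.startswith(CIPHERTEXT_PREFIX):
        raise ValueError("not a Vault Transit ciphertext")
    version, sep, _ = ciphertext[len(CIPHERTEXT_PREFIX):].partition(":")
    if not sep or not version.isdigit():
        raise ValueError("malformed Vault Transit ciphertext")
    return int(version)


class TransitClient:
    def __init__(self, addr: Optional[str] = None, token: Optional[str] = None,
                 mount: str = "transit"):
        self.addr = (addr or os.environ["VAULT_ADDR"]).rstrip("/")
        self.token = token or os.environ["VAULT_TOKEN"]
        self.mount = mount.strip("/")

    def _call(self, method: str, path: str, body: Optional[Dict] = None) -> Dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{self.addr}/v1/{self.mount}/{path}", data=data, method=method,
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}  # 204 responses carry no body

    def create_key(self, name: str, key_type: str = "aes256-gcm96") -> None:
        self._call("POST", f"keys/{name}", {"type": key_type})

    def encrypt(self, name: str, plaintext: bytes) -> str:
        body = {"plaintext": encode_plaintext(plaintext)}
        return self._call("POST", f"encrypt/{name}", body)["data"]["ciphertext"]

    def decrypt(self, name: str, ciphertext: str) -> bytes:
        body = {"ciphertext": ciphertext}
        return decode_plaintext(self._call("POST", f"decrypt/{name}", body)["data"]["plaintext"])

    def rotate(self, name: str) -> None:
        self._call("POST", f"keys/{name}/rotate")

    def rewrap(self, name: str, ciphertext: str) -> str:
        """Re-encrypt under the newest key version; plaintext never leaves Vault."""
        body = {"ciphertext": ciphertext}
        return self._call("POST", f"rewrap/{name}", body)["data"]["ciphertext"]

    def set_min_decryption_version(self, name: str, version: int) -> None:
        self._call("POST", f"keys/{name}/config", {"min_decryption_version": version})


def rotate_and_rewrap(client: TransitClient, name: str, stored: List[str]) -> List[str]:
    """Key lifecycle step: rotate, rewrap every stored ciphertext under the new
    version, then forbid decryption with the retired versions."""
    client.rotate(name)
    rewrapped = [client.rewrap(name, c) for c in stored]
    newest = max(ciphertext_key_version(c) for c in rewrapped)
    client.set_min_decryption_version(name, newest)
    return rewrapped


if __name__ == "__main__":
    vault = TransitClient()
    vault.create_key("orders")
    sample = b"order-1234 total=42.00"  # constructed sample plaintext
    ct = vault.encrypt("orders", sample)
    print("ciphertext:", ct, "key version:", ciphertext_key_version(ct))
    assert vault.decrypt("orders", ct) == sample
    (new_ct,) = rotate_and_rewrap(vault, "orders", [ct])
    print("rewrapped under version", ciphertext_key_version(new_ct))
    assert vault.decrypt("orders", new_ct) == sample
```

The `vault:v<N>:` prefix is what makes rotation safe: after `rotate_and_rewrap` sets `min_decryption_version`, any ciphertext still carrying an older version is rejected by Vault, so leftover copies that were never rewrapped show up as decryption errors rather than silently remaining readable with a retired key.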
Encrypt data in-transit with Consul
Unencrypted cross-application communications are susceptible to man-in-the-middle attacks. An application can protect itself against such attacks by requiring mTLS (mutual TLS) on both ends of application-to-application communication, so that each side both encrypts the traffic and proves its identity to the other with a certificate.
HashiCorp Consul automatically enables mTLS for all communication between application services (machine-to-machine). Even legacy apps can use mTLS through local Consul proxies (sidecars) that intercept network traffic as part of a service mesh. A service mesh architecture lets Consul enforce mTLS across clouds and platforms. Consul automatically generates and rotates signed certificates, and because the TLS settings live in the mesh configuration rather than in each application, it lets you rapidly and comprehensively upgrade TLS versions and cipher suites in the future. This removes the typically slow process of updating the TLS version inside every application.
Consul automatically encrypts communications within the service mesh with mTLS. You should also secure outside traffic entering the service mesh. Two common entry points for traffic into the Consul service mesh are the ingress gateway and the API gateway. To secure inbound traffic to these gateways, enable TLS on ingress gateways (the TLS block of the ingress-gateway configuration entry, at the gateway or listener level) and enable TLS on the API gateway's listeners (the TLS block of each listener in the api-gateway configuration entry).
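The gateway check a practitioner wants after the paragraph above is an audit of the ingress-gateway and api-gateway configuration entries for listeners that still accept plaintext from outside the mesh. The following is an added example in Python, not Consul's own tooling. The entries are constructed samples in the JSON shape that Consul's `GET /v1/config/<kind>` endpoint returns; the gateway names, ports and certificate name are assumptions. `fetch_entries` reads live entries from an agent at CONSUL_HTTP_ADDR, so the audit can run against the sample data offline or against a real cluster.

```python
"""Added example: flag Consul gateway listeners that accept plaintext.
Sample config entries are constructed; names and ports are assumptions."""
import json
import os
import urllib.request
from typing import Dict, List

# Values Consul accepts for TLSMinVersion (ingress) / MinVersion (api-gateway),
# weakest first. "TLS_AUTO" or an unset value defers to Consul's default.
TLS_VERSIONS = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
REQUIRED_MIN = "TLSv1_2"


def too_weak(min_version) -> bool:
    """True if an explicit minimum version is below REQUIRED_MIN or unknown."""
    if not min_version or min_version == "TLS_AUTO":
        return False
    if min_version not in TLS_VERSIONS:
        return True
    return TLS_VERSIONS.index(min_version) < TLS_VERSIONS.index(REQUIRED_MIN)


def audit_gateway(entry: Dict) -> List[str]:
    """Return findings for one config entry. Only http listeners are flagged:
    a tcp listener passes bytes through and may carry the service's own TLS."""
    kind, name = entry.get("Kind"), entry.get("Name")
    if kind not in ("ingress-gateway", "api-gateway"):
        return [f"{kind}/{name}: not a gateway config entry"]
    findings: List[str] = []
    gw_tls = entry.get("TLS") or {}
    for lst in entry.get("Listeners") or []:
        proto = (lst.get("Protocol") or "tcp").lower()
        where = f"{kind}/{name} listener {lst.get('Port')}/{proto}"
        tls = lst.get("TLS") or {}
        if kind == "ingress-gateway":
            # A listener-level TLS block overrides the gateway-wide one.
            enabled = tls.get("Enabled", gw_tls.get("Enabled", False))
            min_v = tls.get("TLSMinVersion") or gw_tls.get("TLSMinVersion")
            if proto == "http" and not enabled:
                findings.append(f"{where}: TLS not enabled, accepts plaintext HTTP")
            if enabled and too_weak(min_v):
                findings.append(f"{where}: TLSMinVersion {min_v} is below {REQUIRED_MIN}")
        else:  # api-gateway: TLS is configured per listener via certificates
            if proto == "http" and not tls.get("Certificates"):
                findings.append(f"{where}: no TLS certificates, serves plaintext HTTP")
            if tls and too_weak(tls.get("MinVersion")):
                findings.append(f"{where}: MinVersion {tls.get('MinVersion')} is below {REQUIRED_MIN}")
    return findings


def audit_all(entries: List[Dict]) -> List[str]:
    return [f for e in entries for f in audit_gateway(e)]


def fetch_entries(kind: str) -> List[Dict]:
    """Live mode: list all config entries of one kind from a Consul agent."""
    addr = os.environ.get("CONSUL_HTTP_ADDR", "http://127.0.0.1:8500").rstrip("/")
    req = urllib.request.Request(f"{addr}/v1/config/{kind}")
    token = os.environ.get("CONSUL_HTTP_TOKEN")
    if token:
        req.add_header("X-Consul-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


# Constructed sample entries (assumed names, ports and certificate name).
SAMPLE_ENTRIES = [
    {"Kind": "ingress-gateway", "Name": "public-ingress",
     "TLS": {"Enabled": True, "TLSMinVersion": "TLSv1_2"},
     "Listeners": [{"Port": 8443, "Protocol": "http",
                    "Services": [{"Name": "api", "Hosts": ["api.example.com"]}]}]},
    {"Kind": "ingress-gateway", "Name": "legacy-ingress",
     "Listeners": [{"Port": 8080, "Protocol": "http",
                    "Services": [{"Name": "web"}]}]},
    {"Kind": "api-gateway", "Name": "edge",
     "Listeners": [
         {"Name": "https", "Port": 443, "Protocol": "http",
          "TLS": {"Certificates": [{"Kind": "inline-certificate", "Name": "edge-cert"}],
                  "MinVersion": "TLSv1_3"}},
         {"Name": "http", "Port": 80, "Protocol": "http"},
     ]},
]

if __name__ == "__main__":
    entries = SAMPLE_ENTRIES
    if os.environ.get("CONSUL_LIVE"):  # set to audit a real cluster instead
        entries = fetch_entries("ingress-gateway") + fetch_entries("api-gateway")
    for finding in audit_all(entries) or ["no plaintext gateway listeners found"]:
        print(finding)
```

Run as-is the audit reports the legacy ingress listener on 8080 and the API gateway's port 80 listener; with CONSUL_LIVE set it evaluates the cluster's real entries instead. Fixing a finding means adding `TLS { Enabled = true }` to the ingress-gateway entry or a `TLS { Certificates = [...] }` block to the api-gateway listener, as the two linked Consul tutorials describe.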
HashiCorp resources:
- Vault's Transit secrets engine
- Encryption as a service: transit secrets engine
- Data encryption
- Transform secrets engine
- Update Consul agents to securely communicate with TLS
- Enable TLS on ingress gateways
- Enable TLS on API gateway listeners
Next steps
In this section of how to secure data, you learned how to protect data in transit: using HashiCorp Vault's Transit secrets engine to encrypt data before it is sent and written to the application's primary storage service, and using HashiCorp Consul to encrypt data between services with mTLS in a service mesh. Protect data in transit is part of the Secure systems pillar.