Cloud security resource

Data encryption at rest, in transit and in use: what really changes in the cloud

Encrypting data at rest, in transit and in use in the cloud means applying different controls to disks and backups, to network paths and sessions, and to live processing in memory or CPUs. In Brazilian (pt_BR) scenarios, you typically combine cloud data-at-rest encryption, TLS everywhere, and confidential computing to reach an acceptable risk level for business workloads.

Core distinctions: at‑rest vs in‑transit vs in‑use

  • At‑rest encryption protects stored data (disks, snapshots, backups) against physical theft, decommissioning issues and unauthorized access to storage layers.
  • In‑transit encryption protects data moving over networks (client‑to‑cloud, service‑to‑service, region‑to‑region) against sniffing and manipulation.
  • In‑use encryption focuses on data being processed (in memory or CPU) using confidential computing or application‑level techniques.
  • Cloud designs for securing data in transit and at rest are mature; in‑use protection is newer and often limited to high‑sensitivity workloads.
  • Responsibility is shared: providers secure infrastructure, while you must design keys, access, and application flows correctly.
  • Cloud encryption best practices on AWS, Azure and GCP converge on managed keys, default encryption and mutual TLS between services.

| Control | At‑rest | In‑transit | In‑use | Priority (pt_BR enterprise) |
|---|---|---|---|---|
| Default storage encryption | Enable on disks, databases, object storage | Not applicable | Not applicable | High |
| TLS 1.2+ with strong ciphers | Not applicable | Client and service connections | Not applicable | High |
| Key management (KMS/HSM) | Master and data keys | Certificates and session keys | Application and enclave keys | High |
| Network segmentation and zero trust | Limited effect | Service‑to‑service traffic | Reduces attack surface | Medium |
| Confidential computing / enclaves | Optional for key storage | Optional for secure channels | Primary mechanism | Medium‑High (for regulated workloads) |
| Application‑level encryption | Field‑level and tokenization | Payload encryption | Controls exposure in memory | Medium |

Encryption models and threat vectors by data state

At‑rest, in‑transit and in‑use encryption respond to different threat vectors: lost media, hostile networks, and compromised hosts or admins. Enterprise cloud encryption solutions typically prioritize storage and network first, then evaluate confidential computing for the most sensitive data that cannot tolerate exposure even to the cloud provider.

  • Map critical data classes (PII, financial, health, source code) and where they reside in your cloud landscape.
  • Identify legal and sector regulations in Brazil that reference encryption or data localization.
  • Classify workloads by sensitivity and business impact of a breach.
  • List existing encryption mechanisms already enabled by your cloud provider.
  • Decide which environments (prod, staging, dev) require strict segregation and different key sets.

At‑rest threat model and when it is not enough

At‑rest encryption in the cloud mainly mitigates risks of storage media compromise, mis‑handled disk decommissioning, and some insider threats at the provider. It does not by itself protect against an attacker with valid credentials or over‑privileged roles accessing the data through normal APIs.

  • Assess who can create snapshots, export backups or copy objects across accounts or subscriptions.
  • Restrict console and API roles that manage encryption keys and storage access.
  • Plan controls for ex‑employees and third‑party support providers.
  • Document assumptions about hypervisor and hardware‑level protection from your cloud provider.

In‑transit threat model and its limitations

In‑transit encryption protects against passive sniffing and many man‑in‑the‑middle attacks on the network. However, if endpoints are compromised (malware on client devices or exploited services), TLS alone does not prevent data theft because the attacker sees data after decryption.

  • Inventory all ingress and egress paths: web, APIs, VPNs, messaging, data pipelines.
  • Check support for TLS termination inside your VPC/VNet, not at public load balancers only.
  • Confirm mutual TLS capabilities for internal services and service meshes.
  • Decide where you need private connectivity (Direct Connect/ExpressRoute/Cloud Interconnect).

In‑use threat model and fit for purpose

In‑use encryption aims to keep data protected even while being processed, typically via confidential computing or isolating parts of memory. It mitigates risks from malicious admins, compromised hypervisors, or certain side‑channel attacks but often adds complexity and is not required for every workload.

  • Determine which datasets justify confidential computing due to sensitivity or regulation.
  • Evaluate support for confidential VMs or enclaves in your cloud regions of interest.
  • Estimate impact on observability, debugging and incident response workflows.
  • Plan a pilot with one high‑value, contained workload to validate behavior.

Algorithms, protocols and primitives suited to each state

For at‑rest, strong symmetric ciphers (such as AES) dominate; for in‑transit, modern TLS with robust cipher suites and certificate management is standard; for in‑use, you combine application‑level encryption and confidential computing. This section focuses on practical choices usable across AWS, Azure and GCP that do not require you to become a cryptography researcher.

  • Confirm compliance requirements for algorithms (for example, FIPS‑validated implementations).
  • Standardize on minimum TLS version and allowed cipher suites across environments.
  • Define which services must use customer‑managed keys rather than provider‑managed keys.
  • Collect documentation from cloud providers on confidential computing offerings.
  • Align with your development teams on supported SDKs and libraries for crypto operations.

At‑rest primitives in common cloud services

Cloud storage services typically use block or file encryption with symmetric ciphers and key hierarchies. You can often choose between provider‑managed keys for simplicity or customer‑managed keys for stronger control and auditability.

  • Object storage: enable bucket‑level encryption and default key options for uploads.
  • Block storage: use encrypted volumes for VMs and managed database disks.
  • Backups and snapshots: ensure copy and export operations preserve encryption.
  • Customer‑managed keys: plan key aliasing and rotation policies before enabling.

In‑transit protocols and configurations


For securing data in transit and at rest in the cloud, configuring TLS correctly is as important as turning it on. You must enforce encryption on all external interfaces and, ideally, between internal microservices or databases.

  • Mandate TLS 1.2 or higher, disabling legacy protocols where possible.
  • Use certificates from reputable CAs or managed certificate services in the cloud.
  • Enable HSTS and redirect plain HTTP to HTTPS at the edge.
  • Implement certificate rotation and monitoring for expiry.
  • Consider mutual TLS for high‑value internal APIs and service mesh deployments.
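The "TLS 1.2 or higher" rule from the list above, written as server configuration and exercised end to end, as an added Go example that is not code from the original page. It uses only the Go standard library: the certificate, the host name internal-api.example and the three client profiles are constructed for the demonstration, and the handshake runs over an in-memory pipe so the policy can be checked offline.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
const host = "internal-api.example" // constructed name for the in-memory service
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// selfSignedCert builds throwaway test material for the in-memory handshake below;
// in the cloud the certificate would come from a managed certificate service.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// serverPolicy expresses "TLS 1.2 or higher, AEAD suites only" as a tls.Config:
// a legacy client is refused during the handshake rather than merely logged.
func serverPolicy(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{ // applies to TLS 1.2; TLS 1.3 suites are fixed by Go
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		},
		// Keeps the handshake to two flights so the unbuffered in-memory pipe
		// cannot stall on session tickets; not part of the TLS policy itself.
		SessionTicketsDisabled: true,
	}
}

// handshake runs server and client over an in-memory pipe and returns the negotiated
// version, or the error the client saw when the server refused it.
func handshake(srvCfg *tls.Config, pool *x509.CertPool, clientMin, clientMax uint16) (uint16, error) {
	cConn, sConn := net.Pipe()
	srv := tls.Server(sConn, srvCfg)
	go func() { _ = srv.Handshake(); sConn.Close() }() // close the raw pipe so close_notify cannot deadlock
	cli := tls.Client(cConn, &tls.Config{RootCAs: pool, ServerName: host, MinVersion: clientMin, MaxVersion: clientMax})
	defer cli.Close()
	if err := cli.Handshake(); err !=nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}
```

A client that offers only TLS 1.0/1.1 is refused by the server with a protocol_version alert, while TLS 1.2 and 1.3 clients negotiate normally.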

In‑use encryption and confidential computing options

To protect data in use in the cloud with confidential computing, you rely on hardware‑backed isolated execution environments combined with encryption for memory and storage of secrets. This reduces the trust you place in the underlying host OS or hypervisor.

  • Identify which confidential VM types or enclave services exist in your preferred regions.
  • Check SDK maturity for languages and frameworks used by your teams.
  • Confirm how attestation works and what your applications must validate.
  • Plan logging and metrics collection without leaking sensitive content.

Practical key management: generation, storage, rotation, and access


Robust key management is essential to make enterprise cloud encryption solutions safe and auditable. Poor key handling can turn strong algorithms into weak protection. This section gives a safe, cloud‑friendly sequence suitable for Brazilian (pt_BR) organizations moving progressively to stronger control.

  • Decide which keys will live in managed KMS services and which, if any, require HSMs.
  • Define key ownership, including security and platform teams responsible for governance.
  • Plan environments (dev, test, prod) and separate key hierarchies for each.
  • Inventory services that will consume keys: databases, storage, applications, VPNs.
  • Review your incident response process for lost or compromised keys.

  1. Design a simple key hierarchy

    Create a hierarchy with root or master keys at the top, service or application keys in the middle, and data encryption keys at the bottom. Keep the hierarchy understandable to operations and auditors.

    • Separate master keys per environment and sometimes per business unit.
    • Limit the number of master keys to reduce management complexity.
  2. Use cloud KMS and HSMs for key generation and storage

    Generate cryptographic keys in a managed KMS or HSM rather than on developer machines or generic VMs. This leverages strong entropy sources and hardware protection against extraction.

    • Enable key usage policies limiting which services can use each key.
    • Restrict admin access to KMS with just‑enough‑privilege roles.
  3. Integrate applications and services with KMS APIs

    Configure databases, storage, and application services to use KMS keys via native integrations. Avoid embedding keys in configuration files, code or container images.

    • Use instance roles or managed identities for authentication to KMS.
    • Test failure modes when KMS is unavailable or permissions change.
  4. Establish rotation policies and automation

    Define how often keys are rotated and use automatic rotation where supported. Plan processes for re‑encrypting data or updating configuration to use new keys safely.

    • Start with non‑disruptive rotation for wrapping keys and certificates.
    • Schedule maintenance windows for large‑scale data re‑encryption if required.
  5. Implement access control and separation of duties

    Split responsibilities so that no single person can create, use and rotate keys without oversight. Use RBAC and approval workflows for sensitive operations such as key deletion.

    • Grant key usage rights to services, not individuals.
    • Log and review administrative actions in KMS regularly.
  6. Monitor, audit and plan for key compromise

    Enable detailed logging for key usage and integrate with your SIEM. Prepare runbooks describing steps if a key is suspected compromised, including revocation and data re‑encryption.

    • Correlate KMS logs with application and IAM events.
    • Conduct periodic exercises to test response procedures.
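Steps 1 to 4 above as an added Go example, not the page's own code and not any provider's KMS API: a master key that only wraps per-record data encryption keys (DEKs), and a rotation that re-wraps the DEK without re-encrypting the data. The in-process masterKey type is an assumption standing in for a KMS or HSM; with a real service the wrap and unwrap calls would go to that service and the master key bytes would never be in your process.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// masterKey stands in for a KMS/HSM-resident AES-256 key that only wraps and unwraps DEKs.
type masterKey struct{ ID string; key []byte }
// envelope is stored beside the data: the wrapping master key's ID, the wrapped DEK, the ciphertext.
type envelope struct{ MasterKeyID string; WrappedDEK, Ciphertext []byte }
// must panics on error; here that means RNG failure or a wrong key length, both programming errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func newMasterKey(id string) *masterKey { return &masterKey{ID: id, key: randBytes(32)} }
func gcmFor(key []byte) cipher.AEAD   { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// seal: AES-256-GCM with the random nonce prepended; aad binds the blob to its context without encrypting it.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
// open fails when key or aad differ from those used by seal (GCM tag mismatch).
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}
// encryptRecord: fresh DEK per record, data sealed under the DEK, DEK wrapped by the master key
// (aad = master key ID). Only the wrapped DEK is persisted; the plain DEK is discarded.
func encryptRecord(mk *masterKey, plaintext []byte) *envelope {
	dek := randBytes(32)
	return &envelope{mk.ID, seal(mk.key, dek, []byte(mk.ID)), seal(dek, plaintext, nil)}
}
// decryptRecord unwraps the DEK first; the wrong master key fails there, before any bulk data.
func decryptRecord(mk *masterKey, env *envelope) ([]byte, error) {
	dek, err := open(mk.key, env.WrappedDEK, []byte(env.MasterKeyID))
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, nil)
}
// rotateMasterKey re-wraps the DEK under a new master key; the bulk ciphertext is untouched,
// which is what makes rotating wrapping keys non-disruptive.
func rotateMasterKey(oldMK, newMK *masterKey, env *envelope) error {
	dek, err := open(oldMK.key, env.WrappedDEK, []byte(env.MasterKeyID))
	if err != nil {
		return err
	}
	env.MasterKeyID, env.WrappedDEK = newMK.ID, seal(newMK.key, dek, []byte(newMK.ID))
	return nil
}
```

After rotateMasterKey the old master key can no longer unwrap the envelope, so it can be retired without a bulk re-encryption window.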

Cloud provider features, shared responsibility and compliance impact

Cloud platforms provide many building blocks for data‑at‑rest encryption in the cloud and in‑transit protection, but you must configure them correctly and map them to your legal obligations. Understanding shared responsibility boundaries is crucial to pass audits and avoid gaps in coverage.

  • Confirm which services are encrypted by default, and how this is documented.
  • Check if your workloads must use customer‑managed keys for regulatory reasons.
  • Map provider attestations (for example, compliance reports) to your controls matrix.
  • Verify that backup and disaster‑recovery processes preserve encryption and keys.
  • Align DPO, legal and security teams on how encryption supports LGPD obligations.

Verification checklist for cloud encryption posture

  • All storage services (object, block, database, caches) have at‑rest encryption enabled and monitored.
  • External endpoints enforce HTTPS with modern TLS versions and no plain HTTP endpoints remain.
  • Internal service calls use TLS, ideally with mutual authentication for sensitive paths.
  • Customer‑managed keys are used where required, and key policies follow least privilege.
  • Backups, snapshots and replicated copies maintain encryption and are tested for restore.
  • Access to KMS and HSM administration is restricted, logged and periodically reviewed.
  • Confidential computing or hardened isolation is used for high‑sensitivity workloads.
  • Documentation clearly describes which encryption controls rely on the provider and which on your configuration.
  • Penetration tests and risk assessments include encryption configuration as a review item.

Performance, scalability and cost trade‑offs in cloud deployments

Cloud encryption best practices on AWS, Azure and GCP aim to minimize overhead while keeping strong protection. Most managed encryption has modest impact, but custom designs or aggressive application‑level encryption can affect performance, scaling and cloud bills if not planned carefully.

  • Baseline performance of key workloads before and after enabling stronger encryption.
  • Engage cloud solution architects to estimate cost impact of KMS calls and CPU usage.
  • Define SLOs so you can detect if encryption changes hurt user experience.
  • Pilot heavy changes (like full field‑level encryption) on a narrow workload first.
  • Monitor KMS usage, network egress and CPU metrics after rollout.

Typical mistakes and how to avoid them

  • Assuming provider defaults cover all needs, leaving some storage or network paths unencrypted.
  • Over‑encrypting everything at the application layer without a clear threat model, causing complexity and latency.
  • Hard‑coding keys or secrets into code, images or configuration files instead of using managed secret stores.
  • Ignoring key rotation and certificate renewal until an outage or incident occurs.
  • Underestimating costs from high‑frequency KMS usage in chatty microservices.
  • Deploying confidential computing without planning observability, making operations and debugging difficult.
  • Failing to update infrastructure‑as‑code templates, so new resources are created without encryption.
  • Not training developers and SREs on the practical impact of encryption decisions.

Implementation checklist with reference architectures and mitigations

This section gives concrete cloud patterns for Brazilian (pt_BR) organizations and shows how to use at‑rest, in‑transit and in‑use controls together. You can adapt these to AWS, Azure or GCP, following their shared responsibility models and native crypto capabilities.

  • Pick one or two reference workloads (for example, customer portal and analytics pipeline) for initial implementation.
  • Document which services and data stores each workload touches, including integrations.
  • Select required encryption features per service based on risk and regulatory needs.
  • Prepare infrastructure‑as‑code to enforce encryption as default rather than ad hoc.
  • Plan validation: penetration testing, configuration review and compliance checks.

Reference architecture 1: public web application with managed database

Consider a typical Brazilian e‑commerce site hosted in AWS, Azure or GCP: a public load balancer, application instances in private subnets, and a managed relational database. Users access via browsers and mobile apps over the internet.

  • At‑rest: enable encryption for database storage, logs and object storage used for file uploads.
  • In‑transit: enforce HTTPS at the edge, TLS between load balancer and application, and TLS from apps to the database.
  • In‑use: consider application‑level encryption for sensitive fields such as card tokens, plus secret management for API keys.

Implementation checklist for reference architecture 1

  • Configure the load balancer or API gateway to require HTTPS and redirect all HTTP to HTTPS.
  • Use managed certificates and automate renewal, tracking expiry in monitoring tools.
  • Enable storage encryption on the managed database with customer‑managed keys where needed.
  • Turn on server‑side encryption for object storage buckets used by the application.
  • Store secrets (database passwords, API keys) in a managed secret store, not in environment variables or code.
  • Implement field‑level encryption for the most sensitive columns and manage keys via KMS.

Reference architecture 2: analytics pipeline with data lake and batch processing

An analytics solution ingests logs and transactional data into a cloud data lake, processes it with batch jobs, and exposes results in BI tools. Data flows across multiple zones and often across accounts or subscriptions.

  • At‑rest: encrypt data lake buckets, temporary processing storage and metadata catalogs.
  • In‑transit: protect ingestion endpoints and inter‑service communication across VPC/VNet peering or private links.
  • In‑use: use application‑level encryption for sensitive attributes and restrict decryption to specific processing jobs.

Implementation checklist for reference architecture 2

  • Enable default encryption on all data lake buckets and enforce it via policies.
  • Require TLS on ingestion APIs and configure producers to validate certificates.
  • Limit which processing jobs can access decryption keys for sensitive datasets.
  • Segment environments (raw, curated, analytics) and apply different key sets if possible.
  • Audit all cross‑account sharing and exports to ensure encryption is preserved.

Reference architecture 3: high‑sensitivity workload using confidential computing

For workloads processing health data or government‑related records, you may need to minimize trust in the cloud provider. Confidential VMs or enclaves can ensure even privileged cloud admins cannot inspect data during processing.

  • At‑rest: use encrypted disks and object storage, preferably with your own keys.
  • In‑transit: enforce TLS for all inbound and outbound traffic to confidential workloads.
  • In‑use: deploy services on confidential VMs or enclaves and validate attestation before releasing keys.

Implementation checklist for reference architecture 3

  • Select confidential VM sizes or enclave services supported in your target regions.
  • Integrate attestation verification into your applications before decrypting data.
  • Restrict key release in KMS based on attestation results and workload identity.
  • Test performance and compatibility with required libraries and frameworks.
  • Update incident response and monitoring procedures to respect enclave boundaries.
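The "validate attestation before releasing keys" step of the checklist above, as an added Go example that is not code from the page or from any cloud provider. It models only the policy logic the KMS side evaluates: the report fields, the HMAC tag standing in for the vendor's hardware signature, the nonce challenge and the measurement allowlist are all constructed for the example; real verification checks the vendor certificate chain instead of an HMAC.

```go
package main
import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// report is the subset of an attestation report that a key-release policy acts on;
// tag stands in for the vendor's hardware signature (constructed for this example).
type report struct {
	Measurement string // hex digest of the confidential VM or enclave image
	Nonce       string // verifier-issued value that ties the report to this request
	Debug       bool   // debug-enabled environments must never receive production keys
	tag         []byte
}

// measure models how an image's identity is derived: a digest of its contents.
func measure(image []byte) string { s := sha256.Sum256(image); return hex.EncodeToString(s[:]) }
func reportBytes(r *report) []byte { return []byte(fmt.Sprintf("%s|%s|%t", r.Measurement, r.Nonce, r.Debug)) }
func mac(key []byte, r *report) []byte { m := hmac.New(sha256.New, key); m.Write(reportBytes(r)); return m.Sum(nil) }
// sign stands in for the hardware signing the report inside the enclave.
func sign(key []byte, r *report) { r.tag = mac(key, r) }

// releasePolicy is what the KMS side evaluates before handing key material to a workload.
type releasePolicy struct {
	attestKey []byte            // stand-in for the vendor root used to verify reports
	allowed   map[string][]byte // approved measurement -> key material released to it
	nonces    map[string]bool   // nonces issued and not yet consumed
}

// newNonce issues a fresh challenge; the workload must echo it inside its report.
func (p *releasePolicy) newNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(b)
	p.nonces[n] = true
	return n
}

// release checks signature, freshness, debug state and identity, in that order, and
// consumes the nonce so a captured report cannot be replayed.
func (p *releasePolicy) release(r *report) ([]byte, error) {
	if !hmac.Equal(mac(p.attestKey, r), r.tag) {
		return nil, errors.New("report signature invalid")
	}
	if !p.nonces[r.Nonce] {
		return nil, errors.New("nonce unknown or already used")
	}
	delete(p.nonces, r.Nonce)
	if r.Debug {
		return nil, errors.New("debug-enabled environment")
	}
	key, ok := p.allowed[r.Measurement]
	if !ok {
		return nil, errors.New("measurement not approved for this key")
	}
	return key, nil
}
```

The order matters: the signature is checked before the nonce is consumed, and the nonce is consumed before any policy decision, so neither a forged nor a replayed report changes what the policy releases.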

Operational clarifications on applying encryption across states

Do I always need application‑level encryption if storage is encrypted?

No. Storage encryption protects against lost media and some infrastructure threats, but application‑level encryption adds protection if attackers gain logical access. Use it selectively for the highest‑sensitivity fields or where regulations explicitly recommend it.

When should I choose customer‑managed keys instead of provider‑managed keys?

Use customer‑managed keys when you need granular control, separation of duties, or detailed audit logs for key usage. Provider‑managed keys are fine for low‑risk data and development environments where simplicity matters more than governance.

How do I validate that in‑transit encryption is correctly enforced?

Check configuration of load balancers, API gateways and internal services to ensure they require TLS and use modern protocols. Use automated scanners and logs to detect clear‑text connections and failed TLS handshakes.

Is confidential computing required for LGPD compliance in Brazil?

LGPD does not mandate specific technologies like confidential computing. It requires appropriate security measures based on risk. Use confidential computing when risk or contractual obligations justify extra protection for in‑use data.

What happens if I lose access to my encryption keys in the cloud?

If you lose keys without backups or recovery processes, encrypted data may become unreadable. Define key recovery, escrow and rotation procedures in advance, and protect administrative access to KMS carefully.

Can I mix multiple cloud providers and still keep encryption consistent?

Yes, but you must define common policies for algorithms, key lifecycles and access control. Use each provider's native KMS and, where necessary, central governance tools or clear documentation to keep behaviors aligned.

How do I handle performance issues after enabling encryption?


Measure baseline performance, then identify where encryption adds latency or CPU usage. Optimize by using managed services, caching decrypted data carefully, tuning KMS usage patterns and scaling compute resources where needed.