What is encryption at rest versus in transit, and how do you ensure both? [Advanced]
Answer
Encryption at rest protects stored data such as disks, databases, backups, and object storage. Encryption in transit protects data moving across networks using protocols such as TLS or mTLS. A secure system needs both because data is exposed in different states.
Technical explanation
At-rest encryption usually uses KMS-managed keys, database TDE, disk encryption, backup encryption, or object-store encryption.
In-transit encryption uses TLS for client-server traffic and mTLS when both sides authenticate each other.
Key management, certificate lifecycle, and access control are as important as the encryption algorithm.
Hands-on example
Checklist:
- Enable S3 SSE-KMS, EBS encryption by default, RDS encryption, and encrypted backups.
- Expose TLS-only listeners and set HSTS for web apps.
- Require mTLS for internal service-mesh traffic.
- Automate certificate rotation through cert-manager or the cloud provider.
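As an added example (not from the original page), the AWS items of this checklist expressed in Terraform: a rotated KMS key, bucket-default SSE-KMS, a TLS-only bucket policy, region-wide EBS encryption, and an HTTPS-only load-balancer listener. `var.alb_arn`, `var.acm_certificate_arn` and `var.target_group_arn` are assumed input variables and the bucket name is a placeholder; RDS encryption and service-mesh mTLS are not shown.

```hcl
# Customer-managed key with automatic rotation: key management is part of encryption at rest.
resource "aws_kms_key" "data" {
  enable_key_rotation = true
}
# At rest: bucket-default SSE-KMS, so objects written without encryption headers are still encrypted.
resource "aws_s3_bucket" "data" {
  bucket = "example-data-bucket" # placeholder name
}
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
  }
}

# In transit: deny any S3 request that did not arrive over TLS.
resource "aws_s3_bucket_policy" "tls_only" {
  bucket = aws_s3_bucket.data.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.data.arn, "${aws_s3_bucket.data.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}

# At rest: every new EBS volume in this region is encrypted without per-volume opt-in.
resource "aws_ebs_encryption_by_default" "region" {
  enabled = true
}

# In transit: HTTPS-only listener with a TLS 1.2/1.3 policy; ACM renews the certificate automatically.
resource "aws_lb_listener" "https" {
  load_balancer_arn = var.alb_arn             # assumed input variable
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_certificate_arn # assumed input variable
  default_action {
    type             = "forward"
    target_group_arn = var.target_group_arn   # assumed input variable
  }
}
```

The bucket policy is the piece most often forgotten: SSE-KMS protects the stored object, but only the `aws:SecureTransport` deny prevents a client from fetching it over plain HTTP.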