What is Encryption in Transit?
Encryption in transit is the practice of encrypting data as it travels between two systems across a network, typically implemented via TLS (Transport Layer Security) or its predecessor SSL, to prevent eavesdropping and tampering.
When data moves across a network — whether the public internet, a corporate LAN, or a cloud provider's internal network — it passes through routers, switches, load balancers, and potentially malicious intermediaries. Without encryption in transit, anyone who can observe the network traffic can read and potentially modify the data.
TLS (commonly seen as HTTPS for web traffic) is the standard protocol for encryption in transit. It establishes an encrypted channel between a client and server using asymmetric key exchange, then transmits data using fast symmetric encryption. TLS protects against passive eavesdropping, active man-in-the-middle attacks, and data tampering.
However, standard TLS encryption in transit has a limitation: the server decrypts the data upon receipt. This means the server operator can read everything. For truly sensitive data, encryption in transit should be combined with end-to-end encryption, so the data remains encrypted even after it reaches the server.
How Vaulted uses Encryption in Transit
Vaulted provides two layers of transit protection. First, all communication between your browser and Vaulted's server uses HTTPS/TLS, encrypting the network channel. Second — and more importantly — the data itself is encrypted client-side with AES-256-GCM before it enters the TLS channel. So even if TLS were somehow compromised, an attacker would capture only ciphertext that they cannot decrypt without the key from the URL fragment.