Data In Transit


Data In Transit is one of the Data States for data and describes data that is being transmitted.

Encryption of Data In Transit#

Encryption of Data In Transit happens on the 3rd, 5th, 6th and 7th layer of the OSI-Model.


  • layer 3 is information system independent (at least, it should be)
  • layer 5 through 7 are more depended on what mechanism is chosen in the application layer.
Important here is to know that they are different.

When applying IPsec for IPv4 or IPv6 in your network configuration you will encrypt the payload of every IP-packet. The header of every IP-packet is, for obvious reasons of delivery of the payload, not encrypted. There are also two modus of operandi here. One is host-to-host and the other one is gateway-to-gateway. I tend to say to go for host-to-host whenever possible as the route of encryption is the longest there. IPsec secures your data against unauthorized access on the wire. But anyone that is authorized to the network can see the data (makes sense I guess).

Transport Layer Security (TLS) is probably the best known Protocol to encrypt Data In Transit. TLS takes residence in the presentation and application layer.

TLS is used in HTTP connections (the best known are the web-browsers), known as HTTPS and it is used for FTPS. Do not mistake this with sFTP which uses Secure Shell (SSH) to encrypt the data. SSH has some weaknesses prior to version 2. Secure Socket Layer SSL and every version of it is considered insecure, just as TLS 1.0 and TLS 1.1 are. Do not use those protocols anymore!

In summary, TLS 1.2 and SSH version 2 are safe to use. Therefore HTTPS, FTPS and sFTP and other protocols based on TLS and SSH are also safe to use.

There is also the phenomenon of VPN Virtual Private Network Tunneling on layer 2, 3 and 7. In general every VPN tunnel is insecure when additional security measures are not taken. If you do not trust the underlying network of the VPN tunnel (for instance, the Internet), then you will have to take security measures in the VPN tunnel itself. These measures can be protocols like IPsec in conjunction to Layer 2 Tunneling Protocol (L2TP) or the use of TLS and SSH.

More Information#

There might be more information for this subject on one of the following: