What is data encryption at rest and in transit?
Answer
Encryption at rest protects stored data — files, databases, backups — from unauthorized access if the physical media is stolen or the storage system is compromised. Common implementations:

Full disk encryption (BitLocker, LUKS) — encrypts the entire drive.
Database encryption (TDE, Transparent Data Encryption, in SQL Server/PostgreSQL).
File-level encryption.
Object storage encryption (AWS S3 SSE).

Encryption in transit protects data moving over a network from interception or tampering. Common implementations:

TLS/HTTPS for web traffic.
SSH for remote administration.
SFTP/FTPS for file transfer.
VPN for network tunnels.
TLS for database connections (always enable SSL/TLS for database connections, even on internal networks).

Both are required by most compliance frameworks (PCI-DSS, HIPAA, GDPR). Encryption at rest alone does not protect against a compromised system that is already running, because the data is decrypted for use once the system is up; combine it with access controls.