Data encryption is the last line of defense — even if attackers breach your perimeter, properly encrypted data remains unreadable without the decryption keys. This guide covers both encryption at rest (protecting stored data) and encryption in transit (protecting data moving across networks).
Encryption at Rest
1. Full Disk Encryption with LUKS
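# Encrypt a partition
# DESTRUCTIVE: luksFormat overwrites the LUKS header and makes any existing data on
# /dev/sdb1 unrecoverable — confirm the device with `lsblk` before running it.
sudo cryptsetup luksFormat /dev/sdb1
# Unlock it as /dev/mapper/encrypted_data, create a filesystem, and mount it.
sudo cryptsetup open /dev/sdb1 encrypted_data
sudo mkfs.ext4 /dev/mapper/encrypted_data
sudo mkdir -p /mnt/secure
sudo mount /dev/mapper/encrypted_data /mnt/secure
# Add to /etc/crypttab for auto-mount
# `echo ... >> /etc/crypttab` fails with "Permission denied": the redirection is
# done by the unprivileged shell, not by sudo. Write through `sudo tee -a` instead.
# "none" = prompt for the passphrase at boot. UUID= is used rather than /dev/sdb1
# because device letters can change between boots when disks are added/removed.
echo "encrypted_data UUID=$(sudo blkid -s UUID -o value /dev/sdb1) none luks" | sudo tee -a /etc/crypttab
# Add a backup key
# Prompts for an existing passphrase, then the new one; each passphrase occupies a
# separate key slot, so a lost passphrase can be retired later with luksKillSlot.
sudo cryptsetup luksAddKey /dev/sdb1
# Check LUKS header info (cipher, key size, which key slots are in use)
sudo cryptsetup luksDump /dev/sdb1
# Benchmark encryption performance of the available ciphers on this CPU
sudo cryptsetup benchmark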
2. File-Level Encryption with GPG
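# Generate a GPG key pair (interactive)
gpg --full-generate-key --expert
# Choose: ECC (Curve 25519), 0 = no expiration
# A non-expiring key stays valid indefinitely if it leaks and the revocation
# certificate is not published; an expiry can be set or extended later with
# `gpg --edit-key <key-id>` and the "expire" command.
# Encrypt a file for a recipient (their public key must already be in the keyring)
gpg --encrypt --recipient admin@company.com sensitive-data.tar.gz
# Decrypt
# --output instead of a shell redirect: with `> file` the shell creates the plaintext
# file before gpg runs, so a failed decryption leaves an empty/partial file behind.
gpg --output sensitive-data.tar.gz --decrypt sensitive-data.tar.gz.gpg
# Symmetric encryption (password-based); the passphrase is the only secret, so it
# must be strong and must not be passed on the command line (shell history).
gpg --symmetric --cipher-algo AES256 backup.tar.gz
# Batch encryption of multiple files
# --batch --yes: no prompts, overwrite existing *.gpg outputs.
# The plaintext originals are left in place — remove them deliberately afterwards
# if the goal is at-rest protection.
find /data/sensitive -type f -name "*.sql" \
    -exec gpg --batch --yes --encrypt --recipient admin@company.com {} \;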
3. Database Encryption
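# PostgreSQL: Enable SSL connections
# postgresql.conf
# String values in postgresql.conf are single-quoted; the double-quoted form is
# rejected by the configuration parser.
ssl = on
ssl_cert_file = '/etc/ssl/certs/server-cert.pem'
# The key file must be readable only by the server user (or root:postgres 0640);
# PostgreSQL refuses to start with a world/group-readable key.
ssl_key_file = '/etc/ssl/private/server-key.pem'
# TLS 1.3 only (parameter exists from PostgreSQL 12). Drivers that cannot speak
# TLS 1.3 will fail to connect — verify client libraries before rolling this out.
ssl_min_protocol_version = 'TLSv1.3'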
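# pg_hba.conf - Force SSL for all connections
# A "hostssl" line only *matches* TLS connections; it does not by itself refuse
# cleartext ones — any plain "host" line elsewhere in the file would still accept
# them. Reject non-TLS explicitly, cover IPv6 as well, and keep these lines above
# any broader rules (pg_hba.conf is evaluated top-down, first match wins).
# 0.0.0.0/0 and ::/0 mean "from anywhere"; narrow to the client networks if possible.
hostnossl all all 0.0.0.0/0 reject
hostnossl all all ::/0      reject
hostssl   all all 0.0.0.0/0 scram-sha-256
hostssl   all all ::/0      scram-sha-256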
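-- Column-level encryption with pgcrypto
CREATE EXTENSION IF NOT EXISTS pgcrypto;
-- Encrypt sensitive data
-- Single quotes are mandatory: in PostgreSQL "double quotes" delimit identifiers,
-- so "user@example.com" would be parsed as a column reference and the statement fails.
-- The passphrase literal (and the plaintext SSN) are part of the statement text and
-- will appear in server logs (log_statement, slow-query logging) and client history.
-- Pass them as bound parameters from the application, and note that a key stored
-- alongside the data protects against stolen disks/backups, not against a
-- compromised database session that can run pgp_sym_decrypt itself.
INSERT INTO users (email, ssn_encrypted) VALUES (
    'user@example.com',
    pgp_sym_encrypt('123-45-6789', 'encryption_key')
);
-- Decrypt
-- The ::bytea cast is only needed if ssn_encrypted is not already a bytea column.
SELECT pgp_sym_decrypt(ssn_encrypted::bytea, 'encryption_key') AS ssn
FROM users;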
Encryption in Transit
4. TLS Configuration for Nginx
# /etc/nginx/conf.d/ssl-hardened.conf
# TLS 1.3 suites are fixed by the library and not affected by ssl_ciphers;
# the list below only governs TLS 1.2 and allows AEAD + ECDHE (forward secrecy) only.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
# With only strong suites offered, letting the client choose ("off") is fine and
# lets it pick hardware-accelerated ciphers; "on" only matters if weak suites are listed.
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
# Server-side session cache (~4000 sessions per MB); resumption state never leaves the host.
ssl_session_cache shared:SSL:10m;
# Tickets off: nginx does not rotate its ticket key automatically, so long-lived
# ticket keys would weaken forward secrecy across resumed sessions.
ssl_session_tickets off;
# OCSP stapling. For ssl_stapling_verify to work nginx also needs the issuer chain via
# ssl_trusted_certificate and a `resolver` directive to reach the OCSP responder;
# without them stapling is not performed — confirm with `openssl s_client -status`.
ssl_stapling on;
ssl_stapling_verify on;
# HSTS
# 63072000 s = 2 years. "preload" enrols the domain in a browser-shipped list that is
# slow and hard to leave; only add it once every subdomain serves HTTPS.
# Note: an add_header inside a location block replaces all inherited add_header lines,
# so this header must be repeated (or included) in such locations.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Certificate with Let's Encrypt
# certbot --nginx edits the matching server block in place and inserts its own
# ssl_* settings; review the resulting block so they do not duplicate or override
# the hardened directives above.
certbot --nginx -d example.com -d www.example.com
# Test SSL configuration (external scan — only for internet-facing hosts)
# https://www.ssllabs.com/ssltest/
5. WireGuard VPN Tunnel
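# Install WireGuard
sudo apt install wireguard
# Generate keys
# umask 077 first: without it the private key is created with the default (usually
# world-readable) file mode.
umask 077
wg genkey | tee server-private.key | wg pubkey > server-public.key
# Server configuration
# /etc/wireguard is root-only, so a plain `cat > /etc/wireguard/wg0.conf` redirect,
# which runs as the unprivileged user, fails; write through `sudo tee` instead.
# The heredoc is deliberately unquoted so $(cat server-private.key) is expanded.
sudo tee /etc/wireguard/wg0.conf > /dev/null << EOF
[Interface]
Address = 10.10.0.1/24
PrivateKey = $(cat server-private.key)
ListenPort = 51820
# These rules only allow forwarding on wg0; IP forwarding (net.ipv4.ip_forward) and
# any NAT for peers reaching other networks must be configured separately.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
# AllowedIPs is also an ACL: packets from this peer with any other source IP are dropped.
AllowedIPs = 10.10.0.2/32
EOF
# The config embeds the private key: keep it root-only and remove the loose copy
# (shred is best-effort on journaling/copy-on-write filesystems).
sudo chmod 600 /etc/wireguard/wg0.conf
shred -u server-private.key
# Start VPN
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0
# Verify connection (latest handshake / transfer counters per peer)
sudo wg show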
6. Mutual TLS (mTLS) for Services
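# Generate CA
# umask 077 so every *-key.pem is created 0600. -nodes leaves ca-key.pem unencrypted:
# anyone who can read it can issue certificates the services will trust, so either
# drop -nodes (passphrase-protect it) or move it offline once the certs are issued.
umask 077
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -keyout ca-key.pem -out ca-cert.pem -days 365 -nodes \
    -subj "/CN=Internal CA"
# Generate server certificate
openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -keyout server-key.pem -out server-csr.pem -nodes \
    -subj "/CN=api.internal"
# A subjectAltName is required: browsers and Go reject CN-only certificates, and other
# stacks are dropping the CN fallback, so a cert without SAN will fail hostname checks.
openssl x509 -req -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem \
    -CAcreateserial -out server-cert.pem -days 90 \
    -extfile <(printf "subjectAltName=DNS:api.internal")
# Generate client certificate
openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -keyout client-key.pem -out client-csr.pem -nodes \
    -subj "/CN=webapp"
# clientAuth EKU: some servers reject client certs that do not carry it.
openssl x509 -req -in client-csr.pem -CA ca-cert.pem -CAkey ca-key.pem \
    -CAcreateserial -out client-cert.pem -days 90 \
    -extfile <(printf "extendedKeyUsage=clientAuth")
# Test mTLS connection
# --cacert restricts trust to the internal CA for this call. This only proves mutual
# auth if the server is configured to *require* and verify client certificates
# against ca-cert.pem; a server that merely offers TLS would also answer here.
curl --cert client-cert.pem --key client-key.pem \
    --cacert ca-cert.pem https://api.internal:8443/health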