- at rest (database, cache, storage, secrets)
- in transit (client traffic and service-to-service traffic)
At-Rest Encryption
- PostgreSQL storage encryption (managed DB encryption or encrypted volumes)
- Redis encryption where the managed service or runtime option supports it
- object storage encryption for cold storage buckets/containers
- encrypted secret backends for credentials and keys
In-Transit Encryption
- TLS 1.2+ for all public endpoints
- internal service encryption where required by policy
- encrypted links to managed Postgres/Redis when available
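A small connection-string audit for the Postgres/Redis items above, added here as an example and not taken from this page or any project's code; it assumes URL-style DSNs using libpq's sslmode/sslrootcert parameters and redis-py's rediss:// scheme with its ssl_cert_reqs query parameter (sample configuration below is constructed).

```python
"""Flag database/cache connection strings that allow plaintext or skip server verification."""
from urllib.parse import urlparse, parse_qs


def check_postgres_dsn(dsn: str) -> list[str]:
    """Return findings for a PostgreSQL URL-style DSN (empty list means acceptable)."""
    url = urlparse(dsn)
    if url.scheme not in ("postgresql", "postgres"):
        return [f"unexpected scheme {url.scheme!r}"]
    params = parse_qs(url.query)
    sslmode = params.get("sslmode", ["prefer"])[0]  # libpq default is 'prefer'
    findings = []
    if sslmode in ("disable", "allow", "prefer"):
        findings.append(f"sslmode={sslmode} permits an unencrypted connection")
    elif sslmode in ("require", "verify-ca"):
        findings.append(f"sslmode={sslmode} encrypts but does not verify the server hostname")
    elif sslmode == "verify-full" and "sslrootcert" not in params:
        # libpq falls back to ~/.postgresql/root.crt; make the CA file explicit in config.
        findings.append("verify-full without sslrootcert depends on ~/.postgresql/root.crt")
    return findings


def check_redis_url(url_str: str) -> list[str]:
    """Return findings for a redis:// or rediss:// URL following redis-py conventions."""
    url = urlparse(url_str)
    if url.scheme == "redis":
        return ["redis:// is plaintext; use rediss:// for a TLS connection"]
    if url.scheme != "rediss":
        return [f"unexpected scheme {url.scheme!r}"]
    cert_reqs = parse_qs(url.query).get("ssl_cert_reqs", ["required"])[0]
    if cert_reqs != "required":
        return [f"ssl_cert_reqs={cert_reqs} disables server certificate verification"]
    return []


def audit_connections(config: dict[str, str]) -> dict[str, list[str]]:
    """Map each logical connection name to its findings, picking the checker by scheme."""
    report = {}
    for name, conn in config.items():
        scheme = urlparse(conn).scheme
        checker = check_redis_url if scheme in ("redis", "rediss") else check_postgres_dsn
        report[name] = checker(conn)
    return report


# Constructed sample configuration (hypothetical hosts, not from any real deployment).
SAMPLE_CONFIG = {
    "primary_db": "postgresql://app@db.internal:5432/app?sslmode=verify-full&sslrootcert=/etc/ssl/db-ca.pem",
    "report_db": "postgresql://app@db.internal:5432/reports?sslmode=require",
    "legacy_db": "postgresql://app@db.internal:5432/old",
    "cache": "rediss://cache.internal:6379/0?ssl_cert_reqs=none",
    "sessions": "redis://cache.internal:6379/1",
}

if __name__ == "__main__":
    for name, findings in audit_connections(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it against the connection strings your deployment actually injects (environment, secret manager output) rather than the sample; an empty findings list per entry is the target state for this checklist item.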
Key Management
- use dedicated secret managers or encrypted Kubernetes (K8s) secret workflows
- rotate encryption/signing keys on a defined schedule
- keep key access restricted to least privilege identities
Best Practices
Deployment hardening checklist and operational controls