[clue] Securing data in transit/at rest.

[David L. Anselmi]

Quentin Hartman wrote:
> Just to pile on from Aaron, many people refer to this as the distinction
> between "security in transit" and "security at rest". They are useful
> phrases for talking about this sort of thing. Ideally you really want to
> have both, but whether or not it matters for your application is unknown.

So I have a file to send you.  It will go on your server using an account that I can log in to.  You 
have complete and sole control over the server and every right to the data in the file.  You have 
contracted with me to keep the file secret from everyone.

My concern is the file's confidentiality from everyone except you.

Does that make sense?

Given the above, why do I care whether the file is encrypted (at rest on your end)?  (Obviously it 
has to be encrypted in transit.)

So you might say that other people could have access to the files on your server (perhaps it's 
hosted by someone else, or you might worry that it could be compromised some day).  In that case 
encrypting the file keeps it away from those other people (as long as you keep your key secure).

But then encrypting the file is *your* requirement, not mine.  To me, the file is equally secure 
whether I encrypt it or not because I'm giving it to you alone and you're going to keep it secret 
(per our contract).

Is that reasonable?  Or should we argue about it tomorrow night? :-)

Dave