Encryption at rest / in transit

Encryption converts data into a form unreadable without a key. "In transit" protects data moving across networks (that's TLS); "at rest" protects data sitting on disks, databases, and backups so a stolen drive or breached storage bucket yields ciphertext, not records. Most compliance frameworks expect both, and most cloud providers offer at-rest encryption by default — the work is verifying it's on and that keys are managed sensibly.