Encryption levels — SY0-701
Learn the three encryption levels — at rest, in transit, in use — for CompTIA Security+ SY0-701, with NIST-grounded definitions and the key exam trap.
WHAT IT IS
Encryption is "the cryptographic transformation of data to produce ciphertext" (NIST CNSSI 4009-2015, from ISO/IEC 7498-2). The term encryption levels — as tested in CompTIA Security+ Domain 1, Task 1.4 — refers to where in a system that transformation is applied: to data while it is stored (at rest), while it is moving across a network (in transit), or while it is actively being processed (in use). Each level calls for a different technical control; selecting the wrong level leaves data exposed in the gaps where the chosen control does not operate.
Mental model
Think of data as a physical document. Locking it in a safe protects it at rest. Sealing it in a tamper-evident courier bag protects it in transit. Protecting it while someone reads it on their desk — so a bystander cannot see it — is the in-use problem, which traditional encryption does not solve. The level describes which desk, bag, or safe is being secured.
When to use it
| Level | What is protected | Typical controls (grounded in NIST usage) | What it does NOT protect |
|---|---|---|---|
| At rest | Stored data — on disk, tape, or removable media | Full disk encryption (FDE); volume encryption; file/folder encryption | Data once it leaves storage and is in active use in memory |
| In transit | Data moving between systems across a network | Transport Layer Security (TLS), described by NIST SP 800-57 Part 2 Rev. 1 as "an authentication and security protocol widely implemented in browsers and web servers" | Data after it is written to storage at the destination |
| In use | Data actively loaded into memory and being processed | Hardware-based confidential-computing approaches (an active area of standards work; controls here are not the same as for the other two levels) | Data once it is written back to storage or sent over the network |
Key decision trigger on the exam: match the threat scenario to the gap the control does not cover. A laptop protected by FDE is protected at rest, but its decrypted contents in memory are not protected by that same control once the system is booted and unlocked.
COMMON MISCONCEPTION
The specific trap is conflating encryption in transit with end-to-end protection. TLS — which NIST SP 800-63-4 defines as a protocol that "delivers confidentiality, server-side certificate authentication, and client-side certificate authentication" — protects data between two communicating endpoints. It does not protect that data once it is decrypted and written to disk at the receiving end, and it does not protect data in memory at either endpoint. Candidates who reason "the data is encrypted with TLS, so it is protected" miss that TLS is a single-level control applied only while the data is in motion between those two specific endpoints.
A second common error is treating encryption as a complete security solution independent of key management. NIST SP 800-57 Part 1 Rev. 5 defines key management as "the activities involving the handling of cryptographic keys and other related security parameters during the entire life cycle of the keys." The cryptographic transformation is only as trustworthy as the handling of the key that controls it — a fact that exam scenarios about improperly stored or shared keys are designed to test.
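The lifecycle the table and the two misconceptions above describe, as an added example written for this page (it is not CompTIA, NIST or any product's code): a Go program that moves one record through all three levels and reports at which stage a plaintext copy exists. AES-256-GCM from Go's standard library stands in for both the FDE/volume key and the TLS session key; it models only the confidentiality and integrity each control provides at its own level, not the TLS handshake itself. The record, the fixed keys and the function names (seal, unseal, Lifecycle, RunDemo, TamperDetected) are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key; the random nonce is prepended to the
// returned blob so unseal can recover it.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal and fails if the blob was modified (GCM tag check).
func unseal(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Exposure records, per stage, whether a plaintext copy is observable there.
type Exposure struct {
	SenderDisk     bool // at rest on the sender, under the storage key
	SenderMemory   bool // in use on the sender
	Wire           bool // in transit, under the session key
	ReceiverMemory bool // in use on the receiver
	ReceiverDisk   bool // at rest on the receiver
}

// Lifecycle walks one record through all three levels. storageKey plays the
// FDE/volume key, sessionKey the TLS session key. With receiverReseals false
// the receiver writes what it decrypted straight to disk: the gap TLS leaves.
func Lifecycle(record, storageKey, sessionKey []byte, receiverReseals bool) (Exposure, error) {
	var e Exposure
	leaks := func(stage []byte) bool { return bytes.Contains(stage, record) }

	senderDisk, err := seal(storageKey, record) // at rest on the sender
	if err != nil {
		return e, err
	}
	e.SenderDisk = leaks(senderDisk)

	inUse, err := unseal(storageKey, senderDisk) // in use: at-rest control ends here
	if err != nil {
		return e, err
	}
	e.SenderMemory = leaks(inUse)

	wire, err := seal(sessionKey, inUse) // in transit: a separate key, a separate control
	if err != nil {
		return e, err
	}
	e.Wire = leaks(wire)

	received, err := unseal(sessionKey, wire) // in use again at the receiver
	if err != nil {
		return e, err
	}
	e.ReceiverMemory = leaks(received)

	receiverDisk := received // at rest on the receiver: TLS says nothing about this stage
	if receiverReseals {
		if receiverDisk, err = seal(storageKey, received); err != nil {
			return e, err
		}
	}
	e.ReceiverDisk = leaks(receiverDisk)
	return e, nil
}

// RunDemo uses constructed keys (fixed bytes, for illustration only; real keys
// come from a key-management process, never from source code).
func RunDemo(receiverReseals bool) (Exposure, error) {
	record := []byte("patient-id=4711;note=constructed-sample-record")
	storageKey := bytes.Repeat([]byte{0x11}, 32) // constructed 256-bit key
	sessionKey := bytes.Repeat([]byte{0x22}, 32) // constructed 256-bit key
	return Lifecycle(record, storageKey, sessionKey, receiverReseals)
}

// TamperDetected shows the "tamper-evident bag" property: flipping one byte of
// a sealed blob makes unseal fail rather than return altered plaintext.
func TamperDetected() (bool, error) {
	key := bytes.Repeat([]byte{0x33}, 32) // constructed key
	blob, err := seal(key, []byte("constructed message"))
	if err != nil {
		return false, err
	}
	blob[len(blob)-1] ^= 0x01
	_, err = unseal(key, blob)
	return err != nil, nil
}

func main() {
	for _, reseal := range []bool{false, true} {
		e, err := RunDemo(reseal)
		if err != nil {
			panic(err)
		}
		fmt.Printf("receiver re-encrypts at rest=%v -> %+v\n", reseal, e)
	}
	tampered, _ := TamperDetected()
	fmt.Println("tamper detected:", tampered)
}
```

Running it prints two Exposure rows: both in-use stages hold plaintext whatever the configuration, and the receiver's disk holds plaintext unless the receiver applies its own at-rest control. The storage key and session key are deliberately different objects, which is the key-management point: each level is controlled by its own key with its own life cycle, and protecting one says nothing about the other.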
How it shows up on the exam
The cognitive target is application: given a scenario describing where data is vulnerable, candidates must identify which encryption level addresses that gap — or recognize that the control described does not address the described threat.
Signal phrases to watch for:
- "data stored on a laptop" or "lost USB drive" — at-rest controls are in scope
- "intercepted on the network" or "packet capture" — in-transit controls are in scope
- "data is being processed" or "loaded into memory" — in-use is the gap; candidates often confuse this with at-rest protection
A common misconception exploited in scenario questions is assuming that enabling one level of encryption automatically covers the other levels. Each level is an independent control boundary.
Related concepts
- Public Key Infrastructure — the trust framework that underpins certificate-based authentication used in in-transit encryption protocols
- Symmetric Encryption — the key type typically used for bulk data encryption at rest and in transit
- Asymmetric Encryption — the key type used for key exchange and authentication in protocols like TLS
Sources
Every claim on this page traces to the public exam blueprint and official documentation: