0
0
HLDsystem_design~12 mins

Encryption at rest and in transit in HLD - Architecture Diagram

Choose your learning style9 modes available
LearnWhyDeepArchPracticeChallengeDesignRecallScale
System Overview - Encryption at rest and in transit

This system ensures that all data is securely protected both when stored (at rest) and while moving between components (in transit). It uses encryption techniques to prevent unauthorized access and maintain data confidentiality and integrity.

Architecture Diagram
User
  |
  v
Load Balancer
  |
  v
API Gateway
  |
  v
Application Service
  |
  v
Encrypted Database
  ^
  |
Encrypted Cache

Data flows between components are encrypted during transit and data stored in databases and caches is encrypted at rest.
Components
User
client
Initiates requests to the system
Load Balancer
load_balancer
Distributes incoming requests evenly to API Gateway instances
API Gateway
api_gateway
Handles client requests, terminates TLS, and forwards requests securely
Application Service
service
Processes business logic and accesses data securely
Encrypted Database
database
Stores data encrypted at rest to protect from unauthorized access
Encrypted Cache
cache
Stores frequently accessed data encrypted at rest for fast retrieval
Request Flow - 7 Hops
UserLoad Balancer
Load BalancerAPI Gateway
API GatewayApplication Service
Application ServiceEncrypted Cache
Application ServiceEncrypted Database
Application ServiceAPI Gateway
API GatewayUser
Failure Scenario
Component Fails:Encrypted Database
Impact:Data writes fail and fresh reads cannot be served from database; cache can still serve stale encrypted data
Mitigation:Use database replication and failover to maintain availability; cache serves stale data until database recovers
Architecture Quiz - 3 Questions
Test your understanding
Which component is responsible for terminating the encrypted connection from the user?
AApplication Service
BLoad Balancer
CAPI Gateway
DEncrypted Database
Design Principle
This architecture demonstrates the principle of securing data both in transit using TLS encryption and at rest using encryption on storage components. It ensures confidentiality and integrity throughout the data lifecycle while maintaining system availability through caching and replication.