

# Encryption in transit
<a name="encryption-in-transit"></a>

Amazon IoT Greengrass has two modes of communication where data is in transit:
+ [Data in transit over the internet](#data-in-transit-internet). Communication between a Greengrass core and Amazon IoT Greengrass over the internet is encrypted.
+ [Data on the core device](#data-in-transit-locally). Communication between components on the Greengrass core device is not encrypted.

## Data in transit over the internet
<a name="data-in-transit-internet"></a>

Amazon IoT Greengrass uses Transport Layer Security (TLS) to encrypt all communication over the internet. All data sent to the Amazon Web Services Cloud is sent over a TLS connection using the MQTT or HTTPS protocol, so it is secure by default. Amazon IoT Greengrass uses the Amazon IoT transport security model. For more information, see [Transport security](https://docs.amazonaws.cn/iot/latest/developerguide/transport-security.html) in the *Amazon IoT Core Developer Guide*.

## Data on the core device
<a name="data-in-transit-locally"></a>

Amazon IoT Greengrass doesn't encrypt data exchanged locally on the Greengrass core device because the data doesn't leave the device. This includes communication between user-defined components, the Amazon IoT Device SDK, and public components, such as stream manager.