

# Data encryption in Amazon IoT SiteWise
<a name="data-encryption"></a>

Data encryption refers to protecting data while in transit (as it travels to and from Amazon IoT SiteWise, and between SiteWise Edge gateways and servers) and at rest (while it is stored on local devices or in Amazon services). You can protect data in transit using Transport Layer Security (TLS) or at rest using client-side encryption.

**Note**  
Amazon IoT SiteWise edge processing exposes APIs that are hosted within SiteWise Edge gateways and accessible over the local network. These APIs are exposed over a TLS connection backed by a server certificate owned by the Amazon IoT SiteWise Edge connector. For client authentication, these APIs use an access-control password. The server certificate's private key and the access-control password are both stored on disk. Amazon IoT SiteWise edge processing relies on file-system encryption for the security of these credentials at rest.

For more information about server-side encryption and client-side encryption, review the topics listed below.

**Topics**
+ [Encryption at rest in Amazon IoT SiteWise](encryption-at-rest.md)
+ [Data encryption in transit for Amazon IoT SiteWise](encryption-in-transit.md)
+ [Key management in Amazon IoT SiteWise](key-management.md)