
What Is Data In-Use Encryption?


Key takeaways

  • “Data in use” refers to data actively processed by applications in memory or CPU registers
  • Traditional encryption protects data at rest and data in transit but often leaves data exposed during processing
  • Data in use encryption protects sensitive information while it is actively being processed
  • Technologies such as trusted execution environments, homomorphic encryption, and secure multiparty computation enable encrypted processing
  • Encryption in use helps organizations secure sensitive customer data, support compliance requirements, and protect cloud workloads


What is data in use encryption?

Data in use encryption protects data while it is actively being processed in memory, CPU registers, or secure execution environments.

Organizations generate and process enormous volumes of data every day. That data moves across networks, sits in storage systems, and is actively processed by applications and users. Security strategies typically focus on protecting data at rest and data in transit, yet the moment data is actively being processed often presents the greatest exposure.

As more workloads move to cloud infrastructure and distributed systems, protecting data in use has become a key component of modern data security.

This guide explains what data in use encryption is, how it works, and why it is becoming increasingly important for organizations that handle sensitive data.

What is data in use?

Data in use refers to data that is actively being processed by an application or system. Unlike data stored on disk or transmitted across a network, this data resides temporarily in memory or CPU registers where programs can read and manipulate it.

Examples of data in use include:

  • A database query processing sensitive customer data
  • An application analyzing financial records
  • A machine learning model processing encrypted datasets
  • A web service generating reports from stored data

In traditional systems, data must be decrypted before it can be processed. Once decrypted, the plaintext data exists in system memory, creating a potential vulnerability.

Why data in use requires protection

Historically, encryption focused on two primary states of data:

  • Data at rest, protected by disk and database encryption
  • Data in transit, protected by protocols such as TLS

These protections are essential. However, during active processing, sensitive information often exists in plaintext within memory.

Attackers who gain system-level access may attempt to extract this information through methods such as:

  • Memory scraping
  • Cold boot attacks
  • Compromised operating systems
  • Insider threats
  • Exploits targeting cloud infrastructure

Because data in use is temporarily decrypted during processing, it can become a prime target.

Data in use encryption technologies aim to close this security gap.

How does data in use encryption protect data?

Data in use encryption protects data while it is actively being processed by applications. Instead of exposing plaintext data to the operating system or other processes, secure environments allow computations to occur while the underlying data remains encrypted.

This approach reduces the risk that sensitive information can be accessed or extracted during processing.

Modern implementations rely on specialized hardware features, encryption schemes, or collaborative cryptographic techniques that allow secure processing without exposing the underlying data.

The three states of data

Understanding data in use encryption requires understanding the three states in which data exists.

Data at rest

Data at rest refers to stored data on a storage medium such as databases, cloud backups, or disk drives. Technologies such as disk encryption and full disk encryption protect this state.

Data in transit

Data in transit refers to data moving between systems over a network. Encryption protocols such as TLS secure communications across private networks and public cloud infrastructure.

Data in use

Data in use refers to data actively being processed by software or hardware. Protecting this state requires specialized techniques that allow secure processing without exposing plaintext data.

Each state requires different security controls.

How data in use encryption works

Data in use encryption relies on a combination of hardware, software, and cryptographic techniques.

The goal is to perform operations on encrypted data or within secure environments that prevent unauthorized access.

Common approaches include:

  • Queryable encryption, which allows applications to run keyword searches and other queries over encrypted data without decrypting it on the server
  • Trusted execution environments (TEEs), which run code inside isolated CPU enclaves where data is decrypted only within the enclave
  • Memory encryption, which encrypts data in RAM using keys managed by the processor
  • Homomorphic encryption, which allows computations to be performed directly on ciphertext
  • Secure multiparty computation (MPC), a cryptographic approach in which multiple parties jointly compute a function without revealing their private inputs to each other
  • Format-preserving encryption (FPE), which encrypts information while preserving its original format, allowing compatibility with legacy systems
  • Data tokenization, which replaces sensitive data with tokens and performs computations on those tokens within secure environments

Each approach offers different tradeoffs between security, performance, and complexity.
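To make the homomorphic approach concrete, here is an added example (not code from the page or from MongoDB) of additively homomorphic Paillier encryption: the client encrypts amounts, an untrusted server adds them while holding only ciphertexts and the public key, and only the client can decrypt the total. The primes are fixed toy values chosen for the demonstration; a real deployment would use properly generated 1024-bit or larger primes.

```python
import math
import secrets

def paillier_keygen(p: int, q: int):
    """Build a Paillier key pair from two distinct primes (toy sizes; see lead-in)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1                                          # standard generator choice
    n2 = n * n
    # mu = (L(g^lambda mod n^2))^-1 mod n, where L(x) = (x - 1) // n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)

def encrypt(pub, m: int) -> int:
    """Randomized encryption: the same m yields a different ciphertext on every call."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1   # blinding factor in [1, n-1], coprime to n
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2

def decrypt(pub, priv, c: int) -> int:
    """Recover m = L(c^lambda mod n^2) * mu mod n; requires the private key."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return ((pow(c, lam, n2) - 1) // n * mu) % n

def add_ciphertexts(pub, c1: int, c2: int) -> int:
    """Server side: multiplying two ciphertexts adds the hidden plaintexts."""
    n, _ = pub
    return (c1 * c2) % (n * n)

def scale_ciphertext(pub, c: int, k: int) -> int:
    """Server side: raising a ciphertext to a public constant k multiplies the plaintext by k."""
    n, _ = pub
    return pow(c, k, n * n)

def encrypted_total(pub, priv, amounts) -> int:
    """Client encrypts each amount; the server sums the ciphertexts without the private key;
    only the client decrypts the aggregate. Plaintext sums must stay below n."""
    total_ct = encrypt(pub, 0)
    for amount in amounts:
        total_ct = add_ciphertexts(pub, total_ct, encrypt(pub, amount))
    return decrypt(pub, priv, total_ct)
```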

 

The following summary lists each approach, what it does, and its main benefit.

Queryable Encryption
  • What it does: Encrypts sensitive fields on the client while still allowing expressive queries (equality, range, prefix/suffix/substring) on the server without exposing plaintext.
  • Main benefit: Strong end-to-end protection (in transit, at rest, and in use) with practical queryability.

Trusted Execution Environments (TEEs)
  • What it does: Runs code inside isolated CPU enclaves where data is decrypted only within the enclave; the OS and other applications cannot inspect it.
  • Main benefit: Protects computations even if the OS or hypervisor is compromised.

Memory Encryption
  • What it does: Encrypts data in RAM; encryption keys are managed by the processor.
  • Main benefit: Reduces risk from direct memory scraping, especially in multi-tenant/cloud environments.

Homomorphic Encryption
  • What it does: Allows computations directly on ciphertext so results decrypt correctly without exposing data during processing.
  • Main benefit: Strong privacy during computation; fully homomorphic variants support arbitrary logic but are still very slow.

Secure Multiparty Computation (MPC)
  • What it does: Lets multiple parties jointly compute on their private inputs without revealing them to each other; widely used alongside MPC key management in finance.
  • Main benefit: Enables cross-organization analytics and collaboration without sharing raw data.
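The MPC row above describes parties computing jointly on private inputs; the following added example (not from the page or from MongoDB) shows the simplest such protocol, additive secret sharing: each input owner splits its value into random shares across several computation servers, each server adds the shares it holds, and only the combined result reveals the total. The field prime and the weighted-sum use case are choices made for this illustration.

```python
import secrets

PRIME = 2**61 - 1  # shares are elements of Z_p; inputs and their sum must stay below PRIME

def share(value: int, n_parties: int) -> list:
    """Split value into n_parties additive shares that sum to value mod PRIME.
    Every share but the last is uniformly random, so any n_parties - 1 of them
    are statistically independent of value."""
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares

def reconstruct(shares) -> int:
    """The secret reappears only when all shares are combined."""
    return sum(shares) % PRIME

def secure_weighted_sum(inputs, weights, n_servers: int) -> int:
    """Each input owner splits its private value across n_servers computation servers.
    Each server applies the public weights and adds the shares it holds, never seeing
    any single input. Combining the servers' partial results reveals only the weighted
    total; privacy holds as long as not all servers collude."""
    held = [[] for _ in range(n_servers)]  # held[j]: shares delivered to server j
    for value in inputs:
        for j, s in enumerate(share(value, n_servers)):
            held[j].append(s)
    # Local computation at each server: linear functions work share-by-share
    partials = [sum(w * s for w, s in zip(weights, srv)) % PRIME for srv in held]
    return reconstruct(partials)

def secure_sum(inputs, n_servers: int) -> int:
    """Plain aggregate across organizations, e.g. total exposure without sharing positions."""
    return secure_weighted_sum(inputs, [1] * len(inputs), n_servers)
```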

Queryable Encryption

Queryable Encryption is a bleeding-edge technology in which data is encrypted on the client side and stored on the server as fully randomized ciphertext. Its key advantage is that applications can still run expressive queries on that encrypted data.

Benefits of data in use encryption

Organizations adopt data in use encryption for several key reasons.

Protect sensitive data during processing

Sensitive customer data often passes through multiple systems during processing. Protecting data in use reduces the risk of exposure during these operations.

Enable secure cloud adoption

Cloud providers manage the underlying infrastructure for many workloads. Encryption in use helps ensure that sensitive information remains protected even in shared environments.

Support regulatory compliance

Many international data regulations require strict controls around sensitive information. Protecting data during processing helps organizations meet compliance requirements.

Reduce insider threats

Even authorized users may not require access to underlying data values. Encryption in use can limit exposure while still enabling analysis.

Challenges of data in use encryption

Despite its advantages, data in use encryption introduces several technical challenges.

  1. Performance overhead: Some encryption schemes, particularly fully homomorphic encryption, require significant computational resources.
  2. Complexity: Implementing secure processing environments often requires specialized infrastructure, hardware support, and careful system design.
  3. Legacy systems: Older applications may not support secure processing environments or advanced encryption schemes. Modernizing systems to support encryption in use may require architectural changes.

Common use cases

Data in use encryption is increasingly used in environments that handle sensitive information.

Common examples include:

  • Financial services processing confidential transactions
  • Healthcare systems analyzing sensitive medical records
  • Cloud analytics platforms processing encrypted datasets
  • AI training systems handling sensitive data
  • Collaborative research environments combining proprietary datasets

In each case, organizations want to protect the underlying data while still enabling analysis.

Data in use encryption in cloud infrastructure

Public cloud adoption has accelerated interest in encryption in use.

Cloud infrastructure allows organizations to scale data processing, but it also introduces additional trust boundaries.

Encryption in use can help organizations:

  • Protect sensitive information stored in public cloud systems
  • Reduce the risk of unauthorized access by infrastructure operators
  • Enable confidential computing workloads

Confidential computing platforms combine hardware-based security with encrypted processing environments to protect data throughout its lifecycle.

Best practices for protecting data in use

Organizations implementing encryption in use should consider several best practices.

  • Identify sensitive data: Not all data requires the same level of protection. Identify sensitive information such as customer records, intellectual property, or financial data.
  • Implement layered security: Encryption in use should complement other protections including encryption at rest, encryption in transit, and strong identity controls.
  • Use hardware-based security: Trusted execution environments and secure memory technologies provide strong protection with minimal application changes.
  • Monitor and audit data access: Monitoring access to sensitive data helps detect potential misuse or security incidents.

The future of data in use encryption

Advances in confidential computing, cryptographic techniques, and secure hardware are expanding the practical use of encryption in use.

As organizations increasingly rely on cloud services, distributed systems, and AI workloads, protecting data during processing will become more important.

Research in homomorphic encryption and secure multiparty computation continues to improve performance and scalability.

These advances are expected to make encrypted data processing more accessible across industries.

In use encryption with regard to data sovereignty and GDPR

In use encryption is becoming increasingly popular because it also supports compliance with GDPR. By encrypting data on the client with customer-managed keys before it ever reaches the database, and by enabling rich queries on that ciphertext, technologies such as MongoDB Queryable Encryption and CSFLE let organizations enforce strict locality and access controls.

Data can stay logically and jurisdictionally “owned” by the controller even when stored or processed in shared cloud infrastructure.

This directly supports GDPR requirements for data minimization and “appropriate technical and organizational measures” (Article 32), helps reduce exposure in cross-border transfers by ensuring infrastructure providers can’t inspect regulated fields, and gives regulators and auditors a defensible story that only authorized applications—not infrastructure personnel—can ever see personal data in the clear.

Data in use encryption and modern databases

Modern databases increasingly incorporate advanced encryption features to protect sensitive information.

Capabilities such as queryable encryption allow applications to perform queries on encrypted data while limiting exposure of the underlying values.

These technologies help organizations balance strong data protection with application performance and usability.

Combined with encryption at rest and encryption in transit, encryption in use helps create a comprehensive approach to data security.

