

End of support notice: On October 7th, 2026, AWS will discontinue support for AWS IoT Greengrass Version 1. After October 7th, 2026, you will no longer be able to access the AWS IoT Greengrass V1 resources. For more information, please visit [Migrate from AWS IoT Greengrass Version 1](https://docs.aws.amazon.com/greengrass/v2/developerguide/migrate-from-v1.html).

# Data encryption
<a name="data-encryption"></a>

AWS IoT Greengrass uses encryption to protect data while in-transit (over the internet or local network) and at rest (stored in the AWS Cloud).

Devices in an AWS IoT Greengrass environment often collect data that's sent to AWS services for further processing. For more information about data encryption on other AWS services, see the security documentation for that service.

**Topics**
+ [Encryption in transit](encryption-in-transit.md)
+ [Encryption at rest](encryption-at-rest.md)
+ [Key management for the Greengrass core device](key-management.md)

# Encryption in transit
<a name="encryption-in-transit"></a>

AWS IoT Greengrass has three modes of communication where data is in transit:
+ [Data in transit over the internet](#data-in-transit-internet). Communication between a Greengrass core and AWS IoT Greengrass over the internet is encrypted.
+ [Data in transit over the local network](#data-in-transit-local-network). Communication between a Greengrass core and client devices over a local network is encrypted.
+ [Data on the core device](#data-in-transit-locally). Communication between components on the Greengrass core device is not encrypted.

## Data in transit over the internet
<a name="data-in-transit-internet"></a>

AWS IoT Greengrass uses Transport Layer Security (TLS) to encrypt all communication over the internet. All data sent to the AWS Cloud travels over a TLS connection using the MQTT or HTTPS protocol, so it is encrypted in transit by default. AWS IoT Greengrass uses the AWS IoT transport security model. For more information, see [Transport security](https://docs.aws.amazon.com/iot/latest/developerguide/transport-security.html) in the *AWS IoT Core Developer Guide*.

## Data in transit over the local network
<a name="data-in-transit-local-network"></a>

AWS IoT Greengrass uses TLS to encrypt all communication over the local network between the Greengrass core and client devices. For more information, see [Supported Cipher Suites for Local Network Communication](gg-sec.md#gg-cipher-suites).

It is your responsibility to protect the local network and private keys.<a name="customer-responsibility-device-security"></a>

For Greengrass core devices, it's your responsibility to:  
+ Keep the kernel updated with the latest security patches.
+ Keep system libraries updated with the latest security patches.
+ Protect private keys. For more information, see [Key management for the Greengrass core device](key-management.md).

For client devices, it's your responsibility to:  
+ Keep the TLS stack up to date.
+ Protect private keys.

## Data on the core device
<a name="data-in-transit-locally"></a>

AWS IoT Greengrass doesn't encrypt data exchanged locally on the Greengrass core device because the data doesn't leave the device. This includes communication between user-defined Lambda functions, connectors, the AWS IoT Greengrass Core SDK, and system components, such as stream manager.

# Encryption at rest
<a name="encryption-at-rest"></a>

AWS IoT Greengrass stores your data:
+ [Data at rest in the AWS Cloud](#data-at-rest-cloud). This data is encrypted.
+ [Data at rest on the Greengrass core](#data-at-rest-device). This data is not encrypted (except local copies of your secrets).

## Data at rest in the AWS Cloud
<a name="data-at-rest-cloud"></a>

AWS IoT Greengrass encrypts customer data stored in the AWS Cloud. This data is protected using AWS KMS keys that are managed by AWS IoT Greengrass.

## Data at rest on the Greengrass core
<a name="data-at-rest-device"></a>

AWS IoT Greengrass doesn't itself encrypt data at rest on the core. It relies on Unix file permissions and on full-disk encryption, if you enable it at the operating-system level, to protect that data. It is your responsibility to secure the file system and device.

However, AWS IoT Greengrass does encrypt local copies of your secrets retrieved from AWS Secrets Manager. For more information, see [Secrets encryption](secrets.md#secrets-encryption).

# Key management for the Greengrass core device
<a name="key-management"></a>

It's the responsibility of the customer to guarantee secure storage of cryptographic (public and private) keys on the Greengrass core device. AWS IoT Greengrass uses public and private keys for the following scenarios:
+ The IoT client key is used with the IoT certificate to authenticate the Transport Layer Security (TLS) handshake when a Greengrass core connects to AWS IoT Core. For more information, see [Device authentication and authorization for AWS IoT Greengrass](device-auth.md).
**Note**  
The key and certificate are also referred to as the core private key and the core device certificate.
+ The MQTT server key is used with the MQTT server certificate to authenticate TLS connections between core and client devices. For more information, see [Device authentication and authorization for AWS IoT Greengrass](device-auth.md).
+ The local secrets manager also uses the IoT client key to protect the data key used to encrypt local secrets, but you can provide your own private key. For more information, see [Secrets encryption](secrets.md#secrets-encryption).

A Greengrass core supports private key storage using file system permissions, [hardware security modules](hardware-security.md), or both. If you use file system-based private keys, you are responsible for their secure storage on the core device.

On a Greengrass core, the location of your private keys is specified in the `crypto` section of the `config.json` file. If you configure the core to use a customer-provided key for the MQTT server certificate, it is your responsibility to rotate the key. For more information, see [AWS IoT Greengrass core security principals](gg-sec.md#gg-principals).
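The following script is an added example, not part of the AWS IoT Greengrass documentation or software, of the kind of check you might run on a core to confirm that file-system-based private keys are actually protected. It reads the `privateKeyPath` of each principal under `crypto.principals` (the field names follow the documented V1 `config.json` layout; the file paths and the PKCS#11 URI in the embedded sample are constructed), treats `pkcs11:` URIs as HSM-backed, and for `file://` URIs checks that the key is owned by root and has no group/other permission bits. That ownership and mode policy is an assumption of the example; adjust it to your own hardening baseline. The `stat_fn` parameter lets the audit run against a constructed file table here and against `os.stat` on a real core.

```python
"""Audit how a Greengrass V1 core stores the private keys named in config.json.

Example code, not part of AWS IoT Greengrass. The policy enforced here
(owner root, no group/other bits on file-backed keys) is an assumption.
"""
import json
import os
import stat
from typing import Callable, Dict, List, Tuple

# Constructed sample: only the crypto section matters for this audit. Field
# names follow the documented V1 config.json layout; paths and URIs are made up.
SAMPLE_CONFIG_JSON = """
{
  "crypto": {
    "caPath": "file:///greengrass/certs/root.ca.pem",
    "principals": {
      "IoTCertificate": {
        "privateKeyPath": "file:///greengrass/certs/core.key",
        "certificatePath": "file:///greengrass/certs/core.crt"
      },
      "MQTTServerCertificate": {
        "privateKeyPath": "file:///greengrass/certs/server.key"
      },
      "SecretsManager": {
        "privateKeyPath": "pkcs11:object=iotkey;type=private"
      }
    }
  }
}
"""

# Bits that must be clear on a file-backed private key (assumed policy).
FORBIDDEN_BITS = stat.S_IRWXG | stat.S_IRWXO

# stat_fn(path) -> (st_mode, st_uid). Injected so the audit can run offline
# against a constructed table as well as against os.stat on a real core.
StatFn = Callable[[str], Tuple[int, int]]


def os_stat(path: str) -> Tuple[int, int]:
    """Real adapter for use on a core device."""
    st = os.stat(path)
    return st.st_mode, st.st_uid


def table_stat(table: Dict[str, Tuple[int, int]]) -> StatFn:
    """Build a stat_fn from a constructed {path: (mode, uid)} table."""
    def _stat(path: str) -> Tuple[int, int]:
        if path not in table:
            raise FileNotFoundError(path)
        return table[path]
    return _stat


def key_uris(config: dict) -> Dict[str, str]:
    """Map each principal under crypto.principals to its privateKeyPath URI."""
    principals = config.get("crypto", {}).get("principals", {})
    return {name: p["privateKeyPath"] for name, p in principals.items()
            if "privateKeyPath" in p}


def audit_key_uris(uris: Dict[str, str], stat_fn: StatFn) -> List[Tuple[str, str, str]]:
    """Return (principal, status, detail) per key; status is one of
    ok / weak / missing / hsm / unknown."""
    findings = []
    for name, uri in sorted(uris.items()):
        if uri.startswith("pkcs11:"):
            findings.append((name, "hsm", uri))          # key lives in the HSM
            continue
        if not uri.startswith("file://"):
            findings.append((name, "unknown", uri))
            continue
        path = uri[len("file://"):]
        try:
            mode, uid = stat_fn(path)
        except FileNotFoundError:
            findings.append((name, "missing", path))
            continue
        problems = []
        if uid != 0:
            problems.append(f"owner uid {uid} (expected root)")
        if mode & FORBIDDEN_BITS:
            problems.append(f"mode {stat.S_IMODE(mode):04o} readable by group/other")
        if problems:
            findings.append((name, "weak", f"{path}: " + "; ".join(problems)))
        else:
            findings.append((name, "ok", path))
    return findings


# Constructed file table standing in for the core's filesystem.
SAMPLE_FILES = {
    "/greengrass/certs/core.key": (stat.S_IFREG | 0o600, 0),       # fine
    "/greengrass/certs/server.key": (stat.S_IFREG | 0o644, 1000),  # world-readable, not root
}


def demo() -> List[Tuple[str, str, str]]:
    """Run the audit over the constructed config and file table."""
    config = json.loads(SAMPLE_CONFIG_JSON)
    return audit_key_uris(key_uris(config), table_stat(SAMPLE_FILES))


if __name__ == "__main__":
    for principal, status, detail in demo():
        print(f"{principal:22} {status:8} {detail}")
```

On a real core you would load `/greengrass/config/config.json` and pass `os_stat` instead of the constructed table; a `weak` or `missing` result for `IoTCertificate` or `MQTTServerCertificate` means the TLS identities described above are exposed to other local users or absent, and an `hsm` result means the key never exists on the file system at all, which is the stronger position.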

For client devices, it's your responsibility to keep the TLS stack up to date and protect private keys. Private keys are used with device certificates to authenticate TLS connections with the AWS IoT Greengrass service.