TLS (Transport Layer Security) encrypts data in transit:
Handshake: ClientHello → ServerHello + server certificate → (EC)DHE key exchange → both sides derive session keys → encrypted application data. The client verifies the certificate chain and the hostname before it trusts the server's key. A full handshake adds one round trip in TLS 1.3 (two in TLS 1.2) before the first byte of application data; session resumption cuts that further.
Certificates: Issued by Certificate Authorities (CAs) after the CA checks that the requester controls the domain. A certificate binds a public key to a name; the client accepts it only if the chain leads to a root it trusts, the name matches the host it asked for, and the certificate is within its validity period. Let's Encrypt provides free 90-day certificates via the ACME protocol, so renewal has to be automated.
TLS termination: Decrypt at the load balancer, forward plain HTTP to the backends. Offloads handshake and record-layer crypto from application servers and lets the load balancer inspect and route on HTTP. Caveat: traffic behind the load balancer is plaintext, so anything on the internal network can read or modify it, and backends learn the original scheme and client address only from headers the load balancer adds (X-Forwarded-Proto, X-Forwarded-For), which must be trusted only when the request really arrived via the load balancer. If the internal network is not trusted, re-encrypt from the load balancer to the backend or pass TLS through untouched.
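What a backend behind a TLS-terminating load balancer has to do with the forwarded headers, as an added example (not code from the original notes): a small WSGI middleware that believes X-Forwarded-Proto and X-Forwarded-For only when the TCP peer is one of the load balancers, and strips them otherwise. The class name, the 10.0.0.0/8 proxy range, and the sample requests are constructed for the example.

```python
"""Added example: trust X-Forwarded-* only from the TLS-terminating load balancer.
Hypothetical middleware; the proxy CIDR 10.0.0.0/8 and the sample requests are constructed."""
import ipaddress

FORWARDED = ("HTTP_X_FORWARDED_PROTO", "HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED_HOST")


class TrustedProxyFix:
    """Rewrite scheme and client address from X-Forwarded-* only for trusted peers."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted = [ipaddress.ip_network(cidr) for cidr in trusted_proxies]

    def _peer_is_trusted(self, environ) -> bool:
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        if self._peer_is_trusted(environ):
            proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
            if proto in ("http", "https"):
                environ["wsgi.url_scheme"] = proto  # what the client really used to reach the LB
            xff = environ.get("HTTP_X_FORWARDED_FOR", "")
            if xff:
                # the LB appends the address it saw; earlier entries came from the client, unverified
                environ["REMOTE_ADDR"] = xff.split(",")[-1].strip()
        else:
            # direct hit on the plain-HTTP backend: the headers are attacker-controlled, drop them
            for header in FORWARDED:
                environ.pop(header, None)
            environ["wsgi.url_scheme"] = "http"
        return self.app(environ, start_response)


def effective_request(peer_ip: str, headers: dict, trusted=("10.0.0.0/8",)) -> dict:
    """Push one constructed request through the middleware and report what the app saw."""
    seen = {}

    def app(environ, start_response):
        seen["scheme"] = environ["wsgi.url_scheme"]
        seen["client_ip"] = environ["REMOTE_ADDR"]
        seen["forwarded_headers_present"] = any(h in environ for h in FORWARDED)
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    environ = {"REMOTE_ADDR": peer_ip, "wsgi.url_scheme": "http", "PATH_INFO": "/"}
    environ.update({"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()})
    seen["body"] = b"".join(TrustedProxyFix(app, trusted)(environ, lambda status, hdrs: None))
    return seen


if __name__ == "__main__":
    print(effective_request("10.0.0.5", {"X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.9"}))
    print(effective_request("203.0.113.7", {"X-Forwarded-Proto": "https"}))
```

The app then bases Secure cookies, HSTS and HTTPS redirects on wsgi.url_scheme. The rightmost X-Forwarded-For entry is the one the trusted load balancer appended; with more than one trusted hop, walk the list from the right past every trusted address instead.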
mTLS: Mutual TLS. The client also presents a certificate and proves possession of its private key, so both ends are authenticated. Used for service-to-service authentication in microservices: each service holds a workload certificate from an internal CA, and the server authorizes on the identity in that certificate (SAN or CN) rather than on network location. Requires automated issuance and rotation of short-lived certificates, since revocation checking is rarely deployed.
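The handshake, certificate verification and mTLS behaviour described above, exercised in-process as an added example (not code from the original notes): a server and a client run over loopback with throwaway self-signed certificates, and the three outcomes a practitioner wants to see are produced on demand: server-only authentication, mTLS accepted, and mTLS rejected because the client brought no certificate. It assumes the openssl command-line tool is on PATH (used only to mint the temporary certificates) and that loopback sockets are usable; the names localhost and client.internal are made up for the example.

```python
"""Added example: TLS and mTLS handshakes over loopback using Python's ssl module.
Assumes the `openssl` CLI is on PATH (only to mint temp certs) and loopback works."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

TIMEOUT = 10  # seconds; keeps a broken handshake from hanging the demo


def demo_possible() -> bool:
    """True when openssl is installed and a loopback socket can be bound."""
    if shutil.which("openssl") is None:
        return False
    try:
        with socket.socket() as probe:
            probe.bind(("127.0.0.1", 0))
        return True
    except OSError:
        return False


def make_self_signed(workdir: str, name: str, cn: str) -> tuple:
    """Mint a throwaway self-signed P-256 cert for `cn` (SAN DNS:cn); returns (cert, key) paths."""
    key = os.path.join(workdir, name + ".key")
    crt = os.path.join(workdir, name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-nodes", "-days", "1",
         "-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1",
         "-subj", "/CN=" + cn, "-addext", "subjectAltName=DNS:" + cn,
         "-keyout", key, "-out", crt],
        check=True, capture_output=True,
    )
    return crt, key


def _serve_once(listener, ctx, seen: dict) -> None:
    """Accept one connection, run the server side of the handshake, greet the client."""
    try:
        conn, _ = listener.accept()
        conn.settimeout(TIMEOUT)
        with ctx.wrap_socket(conn, server_side=True) as tls:  # handshake happens here
            peer = tls.getpeercert()  # None unless a client certificate was verified
            cn = dict(rdn[0] for rdn in peer["subject"]).get("commonName") if peer else None
            seen["client_cn"] = cn  # the identity an mTLS server would authorize on
            tls.sendall(("hello " + str(cn)).encode())
    except OSError as exc:  # ssl.SSLError is an OSError: handshake refused, alert already sent
        seen["server_error"] = str(exc)


def run(require_client_cert: bool, present_client_cert: bool) -> dict:
    """Run one handshake with the given policy and return what each side observed."""
    with tempfile.TemporaryDirectory() as d:
        srv_crt, srv_key = make_self_signed(d, "server", "localhost")
        cli_crt, cli_key = make_self_signed(d, "client", "client.internal")

        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(srv_crt, srv_key)
        if require_client_cert:
            server_ctx.verify_mode = ssl.CERT_REQUIRED       # this is what makes it mutual TLS
            server_ctx.load_verify_locations(cafile=cli_crt)  # trust anchor for client certs

        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
        client_ctx.load_verify_locations(cafile=srv_crt)      # trust anchor for the server cert
        if present_client_cert:
            client_ctx.load_cert_chain(cli_crt, cli_key)

        listener = socket.socket()
        listener.settimeout(TIMEOUT)
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        seen = {}
        worker = threading.Thread(target=_serve_once, args=(listener, server_ctx, seen))
        worker.start()

        outcome = {"accepted": False, "version": None}
        try:
            raw = socket.create_connection(("127.0.0.1", listener.getsockname()[1]), timeout=TIMEOUT)
            with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                outcome["version"] = tls.version()
                greeting = tls.recv(1024)  # in TLS 1.3 a rejected client cert surfaces as an alert here
                outcome["accepted"] = greeting.startswith(b"hello")
        except OSError as exc:
            outcome["client_error"] = str(exc)
        worker.join(TIMEOUT)
        listener.close()
        outcome.update(seen)
        return outcome


if __name__ == "__main__":
    print("server auth only:", run(False, False))
    print("mTLS, client cert:", run(True, True))
    print("mTLS, no client cert:", run(True, False))
```

In TLS 1.3 the client's own handshake completes before the server has checked its certificate, so the rejection arrives as an alert on the first read rather than inside wrap_socket; code that treats "handshake succeeded" as "authenticated" misreads that. A self-signed certificate serves as its own trust anchor here; in a real deployment the server loads the internal CA and the client certificates chain to it.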