Cloud encryption types: at rest (data stored on disk), in transit (data moving between services), in use (confidential computing). Key management: keys managed by the cloud service provider (CSP-managed) or Customer-Managed Keys (CMK).
CMKs give you control: if you delete the CMK, the data becomes unreadable. A KMS (Key Management Service) handles key storage. Envelope encryption: a data key encrypts the data, and a master key encrypts the data key.
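
An added example, not part of the original notes, showing envelope encryption and why deleting the CMK makes the stored data unreadable. The `kms` map is a hypothetical in-memory stand-in for a real KMS (which would keep the master key inside the service), AES-256-GCM is an assumed cipher choice, and the key ID, function names and sample record are constructed.

```javascript
const crypto = require("crypto");

// Hypothetical in-memory stand-in for a cloud KMS: key ID -> 32-byte master key (CMK).
const kms = new Map();

// AES-256-GCM (assumed cipher). Blob layout: 12-byte nonce || 16-byte tag || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

function open(key, blob) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws when the key is wrong or the blob was modified.
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

function masterKey(keyId) {
  const key = kms.get(keyId);
  if (!key) throw new Error(`master key ${keyId} not found`);
  return key;
}

// A fresh data key encrypts the data; the master key encrypts (wraps) the data key.
function envelopeEncrypt(keyId, data) {
  const dataKey = crypto.randomBytes(32);
  const wrappedKey = seal(masterKey(keyId), dataKey);
  const ciphertext = seal(dataKey, data);
  dataKey.fill(0); // best-effort wipe; only the wrapped copy is stored
  return { keyId, wrappedKey, ciphertext };
}

function envelopeDecrypt({ keyId, wrappedKey, ciphertext }) {
  return open(open(masterKey(keyId), wrappedKey), ciphertext);
}

// Constructed demo: round trip, then delete the CMK and try again.
kms.set("cmk-demo", crypto.randomBytes(32));
const stored = envelopeEncrypt("cmk-demo", Buffer.from("customer record 42"));
console.log(envelopeDecrypt(stored).toString());
kms.delete("cmk-demo");
try {
  envelopeDecrypt(stored);
} catch (err) {
  console.log("after CMK deletion:", err.message);
}
```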