A method and apparatus for real-time in-line encryption of data transmitted over a serial channel from a source device to a target device. An encryption unit includes logic configured to receive data packets including headers with control information and data on the channel, which may be a fiber channel bus, serial ATA, serial SCSI, USB or the like. The encryption unit encrypts the data and passes the control information to the target device along with the encrypted data. The encryption unit may filter, convert or reject predetermined commands or types of information in the header to prevent covert channel transmissions. There may be one or multiple source devices, e.g. host computers, and one or multiple target devices, e.g. storage systems, configured in a variety of network topologies. The encryption unit also decrypts data and remaps control information transmitted from the target device(s) to the source device(s).