
Encryption

The process of converting readable data (plaintext) into an unreadable format (ciphertext) using mathematical algorithms, protecting confidentiality.

Cryptography
Also called: "data encryption", "cryptography", "cipher", "encrypt"

Encryption is a fundamental security control that protects data from unauthorized access, whether stored on disk, transmitted over networks, or processed in memory.

Why it matters

  • Protects sensitive data even if storage or transmission is compromised.
  • Required by virtually all compliance frameworks (HIPAA, PCI-DSS, GDPR).
  • Enables secure communication over untrusted networks.
  • Provides non-repudiation through digital signatures.

Types of encryption

  • Symmetric: Same key encrypts and decrypts (AES, ChaCha20). Fast, used for bulk data.
  • Asymmetric: Public key encrypts, private key decrypts (RSA, ECC). Used for key exchange and signatures.
  • Hashing: One-way transformation for integrity verification (SHA-256). Not encryption but related.

Encryption contexts

  • Data at rest: Encrypting stored data (disk encryption, database encryption).
  • Data in transit: Protecting network communications (TLS, VPNs).
  • Data in use: Emerging techniques such as homomorphic encryption and secure enclaves.

Common algorithms

  • AES-256: Industry standard symmetric encryption, considered quantum-resistant.
  • RSA-2048/4096: Widely used asymmetric encryption, being phased out for ECC.
  • ECC (Elliptic Curve): Smaller keys, same security as larger RSA keys.
  • ChaCha20-Poly1305: Modern alternative to AES, faster on devices without AES hardware.

Key management

  • Keys must be protected as carefully as the data they encrypt.
  • Use Hardware Security Modules (HSMs) for key storage.
  • Implement key rotation policies.
  • Separate key management from encrypted data.
  • Plan for key recovery and escrow scenarios.

Common mistakes

  • Using weak or deprecated algorithms (DES, MD5, SHA-1).
  • Hardcoding encryption keys in source code.
  • Improper initialization vector (IV) handling.
  • Not encrypting all copies of sensitive data (backups, logs).
  • Confusing encoding (Base64) with encryption.