Encryption Essentials: Protecting Your Data at Rest and in Transit

Encryption transforms readable data (plaintext) into unreadable data (ciphertext) using a mathematical algorithm and a key. Only someone with the correct key can decrypt it back.

Analogy: Think of a lockbox. Encryption is putting a message in the box and locking it. The key is the only way to open it. The strength of the lock determines how hard it is to break in.

Two fundamental types:

Symmetric encryption (one key):

• Same key encrypts and decrypts
• Fast and efficient for large amounts of data
• Challenge: How do you securely share the key?
• Examples: AES-256, ChaCha20

Asymmetric encryption (two keys):


• Public key encrypts, private key decrypts (or vice versa for signing)
• Solves the key-sharing problem
• Slower, used for small amounts of data or key exchange

In practice, both are used together: Asymmetric encryption securely exchanges a symmetric key, then symmetric encryption handles the bulk data transfer (this is how TLS/HTTPS works).

AES-256 (Advanced Encryption Standard):

• The global standard for symmetric encryption
• Used by governments, military, and financial institutions
• 256-bit key = 2^256 possible combinations (more than atoms in the observable universe)
• Modes matter: AES-GCM (authenticated) > AES-CBC > AES-ECB (never use ECB)

ChaCha20-Poly1305:


• Alternative to AES, designed by Daniel J. Bernstein
• Faster in software (where hardware AES acceleration isn't available)
• Used in WireGuard VPN, TLS 1.3, and many modern protocols

RSA:


• Established asymmetric algorithm, minimum 2048-bit keys (4096 recommended)
• Being gradually replaced by elliptic curve algorithms
• Still widely used for code signing and CA certificates

Elliptic Curve Cryptography (ECC):


• Smaller keys with equivalent security: 256-bit ECC ≈ 3072-bit RSA
• Ed25519 for signatures, X25519 for key exchange
• Modern standard for SSH keys, TLS, and new protocols

Post-Quantum Cryptography:


• Quantum computers threaten RSA and ECC (Shor's algorithm)
• NIST standardized ML-KEM (Kyber) and ML-DSA (Dilithium) in 2024
• Hybrid approaches (traditional + post-quantum) are being deployed now

TLS (Transport Layer Security) encrypts data traveling between your browser and a website.

How TLS works (simplified):

1. Browser connects to server and says "Hello, I support these ciphers"
2. Server responds with its certificate and chosen cipher
3. Browser verifies the certificate against trusted CAs
4. Both parties perform a key exchange (ECDHE) to create a shared secret
5. All subsequent data is encrypted with that shared key (AES-GCM or ChaCha20)

TLS versions:


• TLS 1.3 (current) — Faster handshake, stronger ciphers, no legacy baggage

How to verify:

HTTPS everywhere:

Data at rest means data stored on disk — files, databases, backups.

Full-disk encryption (FDE):

• Windows: BitLocker (Pro/Enterprise) — use AES-256, XTS mode
• macOS: FileVault 2 — AES-256 XTS, enabled by default on newer Macs
• Linux: LUKS/dm-crypt — standard for Linux full-disk encryption
• Mobile: iOS and Android encrypt by default when you set a passcode

File-level encryption:


• 7-Zip: AES-256 encrypted archives (free, open-source)
• Cryptomator: Encrypts files before uploading to cloud storage
• VeraCrypt: Create encrypted volumes/containers
• age: Modern, simple command-line file encryption

Cloud storage encryption:


• Most cloud providers encrypt at rest but hold the keys
• Zero-knowledge providers: Tresorit, SpiderOak, Proton Drive
• Encrypt before upload: Use Cryptomator with any cloud provider
• Backups: Ensure your backup software encrypts with a key you control

Database encryption:


• Transparent Data Encryption (TDE) for SQL Server, PostgreSQL
• Application-level encryption for sensitive fields (SSN, health data)

End-to-end encryption means only the sender and recipient can read the content — not even the service provider.

How E2EE works:

1. Each user has a key pair (public + private)
2. Messages are encrypted with the recipient's public key
3. Only the recipient's private key can decrypt
4. The server only sees encrypted blobs — it cannot read content

E2EE messaging:


• Signal — Gold standard, open-source Signal Protocol

E2EE email:

E2EE file sharing:

Limitations of E2EE: