Data Encryption Basics

Encryption turns your readable data into scrambled, unreadable text. Even if an attacker intercepts or steals the data, they see nothing useful without the key to decrypt it. Encryption is the lock on your data's safe — it does not stop someone from finding the safe, but it stops them from opening it.

The Secret Message Analogy

Imagine you write a letter and replace every letter with a number: A=1, B=2, C=3, and so on. You send the letter. Someone intercepts it and sees only numbers. Without knowing your substitution rule (the key), they cannot read it. Your recipient knows the rule and decodes it perfectly. Encryption works on the same principle, just with far more complex mathematical transformations.

Encryption at Rest vs. In Transit

Encryption at Rest

Data at rest is data sitting stored on a disk — inside a database, on a file system, in a cloud storage bucket. Encryption at rest scrambles that data so that even if someone steals the physical disk or gets unauthorized access to the storage layer, they cannot read the data without the decryption key.

At Rest Example:
----------------------------------------------
Stored in database without encryption:
Name: Sarah Kim | Card: 4111-1111-1111-1234 | CVV: 321

Stored in database WITH encryption:
Name: 7f2a9c1e... | Card: 3b8f0d72... | CVV: 9e14a3...

Attacker copies the database → sees only gibberish
----------------------------------------------

Encryption in Transit

Data in transit is data moving over a network — from your browser to a server, between cloud services, or across data centers. Encryption in transit wraps that data in a secure tunnel so that anyone sniffing network traffic cannot read it.

HTTPS — the padlock you see in your browser — is encryption in transit. It uses a protocol called TLS (Transport Layer Security). Without TLS, anyone on the same Wi-Fi network as you can read what you send and receive.

In Transit Example:
----------------------------------------------
Without TLS:
Browser → "Password: hunter2" → Network → Server
Anyone on the network sees: Password: hunter2

With TLS:
Browser → "x9#kL2@mR..." → Network → Server
Anyone on the network sees: x9#kL2@mR... (useless)
----------------------------------------------

Symmetric vs. Asymmetric Encryption

Symmetric Encryption

Symmetric encryption uses the same key to encrypt and decrypt data. It is fast and efficient — ideal for encrypting large amounts of data at rest. The challenge is securely sharing that key with the people who need it. AES (Advanced Encryption Standard) is the most widely used symmetric algorithm.

Asymmetric Encryption

Asymmetric encryption uses two mathematically linked keys — a public key and a private key. You share your public key with everyone. Anyone uses it to encrypt a message to you. Only your private key (which you never share) can decrypt it. This is how TLS establishes a secure connection. RSA and ECC are common asymmetric algorithms.

Asymmetric Key Analogy:
----------------------------------------------
Public key  = A padlock you hand out to everyone
Private key = The unique key only you carry

Anyone can lock a box with your padlock.
Only you can unlock it.
----------------------------------------------

Cloud Encryption in Practice

All major cloud providers offer built-in encryption features. AWS encrypts S3 storage buckets with AES-256. Azure encrypts all data in Storage by default. Google Cloud encrypts all customer data at rest automatically. Even so, you must verify that these features are enabled and configured correctly — especially for sensitive workloads where you manage your own encryption keys.

What You Should Always Encrypt

  • Databases containing personal data, financial records, or health information
  • File storage buckets with sensitive documents
  • All API traffic between services (use HTTPS / TLS)
  • Backup files and archived data
  • Secrets such as passwords, API keys, and certificates (use a secrets manager, not plain text files)

Encryption Strength: Algorithm and Key Length

AlgorithmTypeKey LengthUse Case
AES-256Symmetric256 bitsData at rest
RSA-2048Asymmetric2048 bitsKey exchange, TLS
TLS 1.3Protocol (uses both)N/AData in transit

Key Terms to Know

  • AES: Advanced Encryption Standard — the global standard for symmetric encryption.
  • TLS: Transport Layer Security — the protocol that encrypts internet traffic (HTTPS uses TLS).
  • Public Key: An encryption key shared openly; used to encrypt data that only the private key holder can decrypt.
  • Plaintext: Unencrypted, readable data.
  • Ciphertext: Encrypted, scrambled data.

What You Learned

Encryption protects data in two states: at rest (stored) and in transit (moving). Symmetric encryption uses one key for both operations — fast and ideal for storage. Asymmetric encryption uses a key pair — ideal for key exchange and securing connections. Cloud providers encrypt data by default, but you remain responsible for verifying configurations and managing your own keys for sensitive data.

Leave a Comment

Your email address will not be published. Required fields are marked *