Encryption
Encryption transforms readable data (plaintext) into an unreadable format (ciphertext) using an algorithm and a key. Only parties with the correct decryption key can reverse the process. Encryption is the foundational control for data confidentiality across all security domains.
Symmetric Encryption
Uses the same key for both encryption and decryption. Fast and efficient for large volumes of data.
Recommended Algorithms
| Algorithm | Key Size | Mode | Notes |
|---|---|---|---|
| AES | 256-bit | GCM | Gold standard โ authenticated encryption |
| AES | 256-bit | CBC + HMAC-SHA256 | Acceptable where GCM is unavailable |
| ChaCha20-Poly1305 | 256-bit | โ | Preferred on mobile / low-power devices |
Avoid: DES, 3DES, RC4, Blowfish, AES-ECB.
Why not ECB mode? ECB encrypts identical plaintext blocks to identical ciphertext blocks, leaking structural patterns. Always use an authenticated mode (GCM, CCM) or CBC with a separate MAC.
Key Distribution Problem
Symmetric encryption requires both parties to share the key securely before communication begins. This is typically solved by using asymmetric encryption to exchange the symmetric key (hybrid encryption).
Asymmetric Encryption
Uses a mathematically linked key pair: a public key (freely distributed) for encryption or signature verification, and a private key (kept secret) for decryption or signing.
Recommended Algorithms
| Algorithm | Key Size | Use Case |
|---|---|---|
| RSA-OAEP | 3072-bit+ | Key encapsulation, legacy TLS |
| ECDSA / EdDSA | P-256 / Ed25519 | Digital signatures |
| ECDH / X25519 | โ | Key agreement (TLS, Signal Protocol) |
Avoid: RSA-2048 for new systems (NIST recommends 3072+ post-2030), plain RSA (no padding), DSA.
Hybrid Encryption
In practice, all modern protocols combine both approaches:
- Sender generates a random symmetric session key.
- Session key is encrypted with the recipient's public key (asymmetric).
- Data is encrypted with the session key (symmetric โ fast for bulk data).
- Recipient decrypts the session key with their private key, then decrypts the data.
Examples: TLS 1.3, PGP, Signal Protocol, SSH.
Encryption in Transit
Protects data moving between systems โ networks, APIs, microservices, browsers.
Protocol Selection
| Protocol | Status | Notes |
|---|---|---|
| TLS 1.3 | Required | Current standard; use exclusively for new systems |
| TLS 1.2 | Acceptable | Disable weak cipher suites; enable PFS |
| TLS 1.1 | Deprecated | Disable immediately |
| TLS 1.0 | Deprecated | Disable immediately |
| SSL 3.0 / 2.0 | Prohibited | POODLE, DROWN โ critical vulnerabilities |
Cipher Suite Guidance (TLS 1.2)
Prefer cipher suites that provide Perfect Forward Secrecy (PFS):
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Disable: RC4, export ciphers, NULL ciphers, 3DES, anonymous DH.
Best Practices
- Enforce HSTS (HTTP Strict Transport Security) with
max-ageโฅ 1 year andincludeSubDomains - Submit to the HSTS preload list for public-facing services
- Implement certificate pinning for high-value mobile applications
- Use OCSP stapling to validate certificate revocation at scale
- Automate certificate renewal (Let's Encrypt / ACME protocol)
- Monitor TLS configuration regularly using tools like testssl.sh
Encryption at Rest
Protects data stored on disk, databases, backups, and removable media.
Layers of Protection
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Application-level encryption โ โ Highest protection; survives DB breach
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Database TDE (Transparent Data โ โ Protects files on disk
โ Encryption) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ File-system / volume encryption โ โ Protects against physical theft
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Full-disk encryption (FDE) โ โ Baseline; protects powered-off devices
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Apply defense-in-depth. FDE is the minimum for all workstations and servers. Sensitive fields (PII, secrets, payment data) should also have application-level encryption.
Key Technologies
| Layer | Technology |
|---|---|
| Full-disk (Windows) | BitLocker (AES-256 + TPM 2.0) |
| Full-disk (Linux) | LUKS2 with AES-256-XTS |
| Full-disk (macOS) | FileVault 2 |
| Database (SQL Server) | Transparent Data Encryption (TDE) |
| Database (PostgreSQL) | pgcrypto extension or column-level |
| Cloud storage | AWS S3 SSE-KMS, Azure Storage Service Encryption |
| Secrets | HashiCorp Vault, AWS Secrets Manager, Azure Key Vault |
Key Management
Strong encryption is only as secure as its key management. A poorly managed key negates any algorithmic strength.
Key Hierarchy
Hardware Security Module (HSM) or Cloud KMS
โโโ Key Encryption Key (KEK) โ long-lived, rarely accessed
โโโ Data Encryption Key (DEK) โ rotated regularly
โโโ Encrypted data
Best Practices
- Never hard-code keys in source code, configuration files, or container images
- Store all cryptographic keys in a dedicated key management system (KMS) or HSM
- Enforce separation of duties: key custodians must not also access the protected data
- Log every key access, generation, and revocation event
- Define and test emergency key rotation procedures for suspected compromise
- Establish key expiry โ data encryption keys should expire after a defined period
Rotation Schedule
| Key Type | Rotation Frequency |
|---|---|
| Data encryption keys (DEKs) | Annually or on suspected compromise |
| Key encryption keys (KEKs) | Every 2โ3 years or on personnel change |
| TLS certificates | At expiry (automate; never manual) |
| API keys / secrets | Every 90 days or on personnel change |
| SSH host keys | On infrastructure rebuild |
Common Pitfalls
| Mistake | Risk | Correct Approach |
|---|---|---|
| AES in ECB mode | Pattern leakage; deterministic | Use AES-GCM or CBC+HMAC |
| Nonce/IV reuse | Catastrophic for GCM; breaks security | Generate random IVs; never reuse |
| Rolling your own crypto | Subtle, catastrophic flaws | Use vetted libraries (OpenSSL, libsodium) |
| Keys stored with encrypted data | Defeats the purpose | Physically and logically separate |
| MD5 or SHA-1 for integrity | Collision attacks | Use SHA-256 or SHA-3 |
| Hardcoded secrets in repos | Credential exposure via git history | Use secrets managers; scan repos with tools |
Approved Cryptographic Libraries
| Language | Library |
|---|---|
| Python | cryptography (pyca/cryptography) |
| Java / Kotlin | Bouncy Castle, JCA/JCE |
| .NET / C# | System.Security.Cryptography |
| Go | crypto/aes, golang.org/x/crypto/chacha20poly1305 |
| Node.js | Built-in node:crypto, libsodium-wrappers |
| Rust | ring, RustCrypto crates |
| C / C++ | libsodium, OpenSSL 3.x |
Rule: Never implement cryptographic primitives yourself. Use a well-audited, widely deployed library.
Regulatory Reference
| Regulation / Standard | Encryption Requirements |
|---|---|
| PCI DSS 4.0 | AES-256 for cardholder data; TLS 1.2+ for transmission |
| HIPAA | Encryption "addressable" but effectively required |
| GDPR Article 32 | Encryption as an appropriate technical measure |
| FIPS 140-2 / 140-3 | Government systems must use validated cryptographic modules |
| NIST SP 800-57 | Comprehensive key management recommendations |
| ISO 27001 A.10 | Cryptographic controls policy required |