Encryption
Symmetric vs asymmetric encryption
Encryption schemes fall into two main families, distinguished by how keys are managed. Symmetric encryption uses a single shared secret key for both encrypting and decrypting, which makes it fast and well suited to bulk data. Asymmetric encryption uses a mathematically linked key pair: anyone holding the public key can encrypt, but only the holder of the private key can decrypt (for digital signatures the roles reverse: the private key signs and the public key verifies). This removes the need to share a secret over an untrusted channel, although the public key itself still has to be obtained in a way the other party can trust.
- Symmetric: one key, high performance, ideal for encrypting large volumes (databases, files, disk). The challenge is securely distributing the shared key.
- Asymmetric: a public/private key pair, slower, used for secure key exchange, digital signatures, and identity verification.
In practice, real systems combine both: an asymmetric key exchange (in TLS, typically an ephemeral elliptic-curve Diffie-Hellman agreement, with the server authenticated by a certificate-backed signature) establishes a fresh session key, and a fast symmetric cipher such as AES-GCM then protects the actual data. This hybrid model underpins protocols like TLS and SSH.
| Criterion | Symmetric encryption | Asymmetric encryption |
|---|---|---|
| Keys | One shared secret key | Public key + private key pair |
| Speed | Fast | Slower (heavier computation) |
| Typical use | Bulk data, files, disks, databases | Key exchange, digital signatures |
| Common algorithms | AES, ChaCha20 | RSA, ECC (elliptic curve) |
| Main challenge | Secure key distribution | Performance; trusting that a public key really belongs to its claimed owner (certificates, PKI) |
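The hybrid model this section describes, worked through as an added example (not code from the original page): an X25519 key agreement plus a small HKDF-style derivation produces a one-time session key, and AES-256-GCM does the bulk encryption. It uses only the Go standard library; the Envelope type, the kdfLabel context string and the sample payload are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what crosses the untrusted channel: the sender's one-time public
// key, the AES-GCM nonce and the ciphertext (the GCM tag is appended to it).
type Envelope struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// kdfLabel is an assumed context string; real protocols fix one per purpose.
const kdfLabel = "hypothetical hybrid example v1"

// deriveKey turns the raw X25519 shared secret into a 256-bit AES key with a
// one-block HKDF (RFC 5869: HMAC extract, then a single HMAC expand step).
func deriveKey(shared, salt []byte, label string) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte(label))
	expand.Write([]byte{0x01})
	return expand.Sum(nil) // 32 bytes, an AES-256 key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the sender's side: a fresh X25519 key pair, ECDH against the
// recipient's long-term public key, key derivation, then AES-256-GCM over the
// bulk data, with the ephemeral public key bound in as associated data.
func Encrypt(recipientPub *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := newGCM(deriveKey(shared, ephPub, kdfLabel))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Envelope{ephPub, nonce, gcm.Seal(nil, nonce, plaintext, ephPub)}, nil
}

// Decrypt is the recipient's side: only the matching private key recomputes
// the shared secret, and any tampering with the envelope fails the tag check.
func Decrypt(recipientPriv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, env.EphemeralPub, kdfLabel))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
	if err != nil {
		return nil, errors.New("authentication failed: wrong key or tampered envelope")
	}
	return pt, nil
}

func main() {
	recipient, _ := ecdh.X25519().GenerateKey(rand.Reader)
	env, _ := Encrypt(recipient.PublicKey(), []byte("constructed sample payload"))
	pt, err := Decrypt(recipient, env)
	fmt.Printf("%q %v\n", pt, err)
}
```

Only the holder of the recipient's private key can recompute the shared secret, so the cases worth checking are a wrong private key and a flipped ciphertext byte: both must fail the GCM tag check rather than yield garbage. Note what this example does not do: it does not authenticate the sender. TLS closes that gap by having the server sign the handshake with a key vouched for by a certificate, which is the identity-verification use of asymmetric cryptography listed above.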
Encryption at rest vs in transit
Beyond the algorithm, encryption is applied at two distinct points in a data lifecycle. Protecting both is a baseline expectation for any business application handling sensitive or regulated data.
- Encryption in transit: data is protected while moving across networks, for example between a browser and a server or between microservices. This is typically handled by TLS (the protocol behind HTTPS), which prevents interception and tampering, provided the client actually validates the server's certificate rather than disabling the check.
- Encryption at rest: data is protected while stored, on disks, in databases, in backups, or in object storage. It defends against threats such as stolen drives, leaked backups, or unauthorized access to storage infrastructure.
A common architectural mistake is securing only one layer. Data encrypted in transit but stored as plaintext remains exposed if the storage is breached; data encrypted at rest but transmitted unprotected can be captured on the network. A second mistake is keeping the encryption key on the same disk, in the same database or in the same backup as the data it protects, which leaves at-rest encryption with nothing to defend against. Robust systems enforce both layers, alongside disciplined key management, ideally backed by a dedicated key management service that holds the keys separately from the data.
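Encryption at rest with a key that is not stored beside the data, as an added example rather than code from the original page: envelope encryption, the pattern cloud key management services use, where each record gets its own data key (DEK), the DEK is wrapped under a key-encryption key (KEK) that only the key service holds, and only the wrapped DEK travels with the ciphertext. The KMS type here is a hypothetical in-process stand-in for a real service, and the record id and payload are constructed sample values; the code uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// StoredRecord is what lands on disk, in a database row or in a backup;
// neither field is usable without the KEK, which never leaves the KMS.
type StoredRecord struct {
	RecordID   string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK), associated data = RecordID
	Ciphertext []byte // nonce || AES-256-GCM(DEK, data), associated data = RecordID
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag, with aad bound into the tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; a wrong key, a wrong aad or any modified byte fails.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// KMS is a hypothetical stand-in for a dedicated key management service: it
// holds the key-encryption key and only wraps or unwraps data keys; the record
// id as associated data ties each wrapped key to its own record.
type KMS struct{ kek []byte }

func NewKMS() (*KMS, error) {
	kek := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, kek)
	return &KMS{kek: kek}, err
}

func (k *KMS) WrapDataKey(dek []byte, recordID string) ([]byte, error) {
	return seal(k.kek, dek, []byte(recordID))
}

func (k *KMS) UnwrapDataKey(wrapped []byte, recordID string) ([]byte, error) {
	return unseal(k.kek, wrapped, []byte(recordID))
}

// StoreRecord uses one data key per record: a leaked DEK exposes one record,
// and rotating the KEK means re-wrapping 32-byte keys, not re-encrypting data.
func StoreRecord(kms *KMS, recordID string, plaintext []byte) (*StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	wrapped, err := kms.WrapDataKey(dek, recordID)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID)) // plaintext dek is dropped after this
	if err != nil {
		return nil, err
	}
	return &StoredRecord{RecordID: recordID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func LoadRecord(kms *KMS, rec *StoredRecord) ([]byte, error) {
	dek, err := kms.UnwrapDataKey(rec.WrappedDEK, rec.RecordID)
	if err != nil {
		return nil, err
	}
	return unseal(dek, rec.Ciphertext, []byte(rec.RecordID))
}

func main() {
	kms, _ := NewKMS()
	rec, _ := StoreRecord(kms, "customer/42", []byte("constructed sample record"))
	pt, err := LoadRecord(kms, rec)
	fmt.Printf("%q %v\n", pt, err)
}
```

A copied disk or leaked backup contains StoredRecord values but not the KEK, so a key service holding a different KEK cannot open them; that separation is the whole point of a dedicated key service, and it disappears if the KEK is written to the same volume or backup set. Passing the record id as associated data to both AES-GCM calls means a wrapped key or ciphertext copied from one record to another also fails to open.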