About data encryption

Overview

Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

Data can be encrypted in two ways: at rest and in transit.

Note:
These two safeguards must be applied together; neither one implies the other. Data encrypted at rest is not guaranteed to remain encrypted as it traverses a network. Conversely, data encrypted in transit is not guaranteed to remain encrypted after it has reached its destination.

Encryption at rest

Encryption at rest refers to the encryption of data storage, whether in a database, on a disk, or on some other form of media.

Note:
Indiana law recognizes the value of disk encryption, such that a lost/stolen laptop or storage media is not considered a breach if that media was encrypted (and the encryption key was not available with the device).

Examples of encryption at rest include:

Encryption in transit

Encryption in transit refers to data that is encrypted as it traverses a network, including via web applications, smartphone apps, chats, and so on. Data is in transit from the point at which it leaves the storage drive or database until it is re-saved or delivered to its destination. Protecting information in transit guards against others snooping or eavesdropping on it as it traverses the network.

Examples of encryption in transit include:

Symmetric key algorithms

Symmetric key algorithms use related, often identical, keys to both encrypt and decrypt information. In practice, the key is usually a shared secret held by two or more parties.

Asymmetric key algorithms

Asymmetric key algorithms use different keys to encrypt and decrypt information; one key encrypts (or locks) while the other decrypts (or unlocks). In practice, this is known as a public/private key pair: the public key can be shared openly, but the private key should not be. In most cryptographic systems, it is extremely difficult to determine the private key from the public key.

Using public/private keys, the lock/unlock algorithm can work in two ways. For example, Alice can encrypt a message with Bob's public key and then send it to Bob. Only the holder of Bob's private key should be able to decrypt and read the message. Conversely, Alice could digitally sign a message with her own private key; anyone else in the world could read the message, and they could use Alice's public key to verify that the message must have come from Alice.
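The two uses of a key pair described above, as an added example in Go that is not part of the original Knowledge Base article: Alice encrypts to Bob's RSA public key so that only Bob's private key can unlock the message, and Alice signs with her Ed25519 private key so that anyone holding her public key can verify the origin. The Party type and its methods are hypothetical helpers; both algorithms come from Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is a hypothetical helper type: one participant holding an RSA key pair
// (for receiving locked messages) and an Ed25519 key pair (for signing).
type Party struct {
	encPriv  *rsa.PrivateKey
	signPriv ed25519.PrivateKey
}

func NewParty() (*Party, error) {
	encPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	_, signPriv, err := ed25519.GenerateKey(rand.Reader)
	return &Party{encPriv: encPriv, signPriv: signPriv}, err
}
// The public halves can be shared openly; the private halves never leave Party.
func (p *Party) EncPub() *rsa.PublicKey     { return &p.encPriv.PublicKey }
func (p *Party) SignPub() ed25519.PublicKey { return p.signPriv.Public().(ed25519.PublicKey) }
// EncryptTo locks a message with the recipient's public key (RSA-OAEP).
func EncryptTo(to *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
}
// Decrypt unlocks with this party's private key; any other key fails with an error.
func (p *Party) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.encPriv, ct, nil)
}
// Sign proves origin with the sender's private key; the message itself stays readable.
func (p *Party) Sign(msg []byte) []byte { return ed25519.Sign(p.signPriv, msg) }
// Verify lets anyone holding the sender's public key check the signature.
func Verify(from ed25519.PublicKey, msg, sig []byte) bool { return ed25519.Verify(from, msg, sig) }

func main() {
	alice, _ := NewParty()
	bob, _ := NewParty()
	ct, _ := EncryptTo(bob.EncPub(), []byte("hello Bob"))
	pt, _ := bob.Decrypt(ct)
	sig := alice.Sign(pt)
	fmt.Printf("%s | signed by Alice: %v\n", pt, Verify(alice.SignPub(), pt, sig))
}
```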

Common technologies that rely on public key cryptography include TLS/SSL and S/MIME.

For more, see Public-key cryptography.

This is document bgpo in the Knowledge Base.
Last modified on 2023-06-12 10:04:41.