
Encryption

encryption cryptography security data-protection
Plain English

Encryption scrambles your data so that only someone with the right key can unscramble it. Think of it as writing a letter in a secret code that only you and the recipient know. Even if someone intercepts the letter, they see gibberish. Every time you visit a website with the padlock icon, send a WhatsApp message, or unlock your phone, encryption is protecting your data.

Technical Definition

Encryption is the process of transforming plaintext into ciphertext using a cryptographic algorithm and a key. Only parties possessing the correct decryption key can reverse the process.

Encryption types:

Symmetric encryption (same key for encrypt and decrypt):

  • AES-256-GCM: the gold standard for bulk data encryption. 256-bit key, authenticated encryption (integrity + confidentiality). Used by TLS, disk encryption, VPNs.
  • ChaCha20-Poly1305: alternative to AES, designed by Daniel Bernstein. Faster in software without AES hardware acceleration. Used by WireGuard, TLS 1.3.
  • Challenge: key distribution (how do both parties get the same secret key securely?)

Asymmetric encryption (public key encrypts, private key decrypts):

  • RSA: widely used for key exchange and digital signatures. Key sizes: 2048-bit minimum, 4096-bit recommended.
  • Elliptic Curve (ECDH, ECDSA): equivalent security with much smaller keys (256-bit EC is as strong as 3072-bit RSA). Curve25519 is the modern default.
  • Slower than symmetric; used to establish shared secrets, not for bulk data.

Hybrid approach (used by TLS, PGP, SSH):

  1. Asymmetric encryption exchanges a symmetric session key
  2. Symmetric encryption handles the bulk data using that session key
  3. Combines the key distribution advantage of asymmetric with the speed of symmetric
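The three steps above as working code, added here as an example and not code from the original page. It uses only Go's standard library (crypto/ecdh for X25519, crypto/cipher for AES-256-GCM); the Envelope type, the Seal/Open names, and deriving the session key with a single SHA-256 instead of HKDF are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Envelope: sender's one-time X25519 public key, GCM nonce, ciphertext||16-byte tag.
type Envelope struct{ EphemeralPub, Nonce, Ciphertext []byte }

// deriveKey turns the raw X25519 shared secret into a 256-bit AES key, binding it
// to both public keys. Assumption: a single SHA-256 stands in for HKDF here.
func deriveKey(shared, ephPub, recipientPub []byte) []byte {
	sum := sha256.Sum256(append(append(append([]byte("hybrid-x25519-aes256gcm"), shared...), ephPub...), recipientPub...))
	return sum[:]
}

// newGCM builds the AEAD; a 32-byte key selects AES-256, so neither call can fail.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal: ephemeral X25519 agreement yields the session key (step 1), then AES-256-GCM
// encrypts the bulk data with it (step 2); ephPub is also bound as associated data.
func Seal(recipientPub *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(recipientPub)
	if err != nil { return nil, err }
	ephPub := eph.PublicKey().Bytes()
	gcm := newGCM(deriveKey(shared, ephPub, recipientPub.Bytes()))
	nonce := make([]byte, gcm.NonceSize()) // fresh 96-bit nonce per message
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return &Envelope{ephPub, nonce, gcm.Seal(nil, nonce, plaintext, ephPub)}, nil
}

// Open reverses Seal; any change to nonce, ciphertext, tag or ephemeral key fails the tag check.
func Open(recipientPriv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil { return nil, err }
	shared, err := recipientPriv.ECDH(ephPub)
	if err != nil { return nil, err }
	gcm := newGCM(deriveKey(shared, env.EphemeralPub, recipientPriv.PublicKey().Bytes()))
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}
```

Only the recipient's long-term private key can open the envelope, and the GCM tag turns any bit flip in transit into an error rather than silently corrupted plaintext.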

Encryption at rest vs. in transit:

Type          Protects against                            Examples
At rest       Physical theft, unauthorized disk access    LUKS, BitLocker, FileVault, AWS KMS
In transit    Network eavesdropping, MITM attacks         TLS, WireGuard, SSH
End-to-end    Server operator, warrant requests           Signal, iMessage, PGP

Hashing (one-way, not encryption): SHA-256, bcrypt, Argon2. SHA-256 is used for integrity verification; bcrypt and Argon2 are deliberately slow, salted hashes used for password storage. A hash cannot be reversed.

Encryption operations with OpenSSL

# Encrypt a file with a password-derived AES-256 key.
# Note: "openssl enc" does not support AEAD modes, so "-aes-256-gcm" fails with
# "AEAD ciphers not supported" (older releases ran but silently dropped the tag).
# CBC is used here; it gives confidentiality only, so pair the file with a
# SHA-256 checksum or a signature for integrity.
$ openssl enc -aes-256-cbc -salt -pbkdf2 \
  -in secrets.txt -out secrets.enc
enter AES-256-CBC encryption password:

# Decrypt (the same -pbkdf2 option must be given)
$ openssl enc -aes-256-cbc -d -pbkdf2 \
  -in secrets.enc -out secrets-decrypted.txt

# Generate an RSA key pair
$ openssl genrsa -out private.pem 4096
$ openssl rsa -in private.pem -pubout -out public.pem

# Encrypt with public key, decrypt with private key, using OAEP padding
# rather than the PKCS#1 v1.5 default. RSA can only encrypt a message shorter
# than the key size minus padding, which is why real systems wrap a symmetric
# key this way instead of encrypting the data itself.
$ openssl pkeyutl -encrypt -pubin -inkey public.pem \
  -pkeyopt rsa_padding_mode:oaep \
  -in message.txt -out message.enc
$ openssl pkeyutl -decrypt -inkey private.pem \
  -pkeyopt rsa_padding_mode:oaep \
  -in message.enc -out message-decrypted.txt

# Verify file integrity with SHA-256
$ sha256sum firmware.bin
a1b2c3d4...  firmware.bin

In the Wild

Encryption is non-negotiable for modern systems. HTTPS (TLS) encrypts all web traffic. Full-disk encryption (LUKS on Linux, BitLocker on Windows, FileVault on macOS) protects data if a laptop is stolen. Cloud providers offer server-side encryption at rest (AWS S3 default encryption, Azure Storage encryption) and customer-managed keys via KMS for compliance requirements. Database encryption (Transparent Data Encryption in PostgreSQL, MySQL) protects against unauthorized disk access. End-to-end encryption in messaging apps (Signal protocol) means even the service provider cannot read your messages. The most common encryption mistake in production is not encrypting at all: storing passwords in plaintext, transmitting API keys over HTTP, or leaving database backups on unencrypted volumes.