What is Encryption?


Encryption converts data into unreadable ciphertext that only authorized parties can decrypt. Learn how encryption works, the types used in enterprise environments, and what it protects.

How Encryption Works: The Technical Foundation

Modern encryption relies on mathematical operations that are cheap to perform with the key and computationally infeasible to reverse without it. The two fundamental categories are symmetric and asymmetric encryption, each with distinct properties and applications.

Symmetric Encryption

Symmetric encryption uses the same key to both encrypt and decrypt data. The sender and receiver must both possess the same key, which must be shared through a secure channel before encrypted communication can begin. The security of the communication depends entirely on the confidentiality of the shared key. The primary advantage of symmetric encryption is performance — symmetric algorithms are orders of magnitude faster than asymmetric alternatives and are used for bulk data encryption. AES (Advanced Encryption Standard) with 256-bit keys is the current standard for symmetric encryption and is used to protect data at rest in storage systems, databases, and encrypted file systems.

Asymmetric Encryption

Asymmetric encryption uses mathematically linked key pairs: a public key that can be freely shared and a private key that must be kept secret. Data encrypted with a public key can only be decrypted by the corresponding private key. This eliminates the key distribution problem of symmetric encryption — you can share your public key with anyone without compromising security. RSA and elliptic curve cryptography (ECC) are the dominant asymmetric algorithms. Asymmetric encryption is computationally expensive and is rarely used for bulk data encryption; instead, it is used to securely exchange symmetric keys and to create digital signatures.

Where Encryption Is Applied: In Transit, At Rest, and In Use

Encryption In Transit

Data in transit — moving across networks — is protected by TLS (Transport Layer Security), the protocol underlying HTTPS. When you connect to a website over HTTPS, your browser and the web server negotiate a TLS connection that encrypts all data exchanged during the session. TLS uses asymmetric cryptography to authenticate the server's identity and exchange a session key, then uses that symmetric session key for the actual data encryption. Email encryption, VPN tunnels, and API communications use similar hybrid approaches combining asymmetric key exchange with symmetric data encryption.
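The key-exchange step of the handshake described above, as an added example in Go (not code from the original article): each side generates an ephemeral X25519 key pair, sends only the public half, and derives the same 256-bit session key locally without the secret ever crossing the wire. The Party, NewParty, SessionKey and Handshake names are chosen for this example; hashing the shared secret with both public keys via SHA-256 stands in for TLS's HKDF transcript derivation, and the certificate-based server authentication is left out.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Party is one side of the handshake. It keeps its ephemeral private key and
// publishes only the public half; a fresh pair is generated per session.
type Party struct{ priv *ecdh.PrivateKey }

func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// Public is the message sent over the network; this is all an eavesdropper sees.
func (p *Party) Public() []byte { return p.priv.PublicKey().Bytes() }

// SessionKey hashes the X25519 shared secret together with both public values into
// a 256-bit key; real TLS runs HKDF over the whole transcript, so SHA-256 here is a simplification.
func (p *Party) SessionKey(peerPub, clientPub, serverPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := p.priv.ECDH(pub) // identical on both sides, never transmitted
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(secret)
	h.Write(clientPub)
	h.Write(serverPub)
	return h.Sum(nil), nil
}

// Handshake models the exchange: each side sends its public key and derives the
// session key locally; both copies are returned so a caller can confirm they match.
func Handshake(client, server *Party) (clientKey, serverKey []byte, err error) {
	cPub, sPub := client.Public(), server.Public() // the two messages on the wire
	if clientKey, err = client.SessionKey(sPub, cPub, sPub); err != nil {
		return nil, nil, err
	}
	serverKey, err = server.SessionKey(cPub, cPub, sPub)
	return clientKey, serverKey, err
}
```

The resulting 32-byte key is what the session then hands to AES for the bulk data encryption the article describes.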

Encryption At Rest

Data at rest — stored in databases, file systems, object storage, and backup systems — should be encrypted to protect against unauthorized access if storage media is lost, stolen, or improperly decommissioned. Full-disk encryption protects laptop and workstation data if a device is lost — BitLocker on Windows and FileVault on macOS are the standard implementations. Database encryption protects data if database files are accessed directly, bypassing application authentication controls. Cloud storage encryption, provided natively by AWS, Azure, and GCP, encrypts object storage and database data at rest by default, though the specific encryption configuration and key management approach varies significantly.

Encryption In Use

The newest frontier of encryption addresses data while it is being actively processed in memory — historically the most difficult environment to protect because data must be decrypted to be processed. Homomorphic encryption enables computation on encrypted data without decrypting it. Secure enclaves create isolated, attestable execution environments where sensitive computation can occur without exposure to the host operating system. These technologies are emerging capabilities in enterprise environments but are not yet broadly deployed in mid-market organizations.

Encryption in Practice: What It Protects and What It Doesn't

What Encryption Definitively Protects

Encryption protects data confidentiality from parties who do not possess the decryption key. A laptop with full-disk encryption lost at an airport does not expose its contents to whoever finds it. A database containing 10 million customer records that is exfiltrated by an attacker who bypasses application controls but cannot access encryption keys exposes ciphertext rather than readable personal data. An email encrypted end-to-end cannot be read by the email provider, network intermediaries, or attackers who intercept it in transit.

What Encryption Does Not Protect

Encryption does not protect against attackers who compromise the systems that hold the decryption keys. An attacker with domain administrator privileges in a Windows environment can access the BitLocker recovery keys stored in Active Directory and decrypt any laptop in the fleet. An attacker who compromises the application can access data after it has been decrypted for processing — the application sees plaintext because it must to function. Ransomware does not defeat encryption; it adds another layer of encryption on top of existing data, making the attacker the new keyholder.

Key Management: The Critical Weakness

The security of encrypted data depends entirely on the security of the encryption keys. Encrypting data with a key stored in the same location as the data provides minimal protection. Key management systems — hardware security modules (HSMs) for on-premises environments and cloud key management services like AWS KMS and Azure Key Vault for cloud environments — provide the secure key storage, access control, and audit logging that make encryption operationally meaningful rather than theatrical.
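A worked illustration of the key-separation point, added here and not part of the original article: envelope encryption in Go, where each record is encrypted under its own AES-256-GCM data key (DEK) and the DEK is stored only in wrapped form under a key-encryption key (KEK) that would live in an HSM or KMS. The names Encrypt, Decrypt, seal and open are assumptions for this example, and the KEK is passed in as bytes to stand in for a KMS call.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal encrypts with AES-256-GCM and prepends the random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on a wrong key or a modified ciphertext.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Encrypt generates a fresh 256-bit data key (DEK) for this record, encrypts the record
// under it, then wraps the DEK under the KEK held by the KMS or HSM. Storage keeps only
// the two ciphertexts; the plaintext DEK is discarded on return.
func Encrypt(kek, plaintext []byte) (wrappedDEK, ciphertext []byte, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err != nil { return nil, nil, err }
	if ciphertext, err = seal(dek, plaintext); err != nil { return nil, nil, err }
	wrappedDEK, err = seal(kek, dek)
	return wrappedDEK, ciphertext, err
}
// Decrypt must obtain the KEK first to unwrap the DEK; a copy of the storage volume
// (wrappedDEK and ciphertext) without the KEK yields nothing readable.
func Decrypt(kek, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil { return nil, errors.New("cannot unwrap data key: wrong or missing KEK") }
	return open(dek, ciphertext)
}
```

Access control and audit logging around the KEK are then what make the stored ciphertext meaningful: whoever copies the volume still has to ask the key manager.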

Real-World Example: Anthem Health Breach — 78 Million Records, No Encryption

The 2015 Anthem health insurance breach exposed 78.8 million records — names, Social Security numbers, dates of birth, addresses, employment information, and income data. The attacker gained access through compromised credentials and extracted data from Anthem's data warehouse. The data was not encrypted at rest. Anthem's position was that encryption was not required by HIPAA for data warehouse environments — technically accurate. The breach cost Anthem $115 million in settlements and established the precedent that reasonable data security expectations extend beyond minimum compliance requirements. Had the data warehouse been encrypted with properly managed keys, the exfiltrated data would have been unreadable ciphertext rather than 78.8 million usable identity records.

85% of data breaches would have had significantly reduced impact if the stolen data had been encrypted at rest. Encryption is the last line of defense when every other control fails.

How Cloudskope Can Help

Cloudskope assesses encryption implementation as part of our data security and cyber risk assessments — evaluating encryption coverage at rest and in transit, key management architecture, and the gap between stated encryption policy and actual deployment. For PE sponsors, encryption posture is evaluated as part of our M&A technical due diligence, with specific attention to regulated data environments in healthcare, financial services, and consumer data sectors.