What is Encryption?
What is Encryption?
Encryption is the process of converting readable data (plaintext) into an unreadable format (ciphertext) using a cryptographic algorithm and a key. Only authorized parties with the correct decryption key can convert the ciphertext back to plaintext. Encryption is one of the most important technical controls for protecting the confidentiality of sensitive data and is required by virtually every compliance framework.
Types of encryption
Symmetric encryption — uses the same key for both encryption and decryption. It is fast and efficient for large volumes of data. Common algorithms include AES-256 (the current standard) and AES-128.
Asymmetric encryption — uses a pair of keys: a public key for encryption and a private key for decryption. It is used for key exchange, digital signatures, and scenarios where parties cannot share a secret key in advance. Common algorithms include RSA and elliptic curve cryptography (ECC).
Hashing — technically not encryption (it is one-way and cannot be reversed), but often discussed alongside encryption. Hashing produces a fixed-length output from any input, used for password storage and data integrity verification. Common algorithms include SHA-256 and bcrypt.
Encryption at rest
Encryption at rest protects data stored in databases, file systems, backups, and storage media. If a storage device is stolen or improperly decommissioned, encryption prevents unauthorized access to the data.
Common implementations include:
- Full disk encryption (BitLocker, FileVault, LUKS)
- Database encryption (Transparent Data Encryption)
- File-level encryption
- Cloud storage encryption (most cloud providers offer encryption at rest by default)
Encryption in transit
Encryption in transit protects data as it moves between systems over networks. It prevents eavesdropping, man-in-the-middle attacks, and data interception.
Common implementations include:
- TLS 1.2 or 1.3 for web traffic (HTTPS)
- TLS for email (SMTP with STARTTLS)
- VPN tunnels for site-to-site or remote access connections
- SSH for administrative access
- IPsec for network-level encryption
Key management
Encryption is only as strong as its key management. Poor key management undermines the protection encryption provides. Key management best practices include:
- Key generation — use cryptographically secure random number generators
- Key storage — store keys separately from the data they protect, using hardware security modules (HSMs) or key management services
- Key rotation — rotate keys periodically to limit exposure if a key is compromised
- Key access control — restrict key access to authorized personnel and systems
- Key destruction — securely destroy keys when no longer needed
Encryption requirements across frameworks
- SOC 2 — CC6.1 and CC6.7 address protection of data through encryption and other mechanisms
- ISO 27001 — control A.8.24 addresses use of cryptography
- HIPAA — encryption is an addressable implementation specification for ePHI at rest (45 CFR 164.312(a)(2)(iv)) and a requirement for ePHI in transit (45 CFR 164.312(e)(1))
- PCI DSS — Requirement 3 requires encryption of stored PAN, and Requirement 4 requires encryption of PAN in transit over open networks
Common mistakes
- Using outdated algorithms (DES, 3DES, RC4, SSL, TLS 1.0/1.1)
- Storing encryption keys alongside encrypted data
- Failing to encrypt backups
- Not encrypting data in transit within internal networks
- Hardcoding keys in application source code
How episki helps
episki tracks your encryption implementations across systems, monitors certificate expirations, and documents encryption policies and key management practices for audit evidence. Learn more on our compliance platform.
