Encryption: What You Actually Need to Know

Practical encryption knowledge - symmetric vs asymmetric, when to use each, and why key management is harder than the encryption itself.

Tags: Security, Encryption

Encryption isn't optional anymore. Data breaches happen constantly, and unencrypted data is the easiest target. If you're responsible for any infrastructure, you need to understand how encryption works.

Two Types of Encryption

Symmetric encryption uses the same key to encrypt and decrypt. Fast and efficient for large amounts of data. The problem: how do you securely share the key with the other party?

Common algorithm: AES-256 - the industry standard. If you're encrypting data at rest, you're probably using this.

Asymmetric encryption uses a key pair - public key encrypts, private key decrypts. Solves the key distribution problem because you can share your public key freely. Slower than symmetric, so it's typically used for small data or to exchange symmetric keys.

Common algorithms: RSA (older, widely deployed), ECC (newer, smaller keys, same security).

How They Work Together

In practice, you use both. HTTPS does this:

  1. Browser gets server's public key (via certificate)
  2. Browser generates a random symmetric key
  3. Browser encrypts the symmetric key with server's public key
  4. Server decrypts using its private key
  5. Both sides now have the symmetric key for fast encryption

This gives you the best of both worlds: secure key exchange and fast bulk encryption.
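The five steps above, worked through in Go as an added example (this is not code from the post or from any project it names). It uses only the standard library: a freshly generated server key pair stands in for the certificate, the browser side wraps a random AES-256 key with RSA-OAEP, the server unwraps it with its private key, and both sides then encrypt bulk data with AES-256-GCM. The function names (NewServerKey, NewSymmetricKey, HybridExchange, sealAESGCM, openAESGCM) and the sample payload are this example's own assumptions. One caveat a practitioner should know: the list describes RSA key transport, which is how older TLS versions established the session key; TLS 1.3 derives it with an ephemeral Diffie-Hellman exchange instead, but the division of labour between asymmetric and symmetric encryption is exactly the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// NewServerKey stands in for the server's long-lived key pair; in TLS the
// public half reaches the browser inside the certificate.
func NewServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewSymmetricKey returns 32 random bytes: the AES-256 key the client picks.
func NewSymmetricKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// sealAESGCM encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
// GCM authenticates the output, so any modification is caught on decryption.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per message; never reuse with a key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM; it fails if the key is wrong or bytes changed.
func openAESGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// HybridExchange walks the five steps from the post and returns the message
// the server recovers from the client's bulk-encrypted payload.
func HybridExchange(server *rsa.PrivateKey, message []byte) ([]byte, error) {
	// 1. Client obtains the server's public key.
	serverPub := &server.PublicKey
	// 2. Client generates a random symmetric key.
	sessionKey, err := NewSymmetricKey()
	if err != nil {
		return nil, err
	}
	// 3. Client encrypts the symmetric key with the public key (RSA-OAEP).
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// 4. Server decrypts the symmetric key with its private key.
	serverKey, err := rsa.DecryptOAEP(sha256.New(), nil, server, wrapped, nil)
	if err != nil {
		return nil, err
	}
	// 5. Both sides now share the symmetric key for fast bulk encryption.
	ciphertext, err := sealAESGCM(sessionKey, message)
	if err != nil {
		return nil, err
	}
	return openAESGCM(serverKey, ciphertext)
}

func main() {
	server, _ := NewServerKey()
	got, err := HybridExchange(server, []byte("constructed sample payload"))
	fmt.Printf("server recovered %q (err=%v)\n", got, err)
}
```

The choice of GCM rather than a bare block mode is the part worth copying: it authenticates the ciphertext, so flipping a single byte makes openAESGCM return an error instead of silently corrupted plaintext, and decrypting with the wrong key fails the same way.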

Where I Use Encryption

Data at rest: Databases, backups, file storage. AWS S3 server-side encryption, EBS volume encryption, RDS encryption. Enable it by default.

Data in transit: TLS everywhere. HTTPS for web traffic, TLS for database connections, encrypted VPN tunnels.

Secrets: Passwords, API keys, certificates. Never store these in plaintext. Use a secrets manager (AWS Secrets Manager, HashiCorp Vault) or at minimum encrypted environment variables.

Key Management Is the Hard Part

The encryption algorithms are solid. What fails is how we handle keys.

Problems I've seen:

  • Keys stored in the same database as the encrypted data
  • Keys committed to git repositories
  • Keys shared over Slack or email
  • No key rotation for years
  • Losing the only copy of a key (data gone forever)

What works:

  • Managed key services (AWS KMS, GCP Cloud KMS)
  • Hardware security modules for high-security requirements
  • Automated key rotation
  • Key access logging and monitoring
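An added example, not from the post or from any vendor: a hypothetical in-memory KMS that shows the envelope-encryption pattern managed key services are built on, and why it is what makes rotation and access logging cheap. The KMS keeps its key-encryption keys (KEKs) to itself and only ever hands out data keys wrapped under the current KEK version; rotating the KEK means re-wrapping the small data keys, not re-encrypting the data they protect, and every operation, failed ones included, is written to an access log. All names here (KMS, WrappedKey, GenerateDataKey, Decrypt, ReWrap) are this example's own, loosely modelled on the shape of managed services rather than on any real API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// WrappedKey is what the application stores beside its data: the data key encrypted under a KEK version, never the data key itself.
type WrappedKey struct {
	KEKVersion int
	Blob       []byte // nonce || ciphertext || GCM tag
}

// KMS is a hypothetical stand-in for a managed key service: KEKs never leave it, and every key operation is appended to Log.
type KMS struct {
	keks [][]byte // version n is keks[n-1]; old versions stay so their wrapped keys can still be unwrapped and re-wrapped
	Log  []string
}

// Rotate creates a new 256-bit KEK and makes it the current version.
func (k *KMS) Rotate() (int, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return 0, err
	}
	k.keks = append(k.keks, kek)
	return len(k.keks), nil
}

func (k *KMS) aead(version int) (cipher.AEAD, error) {
	if version < 1 || version > len(k.keks) {
		return nil, fmt.Errorf("KEK version %d does not exist", version)
	}
	block, err := aes.NewCipher(k.keks[version-1])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // AES-256-GCM: secrecy plus integrity
}

func (k *KMS) wrap(dek []byte) (WrappedKey, error) {
	g, err := k.aead(len(k.keks)) // the newest version is the current KEK
	if err != nil {
		return WrappedKey{}, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh per wrap; never reused with a KEK
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return WrappedKey{}, err
	}
	return WrappedKey{KEKVersion: len(k.keks), Blob: g.Seal(nonce, nonce, dek, nil)}, nil
}

func (k *KMS) unwrap(w WrappedKey) ([]byte, error) {
	g, err := k.aead(w.KEKVersion)
	if err != nil {
		return nil, err
	}
	if len(w.Blob) < g.NonceSize() {
		return nil, fmt.Errorf("wrapped key too short")
	}
	return g.Open(nil, w.Blob[:g.NonceSize()], w.Blob[g.NonceSize():], nil)
}

// GenerateDataKey returns a fresh data key in plaintext (encrypt with it, then drop it) and wrapped (store this with the data).
func (k *KMS) GenerateDataKey(caller string) ([]byte, WrappedKey, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, WrappedKey{}, err
	}
	w, err := k.wrap(dek)
	k.Log = append(k.Log, fmt.Sprintf("%s GenerateDataKey v%d ok=%t", caller, w.KEKVersion, err == nil))
	return dek, w, err
}

// Decrypt unwraps a stored data key. Failures are logged too: a burst of them is what key access monitoring should alert on.
func (k *KMS) Decrypt(caller string, w WrappedKey) ([]byte, error) {
	dek, err := k.unwrap(w)
	k.Log = append(k.Log, fmt.Sprintf("%s Decrypt v%d ok=%t", caller, w.KEKVersion, err == nil))
	return dek, err
}

// ReWrap moves a wrapped key onto the current KEK without exposing the data key, so KEK rotation never touches the bulk data.
func (k *KMS) ReWrap(caller string, w WrappedKey) (WrappedKey, error) {
	dek, err := k.unwrap(w)
	if err != nil {
		return WrappedKey{}, err
	}
	nw, err := k.wrap(dek)
	k.Log = append(k.Log, fmt.Sprintf("%s ReWrap v%d->v%d ok=%t", caller, w.KEKVersion, nw.KEKVersion, err == nil))
	return nw, err
}

func main() {
	k := &KMS{}
	k.Rotate()
	_, w, _ := k.GenerateDataKey("app")
	fmt.Printf("data key wrapped under KEK v%d; log: %v\n", w.KEKVersion, k.Log)
}
```

The version number stored in WrappedKey is the piece that makes "automated key rotation" operationally possible: after Rotate, a job can find every record still wrapped under an old version and ReWrap it before that version is ever deleted. Deleting a KEK version first is the "only copy of a key" failure from the problems list, just one level up.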

What You Need to Remember

  • AES-256 for symmetric encryption (data at rest, bulk data)
  • RSA or ECC for asymmetric (key exchange, signatures)
  • Enable encryption by default - it's rarely worth the risk to skip it
  • Key management is where encryption actually fails
  • If you're not using a managed key service, you're probably doing it wrong

Key Takeaways

  • Symmetric encryption is fast and used for bulk data
  • Asymmetric encryption solves key distribution
  • TLS combines both for secure communication
  • Encrypt data at rest and in transit as baseline security
  • Key management causes more problems than encryption algorithms
  • Use managed key services whenever possible

Written by Bar Tsveker

Senior CloudOps Engineer specializing in AWS, Terraform, and infrastructure automation.
