Data Encryption: How It Works & Methods Used
By 2025, the amount of data generated in the cloud or connected servers each day will reach around 463 exabytes globally. Businesses must be well-versed in keeping all that data stored in different places safe from breaches and other cyberattacks.
Encryption is a popular and effective method to guard sensitive information and drive security initiatives. Many of your daily online activities, such as online banking, email, online shopping – even the website you’re currently reading this article on – all use encryption.
Let’s understand what data encryption exactly is and the best way to go about it.
What is data encryption?
The Computer Security Resource Center (CSRC) defines encryption as “the cryptographic transformation of data into a form that conceals the data’s original meaning to prevent it from being known or used.”
In simple words, encryption protects sensitive data from prying eyes by scrambling ordinary text (plaintext) into a form (ciphertext) that is impossible to read without the proper decryption key.
An example of basic encryption is swapping each letter with the one that holds its opposite position in the alphabet. That means “a” is replaced with “z,” “b” with “y” and so on.
Here’s a practical application:
“Don’t tell anyone”
changes to
“Wlm’g gvoo zmblmv”
How does encryption work?
Encryption uses complex mathematical algorithms and digital keys to encrypt data. An encryption algorithm (cipher) and an encryption key encode data into ciphertext. Once the ciphertext is transmitted to the recipient, the same or different key (cipher) is used to decode the ciphertext back into the original value.
Encryption keys are the secret sauce to sound data encryption. They are essentially codes and work much like physical keys — only the right key unlocks the encrypted data. Generating encryption keys can be done manually or with software that scrambles data with an algorithm and creates an encryption key.
There are a couple of methods of generating encryption keys:
-
Bit Sequence: It’s also referred to as key space. It specifies the logarithmic units for the number of possible key combinations. The bigger the key space, the more resilient the encryption will be against brute force attacks.
-
Password-Based Key Derivation Function 2 (PBKDF2): Creates keys from passwords. Passwords are supplemented by a pseudo-random string and then mapped to a bit sequence of the desired length using cryptographic hash functions.
What is the purpose of encrypting data?
Modern encryption does more than just protect sensitive data.
- Protects user privacy: Encryption protects user privacy by ensuring no human or computer can read data at rest, except the intended parties. Data, such as tax documents, banking information or an application form, might sit directly on the machine or data, like emails, may be viewed via web browser.
- Prevents identity theft and blackmail: Hackers steal your data and attempt to blackmail you into paying a ransom. If you don’t oblige, attackers threaten you with doxing or leaking your sensitive personal information over the dark web. The leaked data is then used for identity theft. However, if you use encryption to protect personal data, they won’t be able to decrypt it and it has no value to be held for ransom.
- Enables secure file sharing: In 2021, the average cost of a single data breach was around $5 million for organizations with more than four out of five employees working remotely. Remote employees sharing files over unsecured networks makes it easy for cybercriminals to breach data that they intercept during transmission. Encryption ensures no unauthorized personnel or software can access the shared files.
- Protects lost and/or stolen devices: Smartphones, laptops and tablets are relatively easy to misplace or lose. Should an adversary or hacker get their dirty hands on these devices, they can easily steal information that lacks proper protection. Encryption keeps data secured on stolen or lost devices. Hackers cannot gain access to data if they don’t have the password (encryption key).
- Ensures compliance: Encryption helps businesses stay compliant with regulatory requirements and standards. Depending on your industry, encryption might be mandatory to uphold compliance regulations. For instance, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require businesses to encrypt customer personal information when it is stored at rest and when transmitted across public networks.
What is the difference between hashing and encryption?
|
Hashing |
Encryption |
|
Hashing is a one-way function to convert information to a shorter fixed value known as the key. |
Encryption is a two-way function that transforms plaintext into ciphertext and then uses a key to decode the ciphertext into plaintext. |
|
The main objective of hashing is to audit data: indexing and retrieving items from the database. |
The main objective of encryption is to transmit data over networks securely. |
|
Hashed data is of fixed length and does not grow parallel to the increase in information length. |
Encrypted data is not of a fixed length. It grows in parallel with increased information length. |
|
Example: MD5, SHA256 |
Example: RSA, AES and DES |
Data encryption: At rest, in transit and in use
There are three stages during which data can be encrypted:
Encryption at rest
Data at rest means files stored on hard drives, cloud storage, USB devices and smartphones. Data at rest is encrypted for protection against physical and virtual theft. A key is used to encrypt and decrypt data, and encryption at rest keeps the key safe. You can use a PIN, password or hardware authentication system to protect the key, making it impossible for hackers to steal data even if they have physical access to the device.
Encryption in transit
Data transmitted from one network and accessed by another has the potential to be intercepted by actors who have access to the same networks. Encryption protects data in transit. Most routers now have WiFi protected access (WPA) encryption enabled, but business networks can add another layer of protection with WPA2 Enterprise. Data in transit over the internet is encrypted using Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure File Transfer Protocol (SFTP).
Encryption in use
Data is neither at rest nor in transit. Instead, data is viewed, edited or deleted – since it is intended to be in “use.” Mobile and cloud apps constantly have data in use. This data is susceptible to threats depending on where the data lives on the system and who can access and/or use it. The best way to protect data in use is to ensure that the application will adopt the most secure encryption within its source code.
Encryption methods
The two most distinct encryption methods are symmetric and asymmetric.
Symmetric encryption
Symmetric Key Encryption, also called private-key cryptography, uses a single key to encrypt and decrypt data. The sender and recipient must have the same key to achieve secure communications. The key provides an unbroken layer of encryption from start to finish by using the same key for encryption and decryption keys. The single key could be in the form of a password, code or string of randomly generated numbers. Popular examples of symmetric encryption are AES, DES and Triple DES.
Asymmetric encryption
Asymmetric key encryption, also known as public-key cryptography, uses two different keys – a public key to encrypt and a private key to decrypt. Asymmetric encryption offers better security by verifying data source and non-repudiation (the author cannot dispute its authorship). However, it slows down the transmission process, network speed and machine performance. A popular example of asymmetric encryption is RSA.
Symmetric encryption vs. asymmetric encryption
|
Symmetric |
Vs. |
Asymmetric |
|
Needs a single key for both encryption and decryption. |
Keys |
Needs two keys – one to encrypt and the other one to decrypt. |
|
Faster encryption process. |
Speed |
Slower encryption process. |
|
The length of the keys used is typically 128 or 256 bits. |
Key Length |
The length of the keys is larger, around 2048 bits or higher. |
|
Transfers large chunks of data. |
Function |
Transfers smaller chunks of data to authenticate and establish a secure communication channel prior to the actual data transfer. |
|
Sharing a single key increases the risk of key compromise. |
Security |
No need to share keys. Two keys are separately made for encryption and decryption, improving overall security. |
Encryption algorithms
An algorithm uses the encryption key to encrypt the data into ciphertext and the ciphertext data back into plaintext using the decryption key. There are many encryption algorithms, but these are the popular ones.
DES encryption
The Data Encryption Standard (DES) is block encryption that works at the bit level. The plaintext is broken down into blocks of 64 bits, which are then individually encrypted with a 64-bit key. In this way, the 64-bit plaintext is translated into 64-bit ciphertext. Since each eighth bit of the key acts as a parity bit (or check bit), only 56 bits are available for encryption. DES is insecure because the 56-bit key is too small and has since been withdrawn as a security standard since it is not secure enough for the modern data security landscape.
Triple DES encryption
Triple Data Encryption Standard is a symmetric key encryption algorithm that replaced the original DES. It uses three individual 56-bit keys and runs DES three times — encrypt, decrypt and re-encrypt before it is sent to the recipient. Triple DES is slowly being phased out in favor of stronger encryption algorithms.
AES encryption
AES Encryption stands for Advanced Encryption Standard (also known as Rijndael) and follows a symmetric encryption algorithm, i.e., the same key is used to encrypt and decrypt the data. AES utilizes a fixed block size of 128 bits and a key size of 128, 192 or 256 bits. Due to speed, compatibility, design simplicity and high immunity to known cyberattacks, AES is commonly used to encrypt data on hardware and software across the world.
RSA encryption
RSA is named after its creators Ron Rivest, Adi Shamir and Len Adelman. It uses mathematical one-way functions, which are easy to implement but can only be reversed with considerable computational effort. RSA encryption strength increases exponentially with the increase in key size to around 1024 or 2048 bits long. The increase in key length is a clear sign of better data security, thereby used as the encryption standard for all internet transactions.
Encryption with Unitrends
Backup sits in a unique location; it touches all aspects of the digital environment, from physical servers, virtual machines, clouds, endpoints and application data. As such, the security and integrity of our customer data is always a top priority at Unitrends.
Unitrends physical appliances and virtual appliances utilize AES-256 bit encryption. All data is encrypted whether it is at rest on the local appliance, in transit to a secondary recovery target or at rest on the target.
Encryption can be the difference between a solid business continuity and disaster recovery (BCDR) strategy and a sloppy one. However, encryption isn’t the only factor. Learn more about what makes a BCDR strategy great with our eBook 5 Steps to Building Your BCDR Solution.
