Encryption & Data Protection
Key Takeaways
- Symmetric encryption uses the same key for both encryption and decryption (AES, DES, 3DES) and is fast — used for encrypting data at rest and bulk data transfer.
- Asymmetric encryption uses a key pair (public key to encrypt, private key to decrypt) and is slower — used for key exchange, digital signatures, and secure communication setup (RSA, ECC).
- HTTPS uses TLS (Transport Layer Security) to encrypt web traffic — the padlock icon in the browser indicates that the connection is encrypted and that the certificate is valid for the site's domain; it says nothing about whether the site operator itself is trustworthy.
- BitLocker encrypts entire Windows drives using AES encryption and requires TPM 2.0 — without TPM, a startup USB key can be used as an alternative.
- Data at rest (stored data) should be encrypted with full-disk encryption (BitLocker, FileVault), data in transit (network traffic) should be encrypted with TLS/VPN, and data in use (processing) is protected by access controls.
Last updated: March 2026
Encryption Types
Symmetric Encryption (Single Key)
- Same key encrypts and decrypts
- Fast — suitable for large amounts of data
- Challenge: Both parties need the same key (key distribution problem)
| Algorithm | Key Length | Status |
|---|---|---|
| AES | 128, 192, or 256 bits | Current standard — used by BitLocker, HTTPS, WPA2/3 |
| 3DES | 168 bits (effective 112) | Legacy — being phased out |
| DES | 56 bits | Obsolete — too weak, do not use |
Asymmetric Encryption (Key Pair)
- Uses two related keys: public key (encrypt) and private key (decrypt)
- Slower than symmetric — used for key exchange and digital signatures
- Solves the key distribution problem
| Algorithm | Use Case |
|---|---|
| RSA | Key exchange, digital signatures, certificate authentication |
| ECC (Elliptic Curve) | Smaller keys with equivalent security, mobile/IoT |
| Diffie-Hellman | Secure key exchange (establishes shared secret) |
How HTTPS Works (Simplified)
- Client connects to server on port 443
- Server sends its digital certificate (containing its public key)
- Client verifies the certificate with a trusted Certificate Authority (CA)
- Client and server use asymmetric encryption to agree on a symmetric session key
- All subsequent data is encrypted with the fast symmetric key (AES)
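Steps 4 and 5 are where the symmetric and asymmetric tables above meet: the slow public-key operation is used once to agree on a key, and the fast AES cipher protects every record after that. The Go program below is an added example written for this page, not code from the original article or from any TLS implementation. It uses ephemeral X25519 Diffie-Hellman for the agreement (the form of Diffie-Hellman modern TLS actually uses, rather than RSA key transport) and AES-256-GCM for the records, and it leaves out the certificate check of steps 2 and 3 entirely. The names Party, RunHandshake, the HKDF label "example session key" and the sample request string are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// hkdfSHA256 is RFC 5869 HKDF (empty salt) written out with hmac so the example needs only the standard library.
func hkdfSHA256(secret, info []byte, outLen int) []byte {
	ext := hmac.New(sha256.New, nil) // extract: PRK = HMAC(salt, shared secret)
	ext.Write(secret)
	prk := ext.Sum(nil)
	var out, prev []byte
	for i := byte(1); len(out) < outLen; i++ { // expand: T(i) = HMAC(PRK, T(i-1) | info | i)
		h := hmac.New(sha256.New, prk)
		h.Write(prev)
		h.Write(info)
		h.Write([]byte{i})
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:outLen]
}

// Party is one endpoint: an ephemeral X25519 key pair for the asymmetric agreement, then AES-256-GCM for bulk traffic.
type Party struct {
	priv *ecdh.PrivateKey
	aead cipher.AEAD
}

func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicKey is the only key material that crosses the network; the private key never leaves the host.
func (p *Party) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// DeriveSession combines our private key with the peer's public key; both sides reach the same secret, which HKDF turns into the AES key.
func (p *Party) DeriveSession(peerPub []byte) error {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return err
	}
	block, err := aes.NewCipher(hkdfSHA256(shared, []byte("example session key"), 32))
	if err != nil {
		return err
	}
	p.aead, err = cipher.NewGCM(block)
	return err
}

// Seal encrypts and authenticates one record; the random nonce is prepended to the ciphertext.
func (p *Party) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return p.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails on any modification of the record (GCM authenticates as well as encrypts).
func (p *Party) Open(record []byte) ([]byte, error) {
	ns := p.aead.NonceSize()
	if len(record) < ns {
		return nil, errors.New("record too short")
	}
	return p.aead.Open(nil, record[:ns], record[ns:], nil)
}

// RunHandshake plays both roles: key agreement (step 4), then one encrypted application record (step 5).
func RunHandshake(msg []byte) ([]byte, error) {
	client, err1 := NewParty()
	server, err2 := NewParty()
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	err := errors.Join(client.DeriveSession(server.PublicKey()), server.DeriveSession(client.PublicKey()))
	if err != nil {
		return nil, err
	}
	record, err := client.Seal(msg)
	if err != nil {
		return nil, err
	}
	return server.Open(record)
}
```

RunHandshake returns the bytes the server decrypted, so a caller can check that the client's plaintext survived the round trip. The point to notice is that no symmetric key is ever transmitted: each side computes it from its own private key and the other side's public key, which is exactly what makes the key distribution problem from the symmetric section disappear.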
Data Protection States
| State | Description | Protection Method |
|---|---|---|
| Data at Rest | Stored on drives, databases, backups | Full-disk encryption (BitLocker, FileVault), EFS, database encryption |
| Data in Transit | Moving across a network | TLS/SSL (HTTPS), VPN, SSH, encrypted email |
| Data in Use | Being processed in memory | Access controls, process isolation, secure enclaves |
Windows Encryption Tools
BitLocker (Full-Disk Encryption)
- Encrypts entire volumes using AES-128 or AES-256
- Requires TPM 2.0 (or startup USB key without TPM)
- Available only in Pro and Enterprise editions
- BitLocker To Go encrypts removable USB drives
- Recovery key options: Microsoft account, USB drive, print, Active Directory
EFS (Encrypting File System)
- Encrypts individual files and folders (not entire drives)
- Uses the user's certificate and encryption key
- Transparent to the user — files appear normal when logged in
- Available in Pro and Enterprise editions
- If the user profile or certificate is lost, encrypted files become unrecoverable (unless backed up)
BitLocker vs. EFS: BitLocker encrypts entire drives and protects against physical theft. EFS encrypts individual files and protects against other users on the same computer accessing your files.
Digital Certificates
| Component | Purpose |
|---|---|
| Certificate Authority (CA) | Trusted organization that issues certificates (DigiCert, Let's Encrypt, Comodo) |
| Digital Certificate | Electronic document that binds a public key to an identity |
| Certificate Chain | Hierarchy from root CA → intermediate CA → server certificate |
| Certificate Revocation | Invalidating a compromised certificate before its expiration |
Certificate Warnings in Browsers
- Expired certificate — Certificate is past its validity date
- Self-signed certificate — Not issued by a trusted CA (common in internal testing)
- Domain mismatch — Certificate name does not match the website's domain
- Revoked certificate — Certificate has been invalidated due to compromise
Security Rule: Do NOT proceed past certificate warnings unless you understand and trust the reason (e.g., known self-signed cert on an internal server). Certificate warnings on public websites indicate potential security risk.
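The checks behind these warnings can be reproduced with a standard library. The Go program below is an added example for this page, not code from the original and not a browser's own validation code. It builds a disposable root CA -> intermediate CA -> server certificate chain for the constructed host name intranet.example.com, then runs the same verification a client performs and labels the outcome with the warning categories from the list above. The fixed date, the names Chain, BuildChain and Classify, and the certificate subjects are all invented for the example. Revocation is the one warning it cannot reproduce: CRL and OCSP lookups are separate from chain verification and are not performed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fixed clock so the constructed certificates give the same answers on every run.
var now = time.Date(2026, 3, 1, 0, 0, 0, 0, time.UTC)

// issue signs tmpl with parent's key, or self-signs it when parent is nil.
// Constructed test material only; real CA issuance involves far more than this.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Chain is the hierarchy from the table: root CA -> intermediate CA -> server certificate.
type Chain struct{ Root, Inter, Leaf *x509.Certificate }

// BuildChain constructs a three-level chain whose server certificate is valid
// for host from one month before now until three months after.
func BuildChain(host string) Chain {
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, rootKey := issue(caTmpl, nil, nil)
	interTmpl := *caTmpl
	interTmpl.SerialNumber, interTmpl.Subject = big.NewInt(2), pkix.Name{CommonName: "Example Intermediate CA"}
	inter, interKey := issue(&interTmpl, root, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.AddDate(0, -1, 0), NotAfter: now.AddDate(0, 3, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ := issue(leafTmpl, inter, interKey)
	return Chain{root, inter, leaf}
}

// Classify runs the checks a browser runs before showing the padlock and maps
// the failure to the warning categories listed above. Revocation (CRL/OCSP) is
// not part of Verify and is not checked here.
func Classify(c Chain, trustRoot bool, host string, at time.Time) string {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if trustRoot {
		roots.AddCert(c.Root) // the browser's trust store plays this role
	}
	inters.AddCert(c.Inter) // the server sends its intermediate along with the leaf
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: at})
	var invalid x509.CertificateInvalidError
	var hostErr x509.HostnameError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &hostErr):
		return "domain-mismatch"
	case errors.As(err, &unknown):
		return "untrusted-issuer" // self-signed, or issued by a CA the client does not trust
	default:
		return "other"
	}
}

func main() {
	c := BuildChain("intranet.example.com")
	fmt.Println(Classify(c, true, "intranet.example.com", now))                  // ok
	fmt.Println(Classify(c, true, "intranet.example.com", now.AddDate(1, 0, 0))) // expired
	fmt.Println(Classify(c, true, "other.example.com", now))                     // domain-mismatch
	fmt.Println(Classify(c, false, "intranet.example.com", now))                 // untrusted-issuer
}
```

The four calls in main correspond to the padlock case and three of the four warnings above. The "untrusted-issuer" case is what a self-signed internal certificate produces: the chain is intact, but nothing in it is in the trust store, which is why the security rule allows proceeding only when you already know why that root is missing.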
Test Your Knowledge
- What type of encryption uses the same key for both encryption and decryption?
- What encryption algorithm is the current industry standard used by BitLocker, HTTPS, and WPA3?
- What should you do if your browser displays a certificate warning when visiting a public website?