2.4 Encryption, Hashing, and Data States
Key Takeaways
- Encryption makes data unreadable to unauthorized viewers and is reversible with the correct key; SC-900 tests it as a data-protection concept, not deep cryptography.
- Symmetric encryption uses one shared key for both encrypt and decrypt (fast, good for bulk data, e.g. AES); asymmetric encryption uses a public/private key pair (e.g. RSA) and underpins key exchange and digital signatures.
- Data exists in three states — at rest (stored), in transit (moving across a network), and in use (being processed in memory) — and each can be protected with encryption.
- Hashing is one-way: it produces a fixed-length digest that cannot be reversed, so it is used for integrity checks and password storage (with salting), not for confidentiality.
- The exam clue is in the verb: 'make unreadable but recoverable by authorized users' -> encryption; 'detect change or avoid storing plain passwords' -> hashing.
Encryption: reversible protection with a key
Encryption is the process of making data unreadable and unusable to unauthorized viewers. To read encrypted data, it must be decrypted using the required key. If an attacker steals encrypted data but not the key, the data should stay unreadable — which is why encryption protects the confidentiality goal of the CIA triad. SC-900 tests encryption as a foundational concept, not as a mathematics exam, so focus on what each type is for and when to choose it.
Microsoft Learn describes two primary types:
| Type | Keys used | Strengths | Typical use | Example algorithms |
|---|---|---|---|---|
| Symmetric | One shared secret key for both encrypt and decrypt | Fast; efficient for large volumes of data | Bulk data encryption, storage and disk encryption | AES, 3DES |
| Asymmetric | A related public/private key pair | Solves key distribution; enables digital signatures | Key exchange, TLS handshakes, signing, certificates | RSA, ECC |
Symmetric encryption uses the same key to encrypt and decrypt. It is fast, but the challenge is securely sharing that single key between parties. Asymmetric encryption uses a mathematically related public key and private key. Data encrypted with the public key can be decrypted only with the matching private key (confidentiality), and data signed with the private key can be verified with the public key (authenticity and integrity via digital signatures). In practice, systems often combine both — asymmetric encryption to exchange a symmetric session key, then fast symmetric encryption for the bulk data.
The three data states
Protection goals differ depending on where data is, so SC-900 expects you to know the three states and that encryption can protect each:
- Data at rest — data stored on a device, disk, database, or storage account. Protected by storage/disk encryption (for example, encrypting an Azure Storage account or a database).
- Data in transit — data moving across a network, between services, or over the internet. Protected by transport encryption such as TLS/HTTPS.
- Data in use — data actively being processed in memory or by compute. This is the hardest to protect; technologies like confidential computing aim to protect it while in use.
A common distractor invents a fourth state such as 'data in retirement' — there are only three. Expect a scenario like 'data is moving between two microservices' (in transit) or 'records are saved in a database' (at rest), and match the state to the right encryption point.
Key management matters
Encryption is only as strong as the protection of its keys. If keys are exposed, the encryption is defeated. Whenever a scenario asks 'how does encrypted data stay secure,' the answer involves protecting, storing, and rotating keys (in Azure, services like Azure Key Vault manage keys and secrets) and controlling who can access them. 'Bring your own key' and 'customer-managed keys' are options where the customer controls the key material.
Hashing: one-way fingerprints
Hashing is fundamentally different from encryption. A hash function converts any input into a fixed-length value called a digest (or hash). Three properties define it:
- One-way — you cannot reverse a hash to recover the original input. There is no 'decryption key' for a hash.
- Deterministic — the same input with the same algorithm always produces the same digest.
- Avalanche effect — changing even one character of the input produces a completely different digest.
These properties make hashing ideal for integrity verification: if a downloaded file's computed hash differs from the published hash, the file changed in transit. Hashing is also used in password storage. Rather than storing a plaintext password, a system stores its hash; at sign-in, the entered password is hashed and compared to the stored value. Salting adds a unique random value before hashing so that two users with the same password get different stored hashes, defeating precomputed (rainbow-table) attacks.
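The three hash properties and both uses above (file integrity check, salted password storage) carried through in Python's standard library. This is an added illustration, not code from Microsoft Learn or the SC-900 material; the file bytes, the "published" hash and the passwords are constructed sample values, and PBKDF2-HMAC-SHA256 is the chosen salted password scheme.

```python
import hashlib
import hmac
import secrets

# Constructed sample "download": the publisher's hash is what a vendor would post
# beside the file so a recipient can verify integrity after transfer.
FILE_BYTES = b"quarterly-report-v1.pdf contents"
PUBLISHED_SHA256 = hashlib.sha256(FILE_BYTES).hexdigest()


def sha256_hex(data: bytes) -> str:
    """Deterministic, fixed-length (64 hex chars), one-way digest of any input."""
    return hashlib.sha256(data).hexdigest()


def file_unchanged(data: bytes, published_hex: str) -> bool:
    """Integrity check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(sha256_hex(data), published_hex)


def differing_hex_positions(digest_a: str, digest_b: str) -> int:
    """Avalanche effect: a one-character input change flips most digest positions."""
    return sum(1 for a, b in zip(digest_a, digest_b) if a != b)


# Salted password storage: the system keeps (salt, hash), never the plaintext.
PBKDF2_ROUNDS = 200_000  # slows brute force; tune to the deployment's hardware


def store_password(password: str):
    """Return (salt, hash) to store; a fresh random salt per user."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """At sign-in: re-hash the entered password with the stored salt and compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    print("intact:", file_unchanged(FILE_BYTES, PUBLISHED_SHA256))
    print("tampered:", file_unchanged(FILE_BYTES + b"x", PUBLISHED_SHA256))
    print("positions changed:", differing_hex_positions(sha256_hex(b"abc"), sha256_hex(b"abd")))
    salt, h = store_password("correct horse battery")
    print("sign-in ok:", verify_password("correct horse battery", salt, h))
```

Two users with the same password get different stored hashes because each call to `store_password` draws its own salt, which is exactly what defeats a precomputed rainbow table.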
Encryption vs. hashing — choosing correctly
| If the scenario says... | Choose | Because |
|---|---|---|
| Data must be unreadable now but recoverable later by authorized users | Encryption | Encryption is reversible with the correct key |
| Verify whether a file or message was altered | Hashing | A changed input yields a different digest |
| Avoid storing plaintext passwords | Hashing (with salt) | Hashes are not reversible to the original password |
| Two parties must exchange a secret over an open network | Asymmetric encryption | A public/private key pair solves key distribution |
The exam often hides the answer in the verb. 'Make unreadable but later recover' signals reversible encryption. 'Detect change' or 'don't store the plain password' signals one-way hashing. A frequent trap is claiming hashing keeps data secret — it does not provide confidentiality; it provides a tamper-evident fingerprint.
Digital signatures tie it together
A digital signature combines hashing and asymmetric encryption, and it is a favorite exam connection point. The sender hashes the message to create a digest, then encrypts that digest with their private key to form the signature. The recipient decrypts it with the sender's public key, re-hashes the received message, and compares the digests. A match gives two assurances: integrity (the message was not altered) and authenticity/non-repudiation (only the private-key holder could have signed it). A digital signature does not hide the message — it proves who sent it and that it was unchanged, not that it is secret.
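The hash-then-sign flow above, written out as an added example in Python (not code from the page or from Microsoft). It uses textbook RSA with a fixed toy key pair built from the Mersenne primes 2^61-1 and 2^89-1, an assumption for illustration: the SHA-256 digest is reduced into the modulus range, which a real signature scheme with padding (for example RSA-PSS) would not do, but the structure is the one the exam describes.

```python
import hashlib

# Toy RSA key pair (assumption for illustration): two known primes, public
# exponent 65537, private exponent computed as its inverse mod (p-1)(q-1).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # needs Python 3.8+

PUBLIC_KEY = (N, E)    # shared with anyone who needs to verify
PRIVATE_KEY = (N, D)   # kept by the signer only


def digest_as_int(message: bytes, modulus: int) -> int:
    """Hash the message, then map the digest into [0, modulus) (toy step)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def sign(message: bytes, private_key) -> int:
    """Sender: hash the message, then 'encrypt' the digest with the private key."""
    n, d = private_key
    return pow(digest_as_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient: 'decrypt' the signature with the public key, re-hash the
    received message, and compare the two digests."""
    n, e = public_key
    recovered_digest = pow(signature, e, n)
    return recovered_digest == digest_as_int(message, n)


if __name__ == "__main__":
    msg = b"Transfer 100 to account A"      # constructed sample message
    sig = sign(msg, PRIVATE_KEY)
    print("valid:", verify(msg, sig, PUBLIC_KEY))
    print("altered message:", verify(b"Transfer 1000 to account A", sig, PUBLIC_KEY))
```

Note that `verify` takes the message in the clear: the signature proves origin and integrity, and nothing here hides the message.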
One-paragraph cheat sheet
Encryption protects confidentiality and is reversible with a key (symmetric = one shared key, fast, bulk data; asymmetric = public/private pair, key exchange and signatures). Hashing protects integrity, is one-way, and is used for tamper detection and salted password storage. Data lives in three states — at rest, in transit, in use — and encryption can protect each.
Which statement correctly distinguishes symmetric from asymmetric encryption?
A company wants to ensure that a password file cannot be reversed to reveal plaintext passwords even if the file is stolen. Which technique fits best?
Data that is moving between two services across the network is in which data state?
Which goal does encryption primarily support, and what makes it different from hashing?