2.4 Encryption, Hashing, and Data States
Key Takeaways
- Encryption makes data unreadable to unauthorized viewers and requires a key to decrypt it.
- Symmetric encryption uses the same key for encryption and decryption, while asymmetric encryption uses a public and private key pair.
- Data can be protected at rest, in transit, and in use.
- Hashing is one-way and helps verify data integrity or protect stored password values.
Encryption protects readability; hashing verifies fingerprints
Encryption is the process of making data unreadable and unusable to unauthorized viewers. To read encrypted data, it must be decrypted with the required key. If an attacker obtains encrypted data without the key, the data should remain unreadable. SC-900 tests this as a foundational data-protection concept, not as a deep cryptography exam.
Microsoft Learn describes two primary encryption types. Symmetric encryption uses the same key to encrypt and decrypt data; it is fast and well suited to large volumes of data, but every party needs that same secret, so distributing and protecting the shared key is the hard part. Asymmetric encryption uses a mathematically related public and private key pair: the public key can be shared openly, the private key must stay secret. Data encrypted with the public key can be decrypted only with the private key, and a signature made with the private key can be verified by anyone holding the public key. In practice the two are combined: asymmetric encryption protects the exchange of a symmetric key, which then encrypts the bulk data.
| Concept | Exam-safe description |
|---|---|
| Symmetric encryption | Same key encrypts and decrypts data. |
| Asymmetric encryption | Public and private key pair supports encryption and signatures. |
| Data at rest | Data stored on a device, database, or storage account. |
| Data in transit | Data moving across a network or between services. |
| Data in use | Data actively being processed in memory or by compute. |
| Hashing | One-way digest used as a fingerprint of input data. |
Data state matters because protection goals differ. Data at rest is stored data, such as files or database records. Data in transit is moving between locations, such as across the internet or between services. Data in use is actively being processed in memory. SC-900 candidates should recognize that encryption can protect data in each state, even though the implementation differs: disk or storage encryption for data at rest, TLS for data in transit, and hardware-isolated enclaves (confidential computing) for data in use.
Hashing is different from encryption. A hash function converts input of any length into a fixed-length value, called a digest or hash. There is no key and no reverse operation, so the original input cannot be recovered from the digest. The same input with the same algorithm always produces the same digest, and a secure hash function makes it infeasible to find two different inputs with the same digest, which is what makes hashing useful for integrity checks. If a downloaded file's digest differs from the one the publisher listed, the bytes are not the ones the publisher hashed, whether through corruption or tampering. The check is only as trustworthy as the source of the expected value: a digest served from the same place as the download proves little, so it should arrive over a separate trusted channel or be signed.
Hashing is also used in password storage workflows. Instead of storing a plain password, a system can store a hash. During sign-in, the entered password is hashed and compared with the stored value. Salting adds a unique random value per user before hashing, so that identical passwords do not produce identical stored hashes and precomputed lookup tables are useless. General-purpose hashes such as SHA-256 are deliberately fast, which favors an attacker guessing passwords offline, so password storage should use a slow, purpose-built function (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count).
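The following Go program is an added example covering both uses of hashing described above; it is not code from the page or from Microsoft Learn. It uses only the Go standard library. The download-integrity check is SHA-256 with a constant-time comparison, and the password side writes out the PBKDF2-HMAC-SHA256 loop (RFC 8018, single output block) so the salt-and-stretch mechanism is visible; in production you would call a maintained library (Argon2 or bcrypt from golang.org/x/crypto) rather than this hand-written derivation. The function names, the iteration count and the sample data are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// DigestHex returns the SHA-256 fingerprint of data as lowercase hex, the
// form a publisher typically lists next to a download.
func DigestHex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyDigest recomputes the fingerprint and compares it in constant time
// with the value obtained from a trusted source. A mismatch means the bytes
// are not the ones that were hashed; it cannot say who changed them.
func VerifyDigest(data []byte, expectedHex string) bool {
	expected, err := hex.DecodeString(expectedHex)
	if err != nil {
		return false
	}
	sum := sha256.Sum256(data)
	return subtle.ConstantTimeCompare(sum[:], expected) == 1
}

// pbkdf2SHA256 derives 32 bytes with PBKDF2-HMAC-SHA256 for block index 1.
// The salt enters the first HMAC, and every later round feeds the previous
// output back in, so each password guess costs `iterations` HMAC calls.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(i) for the first block, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// Iteration count chosen for this demo; OWASP currently recommends 600,000
// for PBKDF2-HMAC-SHA256.
const iterations = 100_000

// StoredPassword is what the system keeps instead of the plain password.
type StoredPassword struct {
	Salt []byte
	Hash []byte
}

// HashPassword draws a fresh 16-byte random salt per user, so two users with
// the same password get different stored values.
func HashPassword(password string) (StoredPassword, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredPassword{}, err
	}
	return StoredPassword{Salt: salt, Hash: pbkdf2SHA256([]byte(password), salt, iterations)}, nil
}

// CheckPassword re-derives with the stored salt and compares in constant time.
func CheckPassword(stored StoredPassword, attempt string) bool {
	candidate := pbkdf2SHA256([]byte(attempt), stored.Salt, iterations)
	return subtle.ConstantTimeCompare(candidate, stored.Hash) == 1
}

func main() {
	file := []byte("constructed sample: contents of setup.exe")
	published := DigestHex(file)
	fmt.Println("published digest:", published)
	fmt.Println("download intact:", VerifyDigest(file, published))
	fmt.Println("modified download:", VerifyDigest(append([]byte("x"), file...), published))

	a, _ := HashPassword("Correct-Horse-42") // errors ignored only in this demo
	b, _ := HashPassword("Correct-Horse-42")
	fmt.Println("same password, different stored hashes:", !hmac.Equal(a.Hash, b.Hash))
	fmt.Println("right password:", CheckPassword(a, "Correct-Horse-42"))
	fmt.Println("wrong password:", CheckPassword(a, "correct-horse-42"))
}
```

Note that nothing in the stored record is secret-bearing in the way a key is: the salt is stored in the clear next to the hash, and its job is uniqueness, not secrecy.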
Choosing between encryption and hashing
- Use encryption when protected data must be read later by authorized parties.
- Use hashing when you need a one-way fingerprint or comparison value.
- Use key management thinking whenever encryption keys must be stored, rotated, or protected.
The exam often gives the clue in the verb. If the scenario says data must be made unreadable but later recovered by authorized users, encryption is the better answer. If the scenario says verify whether data changed or avoid storing plain passwords, hashing is the better answer. If it asks how encrypted data remains secure, look for key protection and access control.
Which statement correctly distinguishes encryption from hashing?
Which data state describes data moving between services or across a network?
A system needs to verify that a file was not modified after download. Which concept is the best fit?