During an HTTPS session, why does the browser switch from asymmetric encryption to a symmetric session key after the handshake?

Symmetric encryption is much faster, so it handles the bulk data after asymmetric crypto safely exchanges the key. Asymmetric crypto solves the key-distribution problem at the start of the connection, but it is slow. Once both sides share a symmetric session key, AES encrypts the actual page data efficiently. This hybrid approach is exactly why TLS uses both algorithm types.

A technician must encrypt an entire laptop drive so a stolen laptop's data cannot be read. The laptop runs Windows 11 Pro with a TPM. Which tool fits best?

BitLocker full-disk encryption sealed to the TPM. BitLocker performs full-volume encryption and uses the TPM to bind the key to the hardware, protecting all data if the laptop is stolen. EFS only protects selected files, a format is reversible, and degaussing does nothing to an SSD.

A user visits their public banking site and the browser shows a certificate name-mismatch warning. What is the correct action?

Do not proceed, because the warning may indicate an impostor site or on-path attack. On a public website, a certificate mismatch can mean you have reached a fraudulent or intercepted site, so you should stop rather than continue. Bypassing the warning is only reasonable on an internal host with a known, trusted self-signed certificate.

Encryption & Data Protection — Free CompTIA A+ Guide 2026

Symmetric vs Asymmetric Encryption

Encryption questions on 220-1202 hinge on one idea: symmetric is fast but has a key-distribution problem; asymmetric solves distribution but is slow. Real systems combine both.

Symmetric (one shared key)

The same key encrypts and decrypts.
Fast enough for bulk data (full-disk, Wi-Fi, VPN payloads).
Weakness: both sides must already share the key secretly.

Algorithm	Key length	Status
AES	128 / 192 / 256-bit	Current standard — BitLocker, TLS, WPA2/3
3DES	168-bit (effective 112)	Legacy, being retired
DES	56-bit	Obsolete — broken

Asymmetric (key pair)

A public key and a mathematically linked private key.
Anyone encrypts with your public key; only your private key decrypts.
Slow, so it is used for key exchange and digital signatures, not bulk data.

Algorithm	Typical use
RSA	Certificates, signatures, key exchange
ECC	Same security with smaller keys — mobile/IoT
Diffie-Hellman	Negotiates a shared secret over an open channel

How HTTPS Actually Works (Hybrid)

Client connects to the server on port 443.
Server presents its digital certificate containing its public key.
Client validates the cert against a trusted Certificate Authority (CA) chain.
Both sides use asymmetric crypto to agree on a one-time symmetric session key.
All page data flows under fast symmetric AES.

Why hybrid: asymmetric solves the secret-sharing problem at the start, then symmetric handles the heavy lifting because asymmetric encryption of every packet would be far too slow. Hashing (SHA-256) is separate again — it verifies integrity and stores passwords, and is one-way (no decryption).

Data Protection States

State	Where it lives	Protection
Data at rest	Drives, databases, backups	Full-disk encryption (BitLocker, FileVault), EFS
Data in transit	Crossing a network	TLS/HTTPS, VPN, SSH, encrypted email
Data in use	Loaded in RAM/CPU	Access controls, process isolation, secure enclaves

A laptop stolen from a car illustrates all three: full-disk encryption protects the drive at rest, a VPN would have protected anything it sent in transit, and screen-lock plus least privilege guard data in use.

Windows Encryption Tools

BitLocker — Full-Disk Encryption

Encrypts entire volumes with AES-128 or AES-256.
Prefers a TPM chip to seal the key to the hardware; without TPM it requires a startup USB key or boot PIN.
Available only in Windows Pro and Enterprise, not Home.
BitLocker To Go encrypts removable USB drives.
Save the recovery key to a Microsoft account, AD/Entra, USB, or print — losing it locks you out permanently.

EFS — Encrypting File System

Encrypts individual files/folders, not whole drives.
Tied to the user's certificate; transparent while that user is logged in.
Also Pro/Enterprise only; if the user profile/certificate is lost without backup, files are unrecoverable.

BitLocker vs EFS: BitLocker defends against physical theft of the whole drive; EFS defends against another user on the same machine opening your files. macOS uses FileVault for full-disk encryption.

Certificates and PKI

Component	Purpose
Certificate Authority (CA)	Trusted issuer (DigiCert, Let's Encrypt)
Digital certificate	Binds a public key to an identity
Certificate chain	Root CA → intermediate → server cert
Revocation (CRL/OCSP)	Invalidates a compromised cert early

Browser Certificate Warnings

Expired — past its validity date.
Self-signed — not from a trusted CA (common internally).
Name/domain mismatch — cert name differs from the URL.
Revoked — invalidated for compromise.

Rule: never click through a certificate warning on a public website. It can mean an impostor site or an on-path attacker. Proceed only on an internal host where you trust a known self-signed certificate.

Hashing vs Encryption, and Mobile Encryption

The exam routinely contrasts hashing with encryption, and confusing the two costs points. Encryption is reversible with a key; hashing is a one-way fingerprint with no key and no way back. Hashes (MD5 is broken; SHA-256 is current) verify that a downloaded file was not altered and store passwords so the plaintext is never kept. A salt adds random data to each password before hashing so identical passwords produce different hashes, defeating precomputed rainbow tables.

A quick decision guide:

Need to read the data back later? Use encryption (AES for bulk, RSA/ECC for key exchange).
Need only to verify integrity or store a password? Use a salted hash.
Need to prove who sent something? Use a digital signature — the sender hashes the message and encrypts the hash with their private key; anyone verifies it with the public key. This provides integrity and non-repudiation at once.

Mobile and Removable Media

Modern phones encrypt storage by default once a screen lock is set, and full-device encryption is mandatory on managed devices through Mobile Device Management (MDM). For removable drives, BitLocker To Go on Windows and hardware-encrypted USB keys protect data if the stick is lost. A remote wipe through MDM destroys data on a stolen device.

Exam scenario: an executive's encrypted laptop is stolen but powered off. Because the volume was encrypted at rest with BitLocker and the recovery key was escrowed in Active Directory, the data is unreadable to the thief and recoverable by IT — the textbook payoff of encrypting data at rest. The lesson the exam reinforces is that encryption only helps if it is enabled BEFORE the loss and the recovery key is safely backed up.

CompTIA A+

1Introduction & Exam Overview

2Core 1 Domain 1: Mobile Devices (13%)

3Core 1 Domain 2: Networking (23%)

4Core 1 Domain 3: Hardware (25%)

5Core 1 Domain 4: Virtualization & Cloud Computing (11%)

6Core 1 Domain 5: Hardware & Network Troubleshooting (28%)

7Core 2 Domain 1: Operating Systems (28%)

8Core 2 Domain 2: Security (28%)

9Core 2 Domain 3: Software Troubleshooting (23%)

10Core 2 Domain 4: Operational Procedures (21%)