Three States of Data β Encryption Matrix
| State | Where It Is | Threat | Solutions |
|---|---|---|---|
| At Rest | Hard drives, SSDs, USB, backups, laptops | Physical theft of storage medium | BitLocker (Windows), FileVault (Mac), EFS (file-level), third-party tools |
| In Database | Database tables and columns | Database dump, SQL injection, insider access | Transparent encryption (whole DB), Column-level encryption (selective) |
| In Transit | Network connections, web traffic, VPN tunnels | Eavesdropping, man-in-the-middle | HTTPS/TLS (browser), Client VPN (SSL/TLS), Site-to-site VPN (IPsec) |
Full-Disk vs. File-Level Encryption
| Property | Full Disk (BitLocker/FileVault) | File-Level (EFS) |
|---|---|---|
| Scope | Entire volume | Specific files or folders |
| Overhead | Higher β all I/O encrypted | Lower β only encrypted files pay overhead |
| Protects against | Physical drive theft | Unauthorized access by other users on same machine |
| Best for | Laptops, mobile devices, servers | Shared servers with mixed sensitivity data |
| Key storage | TPM chip (BitLocker) | User's certificate/key store |
Database: Transparent vs. Column-Level
Transparent Encryption
Entire database encrypted with a symmetric key. Every column, every row. Maximum protection. All queries decrypt on read β higher performance overhead. Best for highly regulated environments.
Column-Level Encryption
Only sensitive columns (SSN, credit card, diagnosis) encrypted. Other columns (name, date, ID) remain plaintext. Faster queries on unencrypted columns. Targeted protection where it matters most.
VPN Types Comparison
| Type | Use Case | Protocol | Who Uses It |
|---|---|---|---|
| Client VPN | Remote employee β Corporate network | SSL/TLS | Work-from-home, travel |
| Site-to-Site VPN | Office A β Office B (always-on) | IPsec | Organizations with multiple locations |
The Algorithm Is Public β The Key Is Secret
Door Lock Analogy (Prof. Messer)
Everyone knows how door locks work. You can read the patent. You can take one apart. But knowing how a lock works doesn't let you through a locked door. You need the key.
Same with encryption: AES is published β anyone can read the math. But without the key, you cannot decrypt the data. The algorithm is the mechanism. The key is the secret.
Implication: Never share your private key. If an attacker gets the key, they can use the published algorithm to decrypt everything.
Everyone knows how door locks work. You can read the patent. You can take one apart. But knowing how a lock works doesn't let you through a locked door. You need the key.
Same with encryption: AES is published β anyone can read the math. But without the key, you cannot decrypt the data. The algorithm is the mechanism. The key is the secret.
Implication: Never share your private key. If an attacker gets the key, they can use the published algorithm to decrypt everything.
| Algorithm | Key Length | Status | Note |
|---|---|---|---|
| DES | 56-bit | Deprecated | Too short β vulnerable to brute force |
| AES-128 | 128-bit | Acceptable | Current minimum for symmetric |
| AES-256 | 256-bit | Recommended | Standard for high-security applications |
| RSA (asymmetric) | 3072-bit+ | Current standard | Key lengths continue growing as processors improve |