Chapter 12 Β· Concepts

Encrypting Data: Visual Maps

The three states of data, encryption methods for each, and the algorithm/key relationship.

Three States of Data β€” Encryption Matrix

StateWhere It IsThreatSolutions
At RestHard drives, SSDs, USB, backups, laptopsPhysical theft of storage mediumBitLocker (Windows), FileVault (Mac), EFS (file-level), third-party tools
In DatabaseDatabase tables and columnsDatabase dump, SQL injection, insider accessTransparent encryption (whole DB), Column-level encryption (selective)
In TransitNetwork connections, web traffic, VPN tunnelsEavesdropping, man-in-the-middleHTTPS/TLS (browser), Client VPN (SSL/TLS), Site-to-site VPN (IPsec)

Full-Disk vs. File-Level Encryption

PropertyFull Disk (BitLocker/FileVault)File-Level (EFS)
ScopeEntire volumeSpecific files or folders
OverheadHigher β€” all I/O encryptedLower β€” only encrypted files pay overhead
Protects againstPhysical drive theftUnauthorized access by other users on same machine
Best forLaptops, mobile devices, serversShared servers with mixed sensitivity data
Key storageTPM chip (BitLocker)User's certificate/key store

Database: Transparent vs. Column-Level

πŸ”’

Transparent Encryption

Entire database encrypted with a symmetric key. Every column, every row. Maximum protection. All queries decrypt on read β€” higher performance overhead. Best for highly regulated environments.

πŸ”‘

Column-Level Encryption

Only sensitive columns (SSN, credit card, diagnosis) encrypted. Other columns (name, date, ID) remain plaintext. Faster queries on unencrypted columns. Targeted protection where it matters most.

VPN Types Comparison

TypeUse CaseProtocolWho Uses It
Client VPNRemote employee β†’ Corporate networkSSL/TLSWork-from-home, travel
Site-to-Site VPNOffice A ↔ Office B (always-on)IPsecOrganizations with multiple locations

The Algorithm Is Public β€” The Key Is Secret

Door Lock Analogy (Prof. Messer)
Everyone knows how door locks work. You can read the patent. You can take one apart. But knowing how a lock works doesn't let you through a locked door. You need the key.

Same with encryption: AES is published β€” anyone can read the math. But without the key, you cannot decrypt the data. The algorithm is the mechanism. The key is the secret.

Implication: Never share your private key. If an attacker gets the key, they can use the published algorithm to decrypt everything.
AlgorithmKey LengthStatusNote
DES56-bitDeprecatedToo short β€” vulnerable to brute force
AES-128128-bitAcceptableCurrent minimum for symmetric
AES-256256-bitRecommendedStandard for high-security applications
RSA (asymmetric)3072-bit+Current standardKey lengths continue growing as processors improve