Chapter 12 Β· Glossary

Key Terms: Encrypting Data

16 essential terms for data-at-rest, database, and data-in-transit encryption.

Data at Rest
Data stored on a physical medium β€” hard drives, SSDs, USB drives, laptops, backup tapes. Vulnerable if the storage medium is physically stolen or removed. Protected by full-disk or file-level encryption.
Data in Transit
Data actively moving across a network β€” between browsers and servers, between office sites, between API endpoints. Vulnerable to interception (eavesdropping, man-in-the-middle). Protected by TLS/HTTPS, VPNs, and IPsec.
BitLocker
Microsoft Windows full-volume encryption feature. Encrypts an entire disk volume so that the data is unreadable without the decryption key. Commonly stores the key in the TPM chip. Protects against physical theft of the drive.
FileVault
Apple macOS full-disk encryption feature. Provides the same protection as BitLocker β€” encrypts the entire volume. Data is unreadable without the user's login credentials or a recovery key.
EFS (Encrypting File System)
Windows file-level encryption built into the NTFS file system. Allows individual files or folders to be encrypted, rather than the entire volume. Enabled through a file's Advanced Attributes. Useful for selective protection on shared servers.
Transparent Database Encryption
Encrypts an entire database using a symmetric key. All data β€” every column, every row β€” is encrypted. Queries automatically decrypt data when accessed. Maximum protection but higher performance overhead than selective encryption.
Column-Level Encryption
Encrypts only specific database columns containing sensitive data (e.g., SSN, credit card numbers) while leaving other columns in plaintext. Reduces performance overhead because non-sensitive columns can be queried without decryption.
HTTPS
HyperText Transfer Protocol Secure β€” HTTP with TLS encryption. Encrypts all communication between a web browser and server. Indicated by the padlock icon and "https://" prefix. Standard for any website handling sensitive information.
VPN (Virtual Private Network)
Creates an encrypted tunnel across a public network. All data sent through the VPN is encrypted. Client VPNs (SSL/TLS) connect remote users to a corporate network. Site-to-site VPNs (IPsec) connect two office networks.
IPsec
Internet Protocol Security β€” a suite of protocols for authenticating and encrypting IP packets. Commonly used for site-to-site VPN connections between office networks. Operates at the network layer, encrypting all IP traffic.
Encryption Algorithm
The mathematical formula used to transform plaintext into ciphertext. Algorithms (AES, DES, RSA) are typically public β€” the math is known. Security comes from the KEY, not the algorithm secrecy. Both parties must use compatible algorithms.
AES (Advanced Encryption Standard)
The current standard symmetric encryption algorithm, replacing DES. Supports key lengths of 128, 192, and 256 bits. Widely used for file encryption, TLS, VPNs, and virtually all modern encryption systems.
DES (Data Encryption Standard)
An older symmetric encryption algorithm now considered too weak for most purposes. 56-bit key length is vulnerable to brute force. Replaced by AES. Still appears on exams as a comparison point for what NOT to use.
Key Length
The size of an encryption key in bits. Longer keys = exponentially more brute-force attempts needed. Symmetric: 128-bit minimum (AES-256 recommended). Asymmetric: 3072-bit or larger (RSA). As processors get faster, minimum key lengths increase over time.
Brute Force Attack
An attack that tries every possible key until the correct one is found. Defeated by using sufficiently long keys. A 128-bit symmetric key has 2^128 possible values β€” infeasible to brute-force with current technology.
Key Stretching / Key Strengthening
Applying a hash function multiple times (hashing the hash of the hash, etc.) to make brute-force attacks more expensive. Each brute-force attempt must also perform the same chain of hashes, multiplying the attacker's computation time. Used for password storage.