Module 02 · Lesson 06

Encryption is the last line of defense

If every other control fails — firewall bypassed, credentials compromised, data reached — encryption ensures the attacker gets ciphertext, not customer records.

Three Types

Symmetric · Asymmetric · Hashing

Symmetric (AES-256): Same key encrypts and decrypts. Fast. Bulk data. Data at rest. The workhorse of encryption.
Asymmetric (RSA / ECDSA): Public key encrypts or verifies, private key decrypts or signs. Slower. Key exchange, signatures. Foundation of TLS.
Hashing (SHA-256): One-way transformation. Can't reverse. Passwords, integrity, signatures. Not encryption — verification.

Where to Encrypt

Three states of data

State         | Standard | Implementation
--------------|----------|--------------------------------------------------------------------------------------------
In transit    | TLS 1.3  | All external connections. Internal: mTLS between services in zero trust.
At rest       | AES-256  | Full-disk on all devices. Database-level for sensitive fields. Cloud storage default-on.
In processing | Emerging | Confidential computing: hardware enclaves. AWS Nitro, Azure Confidential, GCP Confidential VMs.

Most organizations have in-transit covered. At-rest is inconsistent. In-processing is nascent.

Key Management

The key is more important than the algorithm

Principle 1: Separate keys from data. Use a KMS (AWS KMS, Azure Key Vault, HashiCorp Vault). Never in config files or source code.
Principle 2: Rotate on schedule. Annually for data keys. More frequently for session keys. Automated rotation.
Principle 3: Audit every use. Every key access logged. Who decrypted what, when.
Principle 4: Key hierarchy. Master key encrypts data keys. Master key never leaves the HSM/KMS.
Principle 5: Incident plan. Documented procedure for emergency key rotation and re-encryption.
Common Failures

How encryption goes wrong

Key next to data: Encryption key in the same S3 bucket as the encrypted files. Attacker gets both.
Hardcoded in code: AES key as a string constant in the application. Visible in Git history forever.
No rotation: Same key used for 5 years. If it was ever exposed, all historical data is compromised.
Wrong algorithm: Using MD5 or DES. Broken algorithms provide a false sense of security.
Encryption theater: "We encrypt everything" but the app server has the decryption key in memory with no access control.
Key Takeaway

Encryption without key management is theater

Remember this

AES-256 has no practical attack with current technology. But if the key is in a config file next to the data, the encryption is meaningless.

Five principles: separate, rotate, audit, hierarchy, incident plan.

Encrypt in transit (TLS 1.3), at rest (AES-256), and start planning for in-processing (confidential computing).
