Skip to main content
Security

5 Encryption Techniques Explained Simply

TLS, AES, PKI, key rotation, and HSMs explained in plain language — what each one does, where it fits, and how to use them correctly.

John Lane 2021-10-07 6 min read
5 Encryption Techniques Explained Simply

Encryption is one of those topics that everyone agrees matters and almost nobody explains in a useful way. This is a plain-language tour of the five techniques you need to understand to make good encryption decisions — what each one is, what it protects, and where people get it wrong.

1. Symmetric Encryption (AES)

What it is: One key encrypts and decrypts. The same secret is used on both ends. AES (Advanced Encryption Standard) is the one you'll encounter 99% of the time.

Why it matters: It's fast. Modern CPUs have hardware acceleration for AES (AES-NI) that makes encryption essentially free in performance terms. This is why encryption at rest is default-on in every major cloud — the cost is negligible.

Where you see it:

  • Disk encryption (BitLocker, LUKS, FileVault)
  • Database transparent data encryption
  • Cloud object storage encryption (S3, Blob, GCS)
  • VPN tunnels (the bulk data transfer after key exchange)

What "AES-256" means: The key is 256 bits. AES-128 is also fine for most uses; AES-256 is required for some regulatory regimes and is a reasonable default. The "256 is more secure than 128" debate is mostly theater — both are strong enough that the attack will happen somewhere else.

Where it gets dangerous: When the same key is used for too much data (key reuse weakens security), or when the key is stored next to the encrypted data (encryption without key separation is security theater).

2. Asymmetric Encryption (RSA, ECC)

What it is: Two keys, mathematically related. Anything encrypted with one can only be decrypted with the other. One is public and shared, one is private and kept secret.

Why it matters: Symmetric encryption has a key distribution problem — how do two parties share a secret key over an untrusted network? Asymmetric encryption solves it. Alice encrypts a message with Bob's public key. Only Bob's private key can decrypt it. No pre-shared secret needed.

Where you see it:

  • TLS handshakes (establishing a session key)
  • SSH (host keys and user keys)
  • Code signing
  • Email encryption (S/MIME, PGP)
  • JWT signatures

RSA vs ECC: RSA is older and more widely supported. ECC (Elliptic Curve Cryptography) does the same job with smaller keys and faster operations. An ECC-256 key is roughly equivalent in strength to an RSA-3072 key. New deployments should prefer ECC; legacy interop may require RSA.

Where it gets dangerous: When private keys leak. The entire security model is "nobody else has the private key." If that's wrong, everything derived from it is compromised. This is why private keys should live in hardware (HSM, YubiKey, TPM) whenever possible.

3. TLS (Transport Layer Security)

What it is: The protocol that combines asymmetric encryption (for key exchange and authentication) with symmetric encryption (for bulk data) into the thing that protects HTTPS and almost everything else on the modern internet.

Why it matters: Without TLS, every piece of data you send over a network is readable by anyone in the path. With TLS, the connection is encrypted and (crucially) authenticated — you know you're actually talking to the server you think you're talking to.

TLS versions you need to care about:

  • TLS 1.0 and 1.1: Dead. Disable them. They have known weaknesses and modern compliance frameworks flag them as findings.
  • TLS 1.2: Still acceptable. Widely supported, no known attacks when configured correctly.
  • TLS 1.3: Preferred for new deployments. Faster handshake, cleaner cipher choices, removes several legacy features that were security risks.

What "configured correctly" means: Strong cipher suites only, no export ciphers, no RC4, no 3DES, prefer forward secrecy (ECDHE). Tools like Qualys SSL Labs can score your configuration.

Common mistake: Serving TLS with a mismatched certificate chain. Your certificate is valid but the intermediate is missing, so some browsers trust it and others don't. Check the full chain, not just the leaf.

4. PKI and Certificate Management

What it is: The infrastructure that binds identity ("this is example.com") to a public key. A Certificate Authority (CA) vouches that the key-to-identity mapping is real, and your browser trusts the CA.

Why it matters: Encryption without authentication is useless. If you encrypt your data to the wrong public key because you couldn't verify whose it was, you haven't protected anything. PKI is how the verification happens at scale.

The ecosystem you actually deal with:

  • Public CAs (Let's Encrypt, DigiCert, Sectigo) issue certs for public-facing services. Let's Encrypt is free and automated via ACME. Use it.
  • Private CAs (ADCS, Vault PKI, AWS Private CA) issue certs for internal services. Essential for mTLS inside a network.
  • Certificate lifecycle tools (cert-manager in Kubernetes, ACME clients, HashiCorp Vault) automate renewal. Manual certificate management is how outages happen.

The failure mode to avoid: Expired certificates. Every significant outage postmortem list includes "cert expired, nobody had alerts on it." Automate renewal. Alert at 30 days, 14 days, and 7 days out.

5. Key Management and HSMs

What it is: The systems that store and protect the private keys that everything else depends on. At the top of the stack sits the Hardware Security Module (HSM) — a tamper-resistant physical device that generates and holds keys without ever exposing them.

Why it matters: Every encryption technique above is only as secure as the keys it uses. If your keys live in a config file, your encryption is a speed bump. If your keys live in an HSM, extracting them requires physical possession and specialized attack equipment.

The hierarchy:

  • Worst: Keys in source code, config files, or environment variables with file access for everyone.
  • Better: Keys in a secrets manager (Vault, AWS Secrets Manager, Azure Key Vault) with IAM-based access.
  • Better still: Keys in cloud KMS where the key material never leaves the service.
  • Best: Keys in an HSM (cloud HSM or on-prem Luna / Entrust / Thales) with FIPS 140-2 Level 3 validation.

FIPS 140-2 levels: Level 1 is "it's software." Level 2 adds tamper-evident sealing. Level 3 adds tamper-response (the device erases keys if opened). Level 4 is military-grade and rare. For most regulated workloads, Level 3 is the target.

Envelope encryption: The pattern you should use. A local Data Encryption Key (DEK) encrypts the data. A Key Encryption Key (KEK) in the HSM encrypts the DEK. You rotate the KEK often (cheap, one operation) and the DEK rarely (expensive, requires re-encrypting data). This is how cloud providers do it internally.

What We'd Actually Do

For a customer starting from "we know we should encrypt stuff":

  1. Enable default encryption at rest. Every cloud provider has this as a one-click option.
  2. Enforce TLS 1.2 minimum on every public endpoint. Redirect HTTP to HTTPS.
  3. Use Let's Encrypt with automation. No manual cert renewals.
  4. Move secrets to a secrets manager. Any secrets manager is better than env vars in config files.
  5. For regulated data, adopt customer-managed keys in HSM-backed KMS. Azure Key Vault Premium, AWS CloudHSM, Google Cloud HSM.
  6. Rotate keys on a schedule. Automated. Alerted on failure.

Three Takeaways

  1. Symmetric encryption protects data, asymmetric encryption protects keys. Every real system uses both.
  2. Key management is harder than encryption. The algorithms are solved. The key handling is where everything goes wrong.
  3. Automate certificate lifecycle or plan to cause outages. No exceptions.

Talk with us about your infrastructure

Schedule a consultation with a solutions architect.

Schedule a Consultation
Talk to an expert →