AlignTrust
Data Security

Encryption

The process of encoding data so that only authorised parties with the correct key can read it — protecting information in transit and at rest.

What Is Encryption?

Encryption transforms readable data (plaintext) into an unreadable format (ciphertext) using a cryptographic algorithm and a key. Only parties with the correct decryption key can reverse the process and read the original data.

Encryption protects data in two states:

  • Encryption in transit: Protects data as it moves between systems — over the internet, between servers, or across a network. HTTPS/TLS is the most common example.
  • Encryption at rest: Protects data stored on disk, in databases, or in cloud storage. Even if an attacker gains physical access to a drive, encrypted data is useless without the key.

Common Encryption Standards

  • AES-256: Advanced Encryption Standard with 256-bit keys. The current gold standard for symmetric encryption. Used for disk encryption, file encryption, and database encryption.
  • TLS 1.3: Transport Layer Security. Secures data in transit. All websites using HTTPS use TLS.
  • RSA / ECC: Asymmetric (public-key) algorithms, used for key exchange and digital signatures rather than for encrypting bulk data.

Encryption in Practice for SMBs

Device encryption: Enable BitLocker (Windows) or FileVault (macOS) on all laptops and workstations. If a device is stolen, data remains protected.

Cloud storage: Most major cloud providers (AWS S3, Google Cloud, Azure Blob) encrypt data at rest by default. Verify this is enabled.

Email encryption: For highly sensitive communications, use end-to-end encrypted email or secure file transfer rather than standard email.

Database encryption: Use transparent data encryption (TDE) for databases containing customer or sensitive business data.

Password storage: Passwords must never be stored in plaintext, and they should not be stored with reversible encryption either — always use a purpose-built, salted password hashing algorithm (bcrypt, Argon2, scrypt), which is one-way and cannot be reversed even by someone holding the server's keys.

What Encryption Does Not Do

Encryption protects data from unauthorised access to storage or transmission — but it does not protect against an authorised user with a valid key misusing data, or an attacker who has already compromised a decryption key. Access controls and monitoring are equally important.