Encryption
Definition
Transforming data so that only parties with the key can read it. Two orthogonal axes:
- At rest vs in transit
- Symmetric (AES) vs asymmetric (RSA, ECC)
Modern systems use envelope encryption: the data is encrypted with a symmetric data key, and that data key is in turn encrypted (wrapped) with an asymmetric KMS key; the wrapped key is stored alongside the ciphertext, so only the small key blob ever goes to the KMS.
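Envelope encryption end to end, as an added example that is not part of the original note: a fresh 256-bit data key encrypts the object with AES-256-GCM, and the data key is then wrapped with RSA-OAEP under the KMS key. A locally generated RSA key stands in for the KMS (a real KMS never releases the private half); the object name used as associated data and the OAEP label are assumptions chosen for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what gets stored next to the object: the AES-GCM ciphertext
// (tag included), its nonce, and the data key wrapped by the KMS key.
// The plaintext data key is never stored.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedDEK []byte
}

// oaepLabel binds the wrapped blob to its purpose (constructed value).
var oaepLabel = []byte("envelope-dek-v1")

// NewKMSKey stands in for the asymmetric KMS key (assumption: RSA-2048 as
// the key-encryption key). A real KMS keeps the private half and only
// exposes wrap/unwrap operations.
func NewKMSKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt: fresh data key per object -> AES-256-GCM over the data ->
// data key wrapped with RSA-OAEP(SHA-256) under the KMS public key.
// aad is authenticated but not encrypted (here: the object name), so an
// envelope copied onto a different object fails to decrypt.
func Encrypt(kmsPub *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	defer zero(dek) // plaintext DEK lives only for the duration of this call

	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad)

	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kmsPub, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt reverses the steps: unwrap the DEK with the KMS private key (the
// only step a real KMS performs), then open the GCM ciphertext locally.
func Decrypt(kmsPriv *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kmsPriv, env.WrappedDEK, oaepLabel)
	if err != nil {
		return nil, err
	}
	defer zero(dek)

	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Open fails if the ciphertext, nonce, tag or aad were altered.
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms, err := NewKMSKey()
	if err != nil {
		panic(err)
	}
	objName := []byte("bucket/obj-42") // constructed sample object name
	env, err := Encrypt(&kms.PublicKey, []byte("customer record 42"), objName)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d ciphertext bytes + %d wrapped-key bytes\n", len(env.Ciphertext), len(env.WrappedDEK))

	pt, err := Decrypt(kms, env, objName)
	fmt.Printf("decrypt ok: %v, plaintext=%q\n", err == nil, pt)

	// The same envelope attached to a different object (wrong aad) is rejected.
	_, err = Decrypt(kms, env, []byte("bucket/obj-43"))
	fmt.Printf("wrong aad rejected: %v\n", err != nil)
}
```

Rotating the KMS key only requires re-wrapping each small `WrappedDEK`, not re-encrypting the objects themselves, which is the operational reason for the two-layer design.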
Where it appears
🌐 Networking
- TLS — ubiquitous L7 encryption in transit
- IPsec — L3 encryption (site-to-site VPN)
- WireGuard — modern VPN using Noise framework
- MACsec — L2 encryption
🐧 Linux
- LUKS / dm-crypt — full-disk encryption
- eCryptfs / fscrypt — per-directory
- GPG — file-level
☁️ Cloud
- AWS KMS / Azure Key Vault — managed encryption keys (envelope encryption)
- S3/EBS/Blob encryption — at rest, usually on by default
- TLS on ALB/App Gateway — termination or passthrough
📦 Containers
- mTLS in service mesh — Istio, Linkerd
- Encrypted secrets — sealed-secrets, SOPS, external secrets operator
🔐 Cybersecurity
- PKI — certificate authorities, CRL/OCSP
- Hash vs encryption — hashing is one-way (password storage), encryption is reversible by anyone holding the key