What Is Encryption: A Beginner's Guide
A plain-language introduction to encryption, covering symmetric and asymmetric methods, where encryption is used, and why it matters.
Encryption transforms readable data (plaintext) into an unreadable format (ciphertext) using a mathematical algorithm and a key. Only someone with the correct key can reverse the process (decryption) and read the original data. Without the key, the ciphertext is meaningless.
Think of it like a lockbox. You put your message inside, lock it with a key, and send the box. Anyone who intercepts it sees only a locked box. Only the person with the right key can open it.
Symmetric encryption uses the same key for both encryption and decryption. Both the sender and receiver must have a copy of the key.
AES (Advanced Encryption Standard) is the most widely used symmetric algorithm. It comes in three key sizes: AES-128, AES-192, and AES-256. AES-256 is the standard for protecting classified information. It is fast, efficient, and secure against all known practical attacks.
Symmetric encryption is computationally efficient, making it suitable for encrypting large amounts of data: hard drives, database fields, file archives, and network traffic.
The challenge with symmetric encryption is key distribution. How do you securely share the key with the other party? If you send it over the internet, someone might intercept it. This is where asymmetric encryption helps.
Asymmetric encryption uses two mathematically related keys: a public key (shared openly) and a private key (kept secret). Data encrypted with the public key can only be decrypted with the private key, and vice versa.
RSA is the most well-known asymmetric algorithm, based on the difficulty of factoring the product of two large primes. RSA keys of 2048 bits or larger are considered secure. Elliptic Curve Cryptography (ECC) achieves equivalent security with much smaller keys, making it faster and more efficient.
Asymmetric encryption is slower than symmetric, so it is typically used to encrypt small amounts of data, like exchanging a symmetric session key. This hybrid approach powers TLS/HTTPS: asymmetric crypto establishes the connection and shares a symmetric key, then symmetric crypto handles the bulk data transfer.
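The symmetric round trip described above and the hybrid pattern that TLS uses can be shown together in one program. The following Go example was added for this guide and is not code from the article's authors: it encrypts bulk data with AES-256 in GCM mode (so tampering is detected, not just hidden), then wraps the randomly generated session key with the recipient's RSA-2048 public key using OAEP. The function names, the Envelope struct, and the sample message are all constructed for illustration; the primitives are Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// encryptAESGCM encrypts plaintext under a 32-byte (AES-256) key with AES-GCM.
// A random 12-byte nonce is prepended to the output; GCM also appends an
// authentication tag, so any change to the ciphertext is rejected on decrypt.
func encryptAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAESGCM reverses encryptAESGCM. It returns an error if the key is
// wrong or if the ciphertext or tag was modified in transit.
func decryptAESGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Envelope (constructed for this example) is what the sender transmits: the
// AES session key wrapped with the recipient's RSA public key, plus the bulk
// data encrypted under that session key.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
}

// hybridEncrypt mirrors the TLS pattern: a fresh symmetric session key handles
// the bulk data, and only the small session key goes through slow RSA-OAEP.
func hybridEncrypt(pub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	ct, err := encryptAESGCM(sessionKey, msg)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// hybridDecrypt unwraps the session key with the private key, then decrypts
// the bulk data. Only the private-key holder can complete the first step.
func hybridDecrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return decryptAESGCM(sessionKey, env.Ciphertext)
}

func main() {
	// The recipient generates an RSA-2048 key pair; the public half is shared openly.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message: quarterly payroll export")
	env, err := hybridEncrypt(&priv.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	got, err := hybridDecrypt(priv, env)
	fmt.Println("round trip ok:", err == nil && string(got) == string(msg))

	// Flip one ciphertext bit: GCM's authentication tag rejects the message.
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01
	_, err = hybridDecrypt(priv, env)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The design choice worth noticing is that the session key never travels in the clear, which is exactly the key-distribution problem symmetric encryption alone cannot solve. Using GCM rather than a bare block mode also means a wrong key or a modified ciphertext produces an error instead of silently decrypting to garbage.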
Encryption at rest protects stored data. Your laptop's full-disk encryption (BitLocker on Windows, FileVault on macOS) ensures that if the device is stolen, the data cannot be read without the decryption key. Databases, backups, and cloud storage should all encrypt data at rest.
Encryption in transit protects data as it travels across networks. HTTPS/TLS encrypts web traffic. VPNs encrypt all network traffic between your device and the VPN server. SSH encrypts remote administration sessions. Without encryption in transit, anyone on the same network (coffee shop Wi-Fi, compromised ISP, man-in-the-middle attacker) can read your data.
End-to-end encryption (E2EE) ensures that only the communicating parties can read the messages. The service provider cannot decrypt the content, even if compelled by law enforcement. Signal, WhatsApp, and iMessage use E2EE for messaging. ProtonMail uses it for email.
E2EE provides the strongest privacy guarantees but limits the service provider's ability to scan for malicious content or provide account recovery if you lose your keys.
Encrypting but not managing keys properly. Encryption is only as strong as key management. If keys are stored alongside the encrypted data, or hardcoded in application source code, encryption provides no real protection.
Using outdated algorithms. DES (56-bit key) was broken decades ago. 3DES is deprecated. RC4 has known biases. Use AES for symmetric encryption and RSA-2048+ or ECC for asymmetric.
Confusing encoding with encryption. Base64 is encoding (reversible by anyone). It provides no security. Hashing is one-way (not reversible). Encryption is two-way (reversible with the key). These are different tools for different purposes.
Not encrypting backups. Organizations encrypt their databases but leave backups unencrypted. If an attacker accesses your backup storage, they get all the data without needing to defeat the database's encryption.
Written by CDA Wiki Team