Data Encryption 101: The Quick Guide to Data Encryption Best Practices
You hear all the time about how important it is to encrypt data. But what does encryption actually mean? Which best practices should you follow when encrypting your data? Which tools are available for data encryption?
Keep reading for answers to these pressing data encryption questions.
What is data encryption?
Put simply, data encryption is a process that changes data from its original format into a new format. To translate it back, you typically need a special encryption key or code.
A very simple data encryption example involves taking every letter in a word and changing it to the letter that follows it in the alphabet, so that the word “dog” becomes “eqh,” for instance. In this case, the encryption key to unlock the encrypted data would be code that switches the letters back by moving them one place lower in the alphabet.
Obviously, it would not be very difficult in the example above for someone to guess how your encryption scheme works and reverse-engineer your encryption key.
But if your process for encrypting your data were much more complicated – if, for example, you used a complex set of rules to move letters around, inserted random data in various places and converted the letters differently depending on where they are located as well as which letters they are – you would end up with encrypted data that would be much harder for someone to decrypt unless they had an encryption key that could reverse your encryption process.
What is an encryption key?
An encryption key is used both to translate data into a scrambled, unreadable form, and to transfer it back.
There are different types of encryption keys and different ways to use them. If you use symmetric keys, you use the same key for both encrypting and decrypting data. Asymmetric encryption uses different keys for the encryption and decryption processes.
Which data can you encrypt?
Although not all data is the same, virtually all data can be encrypted. You can encrypt data while it is “at rest,” which means it is stored in a static location like a disk. You can also encrypt data “in motion,” such as when it is being transferred over the network. You can encrypt data on any type of operating system. You can encrypt data stored in file systems, as well as data stored on block data. You can encrypt data stored directly on a bare-metal server, as well as data in a virtual machine or on a virtual disk.
There are certain types of data that you would probably not want to encrypt, such as the data stored in /proc on a Linux server. This type of data should be secured in other ways (such as via file-level access control, in the case of /proc).
Read our eBook
IBM i Encryption 101
This eBook provides an introduction to encryption, including best practices for IBM i encryption.
Popular data encryption algorithms
The specific process that you use to encrypt and decrypt data is called an algorithm. Dozens of different encryption algorithms have been widely used in the last several decades, but the leading ones today include:
- Triple DES
Although all of these data encryption algorithms can encrypt data in ways that meet most modern standards, they are not created equal. Some are better at encrypting certain types of data than others. They can also perform differently on different types of infrastructure; some algorithms might be faster if you have lots of memory but less CPU power, for instance, whereas others do better in CPU-rich environments. It is, therefore, a good idea to experiment with different encryption algorithms in order to see which ones best serve your needs.
Data encryption tools
Most encryption algorithms can be implemented by many different tools. In other words, there is no single, specific program you have to use if you want to encrypt data using, say, the AES algorithm. You can choose from lots of different implementations, depending on which operating system you use.
Like the different encryption algorithms, some encryption tools might be faster than others, and some are better at encrypting or decrypting certain types of data. Some excel at encrypting small volumes of data but are not as effective with large amounts of data, or vice versa. This means that when it comes to selecting specific encryption tools, you should also experiment with at least a few to see which ones best meet your needs.
Data encryption best practices
A complete guide to data encryption is beyond the scope of this 101-level article, but in general, the following principles are good to follow if you want to encrypt data securely and efficiently:
- Keep your encryption key secure! This should be exceedingly obvious, but it can be easy to make mistakes that allow unauthorized parties to access your data. For example, if you leave your encryption key in an unencrypted file on your PC, there is a good chance that someone could find it and wreak havoc. A few solutions could be to: separate the keys from the data, separate the duties and access limits of users, and rotate your keys on a schedule.
- Encrypt all types of sensitive data, no matter where they are stored or how unlikely you think someone is to find them. This should also be blatantly obvious, but if you follow IT security headlines, you know that lots of big-name companies have been breached simply because they left important data unencrypted and someone gained access to it. By encrypting your data, you make it much harder for someone who is able to breach your systems to do something bad.
- Assess data encryption performance. Effective data encryption entails not just making your data unreadable to unauthorized parties, but doing so in a way that uses resources efficiently. If it is taking too long or consuming too much CPU time and memory to encrypt your data, consider switching to a different algorithm or experimenting with settings in your data encryption tools.
For information on encryption for IBM i, read our eBook: IBM i Encryption 101