Lesson 7	Applied encryption processes
Objective	Describe how modern encryption is applied to protect data in motion and at rest, and how to operationalize it safely.

Application of Encryption to Security

Encryption underpins confidentiality, integrity, authenticity, and non-repudiation across today’s systems. In practice, it is a composition of symmetric cryptography for performance, asymmetric cryptography for identity and key exchange, and hash-based primitives for integrity.

What strong encryption solves

Confidentiality: Prevent passive eavesdropping (AES-GCM or ChaCha20-Poly1305).
Integrity: Detect tampering (AEAD tags, HMAC with SHA-256/512).
Authenticity: Prove who you’re talking to (X.509 certs, TLS server auth, mTLS for client auth).
Non-repudiation: Signatures with private keys (RSA-PSS, ECDSA P-256, or Ed25519).

Modern building blocks

Symmetric ciphers: AES-GCM (128/256) or ChaCha20-Poly1305.
Hashes/KDFs: SHA-256/512; HKDF/ PBKDF2/ Argon2 for key derivation.
Asymmetric: RSA-2048+ (prefer 3072) or elliptic curves (P-256/Ed25519).
Certificates & PKI: X.509 with CA trust, short lifetimes, OCSP stapling.

Data in transit (TLS 1.3 & HTTPS)

Use TLS 1.3 for web and service traffic. SSLv2/3 and S-HTTP are obsolete. Prefer modern cipher suites (AEAD) with perfect forward secrecy, enable HSTS, and consider mutual TLS for service-to-service auth. Default HTTPS on TCP 443; validate certificates and hostname, and pin where appropriate.

Data at rest

System level: Full-disk encryption (BitLocker, LUKS/FileVault).
Database: Transparent Data Encryption (TDE) plus column/field encryption for high-sensitivity data.
Files/objects: File-level encryption and per-object keys in object storage.
Keys: Store and rotate in a KMS/HSM; separate duties for key admins vs data admins.

Key management

Generate keys with CSPRNGs; never hard-code.
Protect keys in KMS/HSM; restrict export; audit usage.
Distribute symmetric keys via asymmetric exchange (e.g., ECDH in TLS 1.3).
Rotate routinely and on compromise; version keys and re-encrypt as needed.

Digital signatures & certificates

Sign data (or digests) with a private key; verify with the public key to provide integrity, authenticity, and non-repudiation. Certificates bind keys to identities; automate issuance/renewal (e.g., ACME). Prefer RSA-PSS or ECDSA/Ed25519, and short-lived certs with OCSP stapling.

Email security

Content protection: S/MIME or OpenPGP for end-to-end encryption and signatures.
Transport: SMTP MTA-STS/STARTTLS for hop-to-hop encryption (not end-to-end).
Domain authentication: SPF + DKIM + DMARC (not encryption, but essential to trust).

Applied encryption processes (putting it together)

Production systems combine primitives: asymmetric exchange (ECDHE) to agree on a symmetric session key (AES-GCM/ChaCha20-Poly1305), hashed with HKDF, authenticated via a certificate, and logged with integrity controls. For data at rest, encrypt with AES-GCM using keys issued and rotated by a KMS/HSM.

Protocols & legacy cleanup

Use: TLS 1.3, SSHv2 (for remote admin), IPsec in tunnel mode for site-to-site, modern VPNs (WireGuard/IKEv2).
Avoid/replace: SSL, S-HTTP, rsh/rlogin, telnet, RC4, DES/3DES, MD5/SHA-1, export ciphers.

Create test certificates with OpenSSL

For internal labs or non-public services you can use self-signed or private-CA certs. For public sites, use a trusted CA (ACME/Let’s Encrypt).

Generate a private key:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out server.key

Create a CSR:

openssl req -new -key server.key -out server.csr -subj "/CN=www.example.com/O=Example Ltd/C=US"

Self-sign for lab use (365 days):

openssl x509 -req -in server.csr -signkey server.key -days 365 -sha256 -out server.crt

Operational checklist

Force HTTPS; enable HSTS; prefer TLS 1.3 only.
Use AEAD cipher suites and forward secrecy; disable legacy ciphers.
Centralize keys in KMS/HSM; rotate on schedule and on incident.
Encrypt sensitive data at rest; back up keys securely.
Instrument with certificate transparency, OCSP stapling, and audit trails.

Terminology refresh

Symmetric encryption: One key for encrypt/decrypt (e.g., AES-GCM).
Asymmetric encryption: Public/private keys for exchange and identity (e.g., ECDH, RSA-PSS/ECDSA).
Hash algorithms: SHA-256/512 for integrity; use HMAC for keyed integrity.
Digital signatures: Prove origin; verify integrity and provide non-repudiation.

Authentication layers (certificates, signatures, and key pairs) complement encryption to ensure that the sender and service are who they claim to be, and that messages have not been altered in transit.

Firewall Strategies - Exercise

Click the Exercise link below to review methods used to secure email.

Firewall Strategies - Exercise