The Basics of Data Encryption: How it Works and Why You May Need It

Even if you don’t count yourself among the paranoid or have no problem with some prying eyes wandering through your collection of funny GIFs, nice photos of your dog at walk or raging complaint letters to an online store you wrote last week, consider that any of the electronic devices you own may contain some sensitive data you’d better kept under wraps, like login information for various websites, banking details or financial documents, corporate files, browsing history and on and on. In fact, there are various methods aimed at concealing your digital secrets from nasty snoopers out there, that’s why it’s quite easy to get confused, especially if you’re not a techie. No doubt, you’ve already come across the term encryption, which has become one the hottest topics in the past few years, but what does it actually mean? Does this protection technology deserve your attention or is it for geeks only? Are there any pitfalls?

Encryption can be simple or extremely complex, but the concept itself is pretty straightforward: a special algorithm paired with a secret key is used to transform information stored on the disk or transmitted over the network into some gibberish code, ensuring that even if someone gains unauthorized access to your data, they’ll come to nothing, being simply unable to read it. As a rule, such data is referred to as ciphertext, and to make it readable again one needs to know the correct key. Although theoretically it is possible to break encryption by guessing the secret key, in reality, this could take ages, especially when complicated ciphering is applied.

In general, there are two major types of data to be encrypted: in transit and at rest. Data in transit is traveling from one device to another or via a network, like emails, messenger app conversations, online banking transactions, etc. For example, when you buy something on eBay, your address and the payment information you enter get encrypted so that no one could steal your identity and use it to commit a crime. In contrast, data at rest is not moving anywhere, it is just sitting on the hard drive of your PC or any external device like a USB stick. You can lock the entire storage or choose to protect some separate files you don’t want anyone to open. Thus, we can distinguish two forms of encryption: full disk encryption and file encryption.

Full disk encryption protects the entire system, automatically encrypting any file saved to the drive, whether it is created by the user or by the OS. To access it a special “authentication device” is required, like a password, token or smart card, which lets the system retrieve the encryption key and decrypt the storage. However, after you have logged into the system, every piece of data becomes vulnerable again as anyone can access it if you leave your computer unattended.

With file encryption, it’s up to you to decide which data will be encrypted (documents, databases, presentations, etc. or even whole folders and subfolders) and it will remain safe even after you’ve completed the authorization procedure. Still, application software, such as Microsoft Office Word or a web browser, may create temporary files or file copies which won’t be encrypted at all and can be retrieved if one has a strong determination to do so.

What’s more, there are two principal types of encryption algorithms you can choose from:

Private-key algorithms. Those are also called secret-key or symmetric. This technology is the simplest of two approaches as it uses the same key for encryption and decryption. For instance, a sender applies a certain key to encode a message while a receiver uses that key to decode it. Symmetric keys are implemented in such modern algorithms as AES (Advanced Encryption Standard), Blowfish, Twofish, LUKS, Serpent, DES (Data Encryption Standard), etc.

Public-key algorithms are also known as asymmetric. Such an algorithm is more intricate as it employs two different but mathematically related encryption keys: the first one is available to everybody and is used to lock the data (public key) and the second one — which is kept somewhere safe by the receiver — to unlock it (private key). Any information encrypted with the help of a certain public key can be decrypted only by its corresponding private key. The main perk here is that one doesn’t have to pass the secret key to other people and worry that it may get into the wrong hands, which makes it perfect for secure information exchange. However, the complexity of this method requires more processing power, so it doesn’t always make sense to use it for encrypting data at rest. Among the algorithms relying on this approach are RSA (Rivest–Shamir–Adleman), Diffie-Hellman, ECC (Elliptic-curve cryptography), El Gamal, DSA (Digital Signature Algorithm) and others.

In the main, encryption is the most effective way to prevent unwanted people from accessing your files in the cases when your computer gets stolen or lost, but even this technology is not absolutely foolproof. First of all, it totally relies on encryption keys, so security of your data hinges upon the safety of the encryption key. Failures within the system may result in the loss of encryption key. Lose it and you can instantly wave goodbye to your files as the data will remain encrypted and therefore inaccessible. Also, this significantly complicates the process of data recovery or can even make it impossible. Though some tools like the Pro edition of Recovery Explorer can restore the key and decrypt the data, if given the password information, in case an encrypted drive is damaged to the point when it cannot be mounted, any attempt to recover it will give no result.

Moreover, in case of full disk encryption, you may get a slowdown of disk reading and writing operations which can vary from nothing up to 30%. Also, it will fail to protect your files when you leave your PC turned on while file encryption is simply worthless if you have a password which is easy to guess.

As you can see, encryption is not without fault, so you shouldn’t be led on by a false sense of security, but it’s much better than leaving your files unveiled as most attackers probably won’t consider the game worth the candle and will pick out another target.