Client-side vs server-side encryption – who holds the key?

May 14, 2018 // By Linus Chang
With data breaches in the news on an almost weekly basis, there’s never been a better time for organisations to look at mitigation strategies. Encryption is one such strategy, although, if not implemented well, it will not necessarily lead to good security. Here, we aim to debunk some widespread misconceptions about this frequently debated cryptographic process.

To better understand encryption it is first necessary to consider the security of data in two states: in transit and at rest. Generally, data in transit is secure when TLS is used (as in HTTPS, for example) to send data from A to B. In this scenario the two machines negotiate a secret session key between themselves, and that one-time key is used only for that specific transmission. No person retains the key, which helps to keep the data secure.

When storing data in the long term (data at rest), however, it is necessary to use a different type of encryption system: one which requires a secret key to decrypt the data. This is where users may well encrypt, yet achieve little real security.

The different types of encryption

The goal of encryption is to stop a security breach from becoming a data breach. It is designed to be an extra layer of protection for when privileged access is breached or an accidental misconfiguration exposes the data.

Fig. 1: The type of encryption chosen can make a huge difference to the level of security provided.

To demonstrate why some forms of encryption offer better data security than others, let’s consider each type in turn:

  • Client-side encryption – users encrypt their own data, with their own key.

  • Server-side encryption with server-held keys – users give regular (unencrypted) data to their cloud provider, which encrypts it at its end. Users never see an encryption key and it is totally out of their hands.

  • Server-side encryption with client-held keys – users hold their own key, but the server will encrypt/decrypt on their behalf.

The type of encryption chosen can make a huge difference to the level of security provided (see Fig. 1).
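As an added illustration (not from the original article), the following Python models the three arrangements listed above and shows what an attacker who gains privileged read access to the server's storage can recover under each; the model names, the `Stored` record and the stand-in stream cipher are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in cipher (HMAC-SHA256 in counter mode) so the model runs on the standard
    library alone; it has no integrity tag, real systems use an AEAD such as AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh per message; prepended so decrypt can find it
    return nonce + bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class Stored:
    """Everything an attacker with privileged read access to server storage obtains."""
    ciphertext: bytes
    persisted_key: Optional[bytes]  # set only when the server keeps a key beside the data

def upload(model: str, user_key: bytes, server_key: bytes, data: bytes) -> Stored:
    """Hypothetical upload path for each of the three models listed above."""
    if model == "client-side":
        # The user encrypts locally; the server only ever receives ciphertext.
        return Stored(encrypt(user_key, data), None)
    if model == "server-side, server key":
        # The server encrypts the plaintext it received and stores its key alongside.
        return Stored(encrypt(server_key, data), server_key)
    if model == "server-side, client key":
        # The server uses the user's key for this request only and never persists it,
        # so key and plaintext are exposed on the server only while the request runs.
        return Stored(encrypt(user_key, data), None)
    raise ValueError(f"unknown model: {model}")

def breach(stored: Stored) -> Optional[bytes]:
    """Simulate a breach of stored data: plaintext is recoverable only if a key was stored too."""
    if stored.persisted_key is None:
        return None
    return decrypt(stored.persisted_key, stored.ciphertext)
```

Only the server-held-key arrangement lets a storage breach turn directly into a data breach; the other two leave the attacker with ciphertext alone.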
