To understand encryption properly, it is first necessary to distinguish the security of data in transit from that of data at rest. Data in transit is generally secure when TLS is used (as in HTTPS, for example) to send it from A to B. In this scenario the two machines negotiate a secret encryption key between themselves, that one-time key is used only for that specific transmission, and no person ever holds it, which helps to keep the data secure.
When storing data in the long term (data at rest), however, a different type of encryption system is needed: one in which a secret key must be kept in order to decrypt the data later. This is where users often encrypt yet achieve little real security.
The different types of encryption
The goal of encryption is to stop a security breach from becoming a data breach. It is designed as an extra layer of protection for when privileged access is breached or an accidental misconfiguration exposes the data.
To demonstrate why some forms of encryption offer better data security than others, let’s consider each type in turn:
Client-side encryption – users encrypt their own data, with their own key.
Server-side encryption with server held keys – users give regular (unencrypted) data to their cloud provider, with the latter encrypting it at their end. Users never see an encryption key and it’s totally out of their hands.
Server-side encryption with client held keys – users hold their own key but the server will encrypt/decrypt on their behalf.
The type of encryption chosen can make a huge difference to the level of security provided (see figure 1).
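To make the difference between the three types concrete, here is an added example that is not part of the original article: a small Go simulation (standard library only, AES-256-GCM) in which a user stores one record with a provider under each model, reads it back through the normal path, and a function models what a breach of the provider's storage and key store would expose. The names Server, Client, Store, Retrieve and RecoverableAfterServerBreach are this example's own, not any product's API, and the payroll record is constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Mode is who holds the key for data at rest: the three types described in the text.
type Mode int

const (
	ClientSide          Mode = iota // user encrypts locally with their own key; provider only ever sees ciphertext
	ServerSideServerKey             // user uploads plaintext; provider encrypts with a key it generates and keeps
	ServerSideClientKey             // user sends their key with the request; provider encrypts, then discards it
)

// Server models the provider: its object store plus whatever key material it retains.
type Server struct {
	mode    Mode
	objects map[string][]byte // nonce || AES-GCM ciphertext, by object name
	keys    map[string][]byte // keys the provider keeps (populated only in ServerSideServerKey)
}

// Client models the user, who holds one 256-bit key of their own.
type Client struct{ key []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // every failure below is a programming error, not bad input
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// aead builds AES-256-GCM for a locally generated 32-byte key.
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal encrypts under a fresh random nonce, which is prepended to the ciphertext.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails if the key is wrong, the blob was altered, or there is no blob.
func open(key, blob []byte) ([]byte, error) {
	gcm := aead(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("missing or truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Store uploads plaintext under name (the TLS channel protecting data in transit is assumed).
func (c *Client) Store(s *Server, name string, plaintext []byte) {
	key := c.key // client-side, or a client-held key that travels with the request and is not retained
	if s.mode == ServerSideServerKey {
		key = randomBytes(32) // provider generates the key ...
		s.keys[name] = key    // ... and keeps it alongside the data
	}
	s.objects[name] = seal(key, plaintext)
}

// Retrieve is the legitimate read path; every mode decrypts for the data's owner.
func (c *Client) Retrieve(s *Server, name string) ([]byte, error) {
	if s.mode == ServerSideServerKey {
		return open(s.keys[name], s.objects[name])
	}
	return open(c.key, s.objects[name])
}

// RecoverableAfterServerBreach models a privileged-access breach or misconfiguration that exposes all
// the provider holds (objects and key store) but nothing the user keeps: plaintext if recoverable, else nil.
func RecoverableAfterServerBreach(s *Server, name string) []byte {
	key, ok := s.keys[name]
	if !ok {
		return nil // provider never held the key: the breach yields ciphertext only
	}
	if pt, err := open(key, s.objects[name]); err == nil {
		return pt
	}
	return nil
}

func main() {
	for m := ClientSide; m <= ServerSideClientKey; m++ {
		s, c := &Server{mode: m, objects: map[string][]byte{}, keys: map[string][]byte{}}, &Client{key: randomBytes(32)}
		c.Store(s, "payroll.csv", []byte("employee,salary\nalice,70000\n")) // constructed sample record
		fmt.Printf("mode %d: server breach exposes plaintext: %v\n", m, RecoverableAfterServerBreach(s, "payroll.csv") != nil)
	}
}
```

Run as written, only mode 1 (server-side with a server-held key) reports that a breach of the provider exposes plaintext; in the other two modes the same breach yields ciphertext because the provider's key store is empty. The simulation also makes the trust assumption of the third model explicit: with client-held keys the provider still receives the key on every request, so the protection rests on the provider genuinely not retaining it (here, Store never writes it to s.keys).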