Last Updated: November 21, 2025
Encryption Types
| Type | How It Works | Use Case | Example |
|---|---|---|---|
| Symmetric | Same key encrypts and decrypts | Fast encryption of large data | AES, ChaCha20 |
| Asymmetric | Public key encrypts, private key decrypts | Secure key exchange, digital signatures | RSA, ECC |
| Hybrid | Asymmetric for key, symmetric for data | TLS/SSL, PGP email | RSA + AES |
| Hashing | One-way function (not reversible) | Password storage, integrity verification | SHA-256, bcrypt |
| End-to-End (E2E) | Only sender and receiver can decrypt | Messaging apps, secure communication | Signal Protocol |
Common Encryption Algorithms
| Algorithm | Type | Key Size | Status |
|---|---|---|---|
| AES (Advanced Encryption Standard) | Symmetric | 128, 192, 256-bit | Industry standard, very secure |
| ChaCha20 | Symmetric | 256-bit | Modern, fast on mobile |
| RSA | Asymmetric | 2048, 3072, 4096-bit | Widely used, slower |
| ECC (Elliptic Curve) | Asymmetric | 256, 384, 521-bit | Smaller keys, same security |
| DES/3DES | Symmetric | 56-bit (DES), 168-bit (3DES) | Deprecated - insecure |
| Blowfish | Symmetric | 32-448 bit | Older, use AES instead |
| Twofish | Symmetric | 128, 192, 256-bit | Good alternative to AES |
Hash Functions
| Algorithm | Output Size | Use Case | Security |
|---|---|---|---|
| SHA-256 | 256-bit | File integrity, certificates | Secure |
| SHA-512 | 512-bit | High security applications | Very secure |
| SHA-3 | Variable | Next-gen standard | Most secure |
| bcrypt | 192-bit | Password hashing (slow by design) | Recommended for passwords |
| scrypt | Variable | Password hashing (memory-hard) | Very secure for passwords |
| Argon2 | Variable | Password hashing (winner PHC) | Best for passwords |
| MD5 | 128-bit | Checksums only | Broken - avoid for security |
| SHA-1 | 160-bit | Legacy systems | Deprecated - vulnerable |
OpenSSL Commands
| Command | Description |
|---|---|
| `openssl version` | Check OpenSSL version |
| `openssl enc -aes-256-cbc -pbkdf2 -in file.txt -out file.enc` | Encrypt file with AES-256 (password-based; `-pbkdf2` replaces the deprecated default key derivation; CBC is unauthenticated, so pair it with a MAC or use gpg/age for files) |
| `openssl enc -aes-256-cbc -pbkdf2 -d -in file.enc -out file.txt` | Decrypt AES-256 encrypted file (same `-pbkdf2` flag as on encryption) |
| `openssl genrsa -out private.key 4096` | Generate 4096-bit RSA private key |
| `openssl rsa -in private.key -pubout -out public.key` | Extract public key from private key |
| `openssl pkeyutl -encrypt -pubin -inkey public.key -pkeyopt rsa_padding_mode:oaep -in file.txt -out file.enc` | Encrypt with RSA public key (`pkeyutl` replaces the deprecated `rsautl`; OAEP padding; input must be smaller than the key size, so use it for a symmetric key, not bulk data) |
| `openssl pkeyutl -decrypt -inkey private.key -pkeyopt rsa_padding_mode:oaep -in file.enc -out file.txt` | Decrypt with RSA private key (same padding mode as on encryption) |
| `openssl dgst -sha256 file.txt` | Generate SHA-256 hash of file |
| `openssl rand -base64 32` | Generate random 32-byte password (base64-encoded) |
| `openssl req -new -x509 -days 365 -key private.key -out cert.crt` | Create self-signed certificate |
GPG/PGP Commands
| Command | Description |
|---|---|
| `gpg --gen-key` | Generate new key pair |
| `gpg --list-keys` | List all public keys |
| `gpg --list-secret-keys` | List all private keys |
| `gpg --encrypt --recipient user@email.com file.txt` | Encrypt file for recipient (writes file.txt.gpg) |
| `gpg --decrypt file.txt.gpg > file.txt` | Decrypt file |
| `gpg --detach-sign file.txt` | Create detached digital signature (writes file.txt.sig; plain `--sign` writes a combined file.txt.gpg instead) |
| `gpg --verify file.txt.sig file.txt` | Verify detached signature against the file |
| `gpg --export -a "User Name" > public.key` | Export public key (ASCII-armored) |
| `gpg --import public.key` | Import public key |
| `gpg --symmetric file.txt` | Symmetric encryption (password-based) |
Encryption Tools Comparison
| Tool | Platform | Type | Best For |
|---|---|---|---|
| VeraCrypt | Windows, macOS, Linux | Full disk/container | Local file/drive encryption |
| BitLocker | Windows Pro/Enterprise | Full disk | Windows system encryption |
| FileVault | macOS | Full disk | Mac system encryption |
| LUKS | Linux | Full disk | Linux system encryption |
| Cryptomator | All platforms | Cloud files | Encrypt cloud storage |
| GPG/PGP | All platforms | File/email | Email encryption, signing |
| 7-Zip | All platforms | Archive | Encrypted zip files |
| age | All platforms | File | Simple modern encryption |
TLS/SSL Certificate Commands
| Command | Description |
|---|---|
| `openssl s_client -connect example.com:443 -servername example.com` | Test SSL/TLS connection (`-servername` sends SNI so the server presents the right certificate) |
| `openssl x509 -in cert.pem -text -noout` | View certificate details |
| `openssl x509 -enddate -noout -in cert.pem` | Check certificate expiration |
| `openssl verify -CAfile chain.pem cert.pem` | Verify certificate against a CA chain (without `-CAfile`, only the system trust store is consulted) |
| `openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem` | Convert to PKCS#12 format |
Encryption Best Practices
| Practice | Why |
|---|---|
| Use AES-256 for symmetric encryption | Industry standard, NSA Suite B approved |
| Use RSA 4096-bit or ECC 256-bit minimum | For asymmetric encryption and signing |
| Use bcrypt, scrypt, or Argon2 for passwords | Slow hash functions resist brute force |
| Never roll your own crypto | Use established libraries and algorithms |
| Use authenticated encryption (AES-GCM, ChaCha20-Poly1305) | Prevents tampering, provides integrity |
| Generate truly random keys/IVs | Use /dev/urandom or crypto.getRandomValues() |
| Protect private keys with passphrases | Additional layer of security |
| Rotate keys periodically | Limit exposure from key compromise |
| Use different keys for different purposes | Separate signing keys from encryption keys |
| Implement perfect forward secrecy (PFS) | Past sessions stay safe if a long-term key is later compromised |
Common Encryption Modes
| Mode | Characteristics | Use Case | Security |
|---|---|---|---|
| ECB (Electronic Codebook) | Each block encrypted independently | None - avoid! | Insecure - patterns visible |
| CBC (Cipher Block Chaining) | Each block XORed with previous | File encryption (with HMAC) | Good with proper IV |
| CTR (Counter) | Block cipher as stream cipher | Disk encryption, parallelizable | Good with unique nonce |
| GCM (Galois/Counter Mode) | CTR with authentication | TLS, secure protocols | Excellent - authenticated |
| XTS (XEX-based Tweaked) | For disk encryption | Full disk encryption | Good for storage |
Key Management
| Practice | Notes |
|---|---|
| Store keys separately from encrypted data | Never keep them in the same location |
| Use hardware security modules (HSMs) | For high-security key storage |
| Use key derivation functions (KDFs) | Derive keys from passwords (PBKDF2, Argon2) |
| Implement key escrow for recovery | Balance security with data recovery needs |
| Use key management systems (KMS) | AWS KMS, Azure Key Vault, HashiCorp Vault |
| Backup encryption keys securely | Encrypted backups in separate locations |
| Implement key lifecycle management | Generation, distribution, rotation, destruction |
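The password-hashing advice in the best-practices table (slow, salted, memory-hard hashing) and the KDF entry above (derive keys from passwords) in working form, as an added example that is not code from the original page: it uses only Python's standard library (`hashlib.scrypt` for the memory-hard derivation, `hmac.compare_digest` for the constant-time check). The `scrypt$N$r$p$salt$hash` record layout, the function names and the cost parameters are this example's own choices, not a standard.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Cost parameters chosen for this example (about 16 MiB of memory per derivation);
# raise them for real deployments as hardware allows.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32
SALT_LEN = 16


def derive_key(password: str, salt: bytes, n: int = SCRYPT_N, r: int = SCRYPT_R,
               p: int = SCRYPT_P, length: int = KEY_LEN) -> bytes:
    """Memory-hard derivation of a fixed-length key from a password.
    The same call serves as a password hash (stored) or as a symmetric key (used, never stored)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=length)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a self-describing record: scrypt$N$r$p$salt_hex$hash_hex (layout is this example's own).
    Storing the parameters with the hash lets you raise the cost later without breaking old records."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)  # fresh random salt per password: identical passwords hash differently
    key = derive_key(password, salt)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the parameters stored in the record and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt, stored = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return False  # malformed record: one generic failure, no detail leaked
    candidate = derive_key(password, salt, n, r, p, len(stored))
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

The salt is stored in the clear next to the hash; its job is uniqueness, not secrecy. Argon2id, the page's first choice for passwords, follows the same pattern (salt, stored parameters, constant-time verify) but is not in the Python standard library, so scrypt stands in here.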
Encryption Vulnerabilities to Avoid
| Vulnerability | Problem | Solution |
|---|---|---|
| Weak keys | Easily brute-forced | Use minimum key sizes (AES-256, RSA-4096) |
| Reused IVs/nonces | Exposes patterns | Always generate unique random IVs |
| Unauthenticated encryption | Vulnerable to tampering | Use AEAD modes (GCM, ChaCha20-Poly1305) |
| Timing attacks | Reveals information via time | Use constant-time comparisons |
| Padding oracle attacks | Error messages leak info | Use authenticated encryption, generic errors |
| Weak random number generation | Predictable keys/IVs | Use cryptographically secure RNG |
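An added example (not code from the original page) for the "Reused IVs/nonces", "Unauthenticated encryption" and "Timing attacks" rows. The stream cipher here is a teaching stand-in built from SHAKE-256 so that the block runs with the Python standard library alone; the function names and the encrypt-then-MAC layout are this example's own. It shows why a repeated key/nonce pair cancels the keystream and exposes plaintext relationships, and how an HMAC tag checked in constant time rejects a tampered message before any decryption happens.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Teaching stand-in for a stream-cipher keystream: SHAKE-256(key || nonce).
    Constructed for this example only; it is not a real cipher."""
    return hashlib.shake_256(key + nonce).digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; encryption and decryption are the same operation."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def keystream_cancels(key: bytes, nonce1: bytes, nonce2: bytes,
                      p1: bytes, p2: bytes) -> bool:
    """True when c1 XOR c2 == p1 XOR p2, i.e. the keystream dropped out and anyone
    holding both ciphertexts sees the relationship between the plaintexts.
    This is exactly the 'patterns exposed' failure of a reused key/nonce pair."""
    n = min(len(p1), len(p2))
    c1 = stream_encrypt(key, nonce1, p1)
    c2 = stream_encrypt(key, nonce2, p2)
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce and a separate key per purpose.
    Output layout: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)  # CSPRNG; never a counter you might repeat
    ciphertext = stream_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag in constant time before touching the ciphertext.
    Every failure returns None: one generic outcome, no padding or length detail."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time, no early exit
        return None
    return stream_encrypt(enc_key, nonce, ciphertext)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    same = b"\x00" * NONCE_LEN
    print("reused nonce leaks:", keystream_cancels(key, same, same, b"attack at dawn", b"attack at dusk"))  # True
    print("fresh nonce leaks:", keystream_cancels(key, same, b"\x01" * NONCE_LEN, b"attack at dawn", b"attack at dusk"))  # False
    mac_key = secrets.token_bytes(32)
    blob = seal(key, mac_key, b"secret payload")
    print(open_sealed(key, mac_key, blob))  # b'secret payload'
    flipped = bytearray(blob)
    flipped[NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    print(open_sealed(key, mac_key, bytes(flipped)))  # None
```

In production the whole seal/open pair is replaced by AES-GCM or ChaCha20-Poly1305 from an established library, as the best-practices table says; what the block demonstrates is the structure those modes give you: a fresh nonce for every message, a tag that covers nonce and ciphertext, a constant-time comparison, and a single generic failure result.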
Compliance Standards
| Standard | Scope |
|---|---|
| FIPS 140-2/140-3 | Federal encryption standard (US government) |
| PCI DSS | Payment card data encryption requirements |
| HIPAA | Healthcare data encryption standards |
| GDPR | EU data protection including encryption |
| SOC 2 | Security controls including encryption |
💡 Pro Tip:
For most use cases, use AES-256-GCM for data encryption and RSA-4096 or ECC (Curve25519) for key exchange. Always use authenticated encryption to prevent tampering. Never reuse IVs/nonces, and store encryption keys separately from encrypted data. For passwords, use Argon2id with appropriate cost parameters. Remember: encryption is only as strong as your key management!