Encryption software is software that uses cryptography to prevent unauthorized access to digital information. Practically speaking, people use cryptography today to protect the digital information on their computers as well as the digital information that is sent to other computers over the Internet. As software that implements secure cryptography is complex to develop and difficult to get right, most computer users make use of the encryption software that already exists rather than writing their own.
As encryption software is an important component in providing protection from cybercrime, there are many, many software products that provide encryption. Because there are so many software products that provide encryption, a good way to begin understanding this topic is classification by categorization.
Software encryption uses a cipher to obscure the content into ciphertext, so one way to classify this type of software is by the type of cipher used. Ciphers can be categorized into two categories: public key ciphers, also known as asymmetric ciphers, and symmetric key ciphers. Thus, encryption software may be said to based on public key or symmetric key encryption.
Another way to classify software encryption is to categorize its purpose. Using this approach, software encryption may be classified into software that encrypts "data in transit" and software that encrypts "data at rest".
As it turns out, these two types of classifications has something in common: that is, data in transit generally uses public key ciphers, and data at rest generally uses symmetric key ciphers.
However, software encryption is not as simple at that.
To begin with, symmetric key ciphers can be further subdivided into stream ciphers and block ciphers. Stream ciphers typically encrypt plaintext a bit or byte at a time, and are most commonly used to encrypt real-time communications, such as audio and video information. The key is used to establish the initial state of a keystream generator, and the output of that generator is used to encrypt the plaintext. Block cipher algorithms split the plaintext into fixed-size blocks and encrypt one block at a time. For example, AES processes 16-byte blocks, while its predecessor DES encrypted blocks of eight bytes.
Also, there is also a well-known case where PKI is used for data in transit of data at rest.
Data in transit
Data in transit is data that is being sent over a network. When the data is between two endpoints, any confidential information may be vulnerable to snooping. To maintain the confidentiality of the transmission, the payload (confidential information) can be encrypted to protect its confidentiality, as well as its integrity and non-repudiation.
Often, the data in transit is between two entities that do not know each other - such as visiting a website. As establishing a relationship and securely sharing an encryption key to secure the information that will be exchanged, a set of roles, policies, and procedures to accomplish this has been developed; it is known as the public key infrastructure, or PKI. Once PKI has established a secure connection, a symmetric key can be shared between endpoints. A symmetric key is preferred to over the private and public keys as a symmetric cipher is much more efficient (uses less CPU cycles) than an asymmetric cipher.
For data in transit
Below are some examples of software that provide this type of encryption.
- IP Security - IPsec
- Secure Copy - SCP
- Secure Email
- Secure Shell - SSH
- SSH File Transfer Protocol - SFTP
- Web Communication - HTTPS
Data at rest
Data at rest refers data that has been saved to persistent storage. Generally speaking, data at rest is encrypted by a symmetric key.
As mentioned previously, there are many, many software products that provide encryption. This Wikipedia article lists and compares the these software products by providing several tables that demonstrate their features. While these products are all listed under "disk" encryption, this may be a bit misleading.
In looking at this table that compares whether the encryption software works at the disk, partition, file, etc. layer, there just doesn't seem to be enough room to capture all the options. That's because encryption may be applied at different layers in the storage stack. For example, encryption can be configured at the disk layer, on a subset of a disk called a partition, on a volume, which is a combination of disks or partitions, at the layer of a file system, or within userland applications such as database or other applications that run on the host operating system.
With full disk encryption, the entire disk is encrypted (except for the bits necessary to boot or access the disk when not using an unencrypted boot/preboot partition). As disks can be partioned into multiple partitions, partition encryption can be used to encrypt individual disk partitions. Volumes, created by combinining two or more partitions, can be encrypted using volume encryption. File systems, also composed of one or more partitions, can be encrypted using file system encryption. Directories are referred to as encrypted when the files within the directory are encrypted. File encryption encrypts a single file. Database encryption acts on the data to be stored, accepting unencrypted information and writing that information to persistent storage only after it has encrypted the data. Device-level encryption, a somewhat vague term that includes encryption-capable tape drives, can be used to offload the encryption tasks from the CPU.
For data at rest
As demonstrated by this Wikipedia article there are a large number of encryption software products in this space. For that reason it does not seem prudent to attempt to capture all of that information in this article. Instead, it is recommended to look into one or more of these articles.
- Disk Encryption
- Partition Encryption via this article
- Volume Encryption via this article
- Filesystem Encryption
- File and Directory Encryption
- Database Encryption
Transit of data at rest
When there is a need to securely transmit data at rest, without the ability to create a secure connection, userland tools have been developed that support this need. These tools rely upon the receiver publishing their public key, and the sender being able to obtain that public key. The sender is then able to create a symmetric key to encrypt the information, and then use the receivers public key to securely protect the transmission of the information and the symmetric key. This allows secure transmission of information from one party to another.
For the transit of data at rest
Below are some examples of software that provide this type of encryption.
- Cryptographic Protocol
- Public Key (Asymmetric) Algorithms
- Symmetric Algorithms
- Transport Layer Security
- Thakur, Dinesh. "Cryptography - What is Cryptography?".
- "What is encryption? - Definition from WhatIs.com". SearchSecurity. Retrieved 25 April 2017.
- "Why We Encrypt - Schneier on Security".
- "Cryptography Is Harder Than It Looks - Schneier on Security".
- "Guide to Cryptography - OWASP".
- Villanueva, John Carl. "Symmetric vs Asymmetric Encryption".
- "Symmetric vs. Asymmetric Encryption - CipherCloud". 4 October 2013.
- "How Whole Disk Encrypytion Works" (PDF).
- "How to encrypt a single partition in Linux - TechRepublic".
- https://www.jetico.com/web_help/bcve3_enterprise/html/01_introduction/02_what_is_ve.htm Volume Encryption
- "How IT Works: Encrypting File System".
- "PDS Software Solutions LLC".