Encryption Explained: At Rest, In Transit & End-To-End Encryption

The practice of encryption can be traced back some 4,000 years! Today, many messaging and service providers offer end-to-end encryption as people become increasingly privacy aware.

In this article, we will take a deeper look into encryption, particularly what it means to have encryption at rest, encryption in transit and end-to-end encryption.

What is encryption & how does it work?

Encryption is the practice of transforming an original message (plaintext) into an unintelligible form (ciphertext). The transformation is a mathematical algorithm, a cipher, that combines the plaintext with a secret key.

The plaintext undergoes a mathematical computation with a key, which in practice is generated by a cryptographically secure pseudo-random number generator. This process is called encryption. The output, the ciphertext, is reversible: it can be converted back to its original form using the required key and the inverse mathematical computation. This process is called decryption. In symmetric encryption (for example AES) the same key is used for both steps; in public-key encryption (for example RSA) a public key encrypts and a separate private key decrypts.

(Explore common data encryption types, algorithms and best practices.)

Simple encryption vs. decryption example

As a simple example, consider a plaintext that is a number and a key that is a random number. Multiplying the plaintext by the key (the mathematical operation) produces a ciphertext that looks nothing like the plaintext. To recover the original plaintext from the ciphertext, we perform the inverse operation, division, on the ciphertext using the same key. This returns the original number and is the decryption process. Note that this toy scheme is not secure: anyone who sees one plaintext together with its ciphertext can divide the two and recover the key. Real ciphers are designed so that no such shortcut exists.

Realistic example

In practice, the ciphers and the algorithms that generate keys are far more complex. The algorithms themselves are public and heavily scrutinized; security rests entirely on keeping the key secret. Without the key, the ciphertext cannot be decrypted by any efficient means or with any practically available computing resources.

Consider RSA, one of the public-key cryptosystems in common use today. Recovering the private key of an RSA-2048 key by brute force on a classical computer is commonly estimated to take on the order of 300 trillion years. So, today at least, RSA is widely used to protect email (S/MIME and PGP) and for the digital signatures that authenticate servers and users when logging in to sensitive online services such as financial and healthcare portals.
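The following Go program is an added example, not code from the original article. It implements the toy multiply/divide cipher from the simple example above (multiplication modulo a prime, so that "division" is a modular inverse and always exists), shows that one known plaintext/ciphertext pair reveals the key, and contrasts it with a real symmetric cipher, AES-256-GCM from the Go standard library, which also detects tampering. The key and message values are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// toyPrime is the modulus of the toy multiplicative cipher. Working modulo a
// prime keeps multiplication invertible: decryption multiplies by the key's
// modular inverse, which is the "division" of the article's example.
var toyPrime = big.NewInt(2147483647) // 2^31 - 1, a Mersenne prime

// toyEncrypt multiplies the plaintext number by the key modulo toyPrime.
func toyEncrypt(plaintext, key int64) int64 {
	p := new(big.Int).Mul(big.NewInt(plaintext), big.NewInt(key))
	return p.Mod(p, toyPrime).Int64()
}

// toyDecrypt reverses toyEncrypt by multiplying with the modular inverse of key.
func toyDecrypt(ciphertext, key int64) int64 {
	inv := new(big.Int).ModInverse(big.NewInt(key), toyPrime)
	c := new(big.Int).Mul(big.NewInt(ciphertext), inv)
	return c.Mod(c, toyPrime).Int64()
}

// toyRecoverKey shows why the toy cipher is insecure: a single known
// plaintext/ciphertext pair yields the key as ciphertext * plaintext^-1.
func toyRecoverKey(plaintext, ciphertext int64) int64 {
	inv := new(big.Int).ModInverse(big.NewInt(plaintext), toyPrime)
	k := new(big.Int).Mul(big.NewInt(ciphertext), inv)
	return k.Mod(k, toyPrime).Int64()
}

// gcmSeal encrypts with AES-256-GCM. A fresh 12-byte nonce comes from
// crypto/rand and is prepended to the output. GCM also appends an
// authentication tag, so any change to the ciphertext is detected on decryption.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen splits off the nonce and decrypts; it fails if the tag does not verify.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// Toy cipher: encrypt, decrypt, then recover the key from one known pair.
	const key, msg = 123456789, 42 // constructed values
	ct := toyEncrypt(msg, key)
	fmt.Println("toy ciphertext:", ct, "decrypts to:", toyDecrypt(ct, key))
	fmt.Println("key recovered from one known plaintext:", toyRecoverKey(msg, ct))

	// Real cipher: 256-bit random key, authenticated encryption, tamper check.
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		panic(err)
	}
	sealed, err := gcmSeal(aesKey, []byte("wire transfer: 1000 EUR")) // constructed message
	if err != nil {
		panic(err)
	}
	pt, err := gcmOpen(aesKey, sealed)
	fmt.Printf("AES-GCM round trip: %q err=%v\n", pt, err)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = gcmOpen(aesKey, sealed)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The toy cipher "works" in the sense that decryption recovers the plaintext, but toyRecoverKey shows that the secrecy of the key, and so of every other message, collapses as soon as one plaintext is known. The AES-GCM functions are the shape of what encryption at rest actually looks like when applied to a file or database record: a random key, a unique nonce per message, and an authentication tag checked before the plaintext is trusted.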

Though a quantum computer powerful enough to break RSA is still years away, experts point out that we must begin preparing for post-quantum cryptography (algorithms designed to resist quantum attacks) now, because data encrypted today can be recorded and decrypted later.

(Understand homomorphic encryption, an emerging technique.)

Brief history of encryption

In ancient Egypt, over four millennia ago, scribes used unusual hieroglyphs in tomb inscriptions to obscure the original meaning of the text. Up until the early 20th century, encryption schemes were mostly adopted by kings, generals and government officials who wanted to limit who could read their official communiques.

With the advent of radio, encryption was needed for mass communication for the first time, since anyone with a receiver could listen in. Mechanical cipher machines such as Enigma were used to protect military radio traffic during the World Wars. As telecommunications and computer networking spread to business in the following decades, organizations adopted encryption to secure data at rest and in transit.

Today in the 2020s, many messaging and service providers offer end-to-end encryption. Encryption has even become an attack strategy: bad actors use ransomware to encrypt victims' data and systems and demand payment for the key. Recent research from SURGe answers the question: "How long do you have until ransomware encrypts your systems?"

Answer: Faster than you think.

Encryption at rest vs. in transit vs. end-to-end encryption

As history shows, there are a variety of encryption schemes, each offering a different level of security and implementation complexity. But where should you apply them: to the data stored on your servers, to data transmitted over the internet, or both?

  • Encryption at Rest refers to encryption applied to stored data: disks, databases, backups and object storage. It protects against theft of the storage medium or a read of the raw storage by someone who lacks the key. It does not protect the data once an authorized system has decrypted it for use.
  • Encryption in Transit refers to encrypting data while it is transferred between two nodes of the network, typically with TLS. The data may be stored in unencrypted form at the source and destination, and every intermediary that terminates a connection (a load balancer, mail server or chat server) decrypts the data back to plaintext before passing it on.
  • End-to-End Encryption means the data is encrypted by the sender and can be decrypted only by the intended recipient. It remains ciphertext at every intermediate server and in any storage along the way, so the service provider relaying it cannot read it. This is stronger than simply combining encryption at rest with encryption in transit, because those two schemes still leave the provider holding the keys; only users with the corresponding decryption keys can convert the ciphertext to plaintext and view the original information.
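To make the difference between the last two bullets concrete, here is an added Go example (not code from the original article) that simulates a sender, a relay server and a recipient, each with its own RSA key pair. In the "in transit only" model every hop is encrypted but the server terminates the first hop and sees the plaintext; in the end-to-end model the sender encrypts for the recipient alone and the server can only forward bytes it cannot decrypt. The party names and the message are constructed for illustration; RSA-OAEP from the Go standard library stands in for whatever key exchange a real messenger uses.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// party models a user or server that holds its own RSA key pair.
type party struct {
	name string
	key  *rsa.PrivateKey
}

func newParty(name string) *party {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &party{name: name, key: k}
}

// encryptTo encrypts msg so that only the holder of pub's private key can read
// it (RSA-OAEP with SHA-256; up to 190 bytes of message for a 2048-bit key).
func encryptTo(pub *rsa.PublicKey, msg []byte) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
	if err != nil {
		panic(err)
	}
	return ct
}

// tryDecrypt is what any party does with a ciphertext it receives. It returns
// the plaintext and true if its own key fits, otherwise nil and false.
func (p *party) tryDecrypt(ct []byte) ([]byte, bool) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.key, ct, nil)
	if err != nil {
		return nil, false
	}
	return pt, true
}

// hopByHop models "encryption in transit only": each network hop is encrypted,
// but the relay server terminates the first hop, holds the plaintext, and
// re-encrypts it for the recipient. It returns what the server saw and what
// the recipient received.
func hopByHop(sender, server, recipient *party, msg []byte) (serverSaw, received []byte) {
	hop1 := encryptTo(&server.key.PublicKey, msg)
	serverSaw, _ = server.tryDecrypt(hop1) // the server is a legitimate endpoint of hop 1
	hop2 := encryptTo(&recipient.key.PublicKey, serverSaw)
	received, _ = recipient.tryDecrypt(hop2)
	return serverSaw, received
}

// endToEnd models end-to-end encryption: the sender encrypts for the recipient
// only, and the relay server forwards a ciphertext it cannot open.
func endToEnd(sender, server, recipient *party, msg []byte) (serverSaw, received []byte) {
	ct := encryptTo(&recipient.key.PublicKey, msg)
	serverSaw, _ = server.tryDecrypt(ct) // fails: the server's key does not fit
	received, _ = recipient.tryDecrypt(ct)
	return serverSaw, received
}

func main() {
	// Constructed parties and message for the demonstration.
	alice, relay, bob := newParty("alice"), newParty("relay"), newParty("bob")
	msg := []byte("meet at 10:00, bring the signed contract")

	saw, got := hopByHop(alice, relay, bob, msg)
	fmt.Printf("in-transit only: server saw %q, recipient got %q\n", saw, got)

	saw, got = endToEnd(alice, relay, bob, msg)
	fmt.Printf("end-to-end:      server saw %q, recipient got %q\n", saw, got)
}
```

The relay in hopByHop is exactly the position a mail or chat provider occupies when it offers only TLS: the wire is protected, but the provider (and anyone who compromises it or compels it) reads every message. In endToEnd the same relay holds nothing it can decrypt, which is the property that matters when the intermediaries are not trusted.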

Choosing your encryption strategy

Which encryption strategy should you choose for the data workloads and traffic within your corporate network? Historically, the purpose of encryption has been confidentiality: keeping data unreadable to an outside eavesdropper or thief. (Integrity and authenticity come from message authentication codes and digital signatures, which modern authenticated encryption modes bundle with encryption.) For that goal, encryption at rest and encryption in transit may suffice, depending on the security risk exposure facing your storage servers and transmission network, respectively.

In the modern digital era, online communications involve complex interactions with entities that may be mutually distrusting, think e-voting, e-auctions and online banking transactions. These interactions must be secured while in flight and at both endpoints, without trusting the servers in between, in addition to protecting the data used and generated at the source. This is where end-to-end encryption serves particularly well to secure the entire online experience.

And with the increasing awareness of end-user privacy and of how advertising companies exploit personally identifiable information, many Internet companies have found end-to-end encryption to be a viable means of regaining the trust of end-users who share sensitive information online.


This posting does not necessarily represent Splunk's position, strategies or opinion.

Posted by Muhammad Raza

Muhammad Raza is a technology writer who specializes in cybersecurity, software development and machine learning and AI.