
Encryption

Encryption is a cryptographic process that uses keys to transform data into an unreadable format, protecting it against unauthorised access both while stored and while transmitted.

Encryption refers to the conversion of plaintext into ciphertext using cryptographic algorithms and secret keys. Only those who hold the matching key can decrypt the data and make it legible again. A distinction is drawn between symmetric encryption, where the same key is used to encrypt and decrypt (for example AES), and asymmetric encryption, which relies on a key pair consisting of a public and a private key (for example RSA or ECC). In practice both methods are often combined in a hybrid scheme: a session key is exchanged asymmetrically, and that session key is then used to encrypt the actual data symmetrically.

Information security distinguishes two central use cases: the encryption of data at rest, for instance on hard drives, in databases or in backups, and the encryption of data in transit, for instance via TLS during communication between systems. Encryption primarily safeguards the protection goal of confidentiality, but in combination with techniques such as digital signatures and message authentication codes it also supports integrity and authenticity. Beyond choosing strong, recognised algorithms, the decisive factor for its effectiveness is robust key management, which governs the generation, storage, rotation and destruction of keys across their entire lifecycle.

From a regulatory perspective, encryption is a central technical and organisational measure. The NIS2 Directive explicitly names policies and procedures regarding the use of cryptography and, where appropriate, encryption in Art. 21(2)(h) as part of the risk management of essential and important entities. The GDPR likewise cites encryption in Art. 32(1)(a) as an example of an appropriate measure to ensure the security of processing; effective encryption can also remove the obligation to notify data subjects of a breach under Art. 34(3)(a). The German BSI IT-Grundschutz specifies the requirements in module CON.1 Crypto Concept and provides guidance for a verifiable cryptographic concept.

Legal Basis

Art. 21(2)(h) NIS2 Directive (EU) 2022/2555; Art. 32(1)(a) GDPR; ISO/IEC 27001 Annex A 8.24; BSI IT-Grundschutz CON.1

Practical Example

A mid-sized mechanical engineering firm qualifies as an important entity under the NIS2 requirements. The information security officer draws up a crypto concept following BSI CON.1: the hard drives of all laptops are encrypted with BitLocker using AES-256, traffic between sites runs exclusively over TLS 1.3, and database backups are encrypted before being placed in cloud storage. The firm manages the associated keys in a hardware security module with documented rotation every twelve months. When a laptop is later stolen, the security officer can demonstrate that the data was encrypted and therefore inaccessible to third parties, making notification of affected individuals unnecessary.

FAQ

What is the difference between symmetric and asymmetric encryption?
Symmetric encryption uses the same key to encrypt and decrypt, which is fast but makes secure key exchange difficult. Asymmetric encryption uses a key pair of a public and a private key and solves the exchange problem, but is more computationally intensive. In practice both methods are combined in hybrid schemes.

Does NIS2 require encryption?
NIS2 explicitly names policies and procedures for cryptography and, where appropriate, encryption in Art. 21(2)(h) as part of risk management. There is no rigid obligation to encrypt every processing operation, but there is a duty to assess its use on a risk basis and to implement it wherever it is appropriate.

Why is key management so important?
Encryption is only as strong as the protection of the associated keys. If keys are stored insecurely, are not rotated or become compromised, even a strong algorithm is worthless. Documented key management governs the generation, distribution, storage, rotation and destruction of keys across the entire lifecycle.
