Surveillance Self-Defense

What Should I Know About Encryption?

Last Reviewed: January 01, 2025

Perhaps you've heard the word “encryption” used, but in so many different contexts that it’s gotten confusing. You might have seen it refer to everything from protecting your laptop to chat app security to guarding your online shopping. Regardless of the context, when we talk about encryption, we’re referring to the same thing: the mathematical process of making a message unreadable except to a person who has the “key” to “decrypt” it. From there, it gets more complicated.

People have used encryption to send messages to each other that (hopefully) couldn’t be read by anyone besides the intended recipient. Today, we have computers that are capable of performing encryption for us. Digital encryption technology has expanded beyond simple secret messages, and these days you can use encryption for more elaborate purposes, like not just hiding the content of messages from prying eyes, but also verifying the author of those messages.

Encryption is the best technology we have to protect information from bad actors, governments, and service providers. When used correctly it is virtually impossible to break.

In this guide, we’ll look at two major ways encryption is applied: to scramble data at rest and data in transit.

Encrypting Data At Rest

Data “at rest” is data that is stored somewhere, like on a mobile device, laptop, server, or external hard drive. When data is at rest, it is not moving from one place to another.

One example of a form of encryption that protects data at rest is “full-disk” encryption (also sometimes called “device encryption”). Enabling full-disk encryption encrypts all the information stored on a device and protects the information with a passphrase or another authentication method. On a mobile device or laptop, this usually looks like a device lock screen, requiring a passcode, passphrase, or thumbprint. However, locking your device (i.e., requiring a password to “unlock” your device) does not always mean that full-disk encryption is enabled.

             

A smart phone and laptop that each have a password-protected “lock” screen.

Be sure to check how your operating system enables and manages full-disk encryption. While some operating systems have full-disk encryption enabled by default, others do not. On a device without it, someone could access your data by bypassing the device lock and reading the hard drive directly, with no encryption key to break, since the device itself is not encrypted. Also, some systems store unencrypted plaintext in RAM, even when you are using full-disk encryption. RAM is temporary storage, which means that after your device is powered down the memory typically can't be read, but a sophisticated adversary could attempt a cold boot attack and conceivably retrieve the RAM contents.
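
One way to make that check on a Linux system, as an added example that is not part of the original guide: the script below reads the device tree that `lsblk` reports and says whether a given mount point sits on an encrypted (dm-crypt/LUKS) layer. The function names `sample_lsblk` and `mount_encryption` are hypothetical, and the sample device listing is constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): report whether a mount point
# sits on top of a dm-crypt/LUKS layer, based on lsblk's device tree (Linux).
# Live use: lsblk -P -o KNAME,TYPE,PKNAME,MOUNTPOINT | mount_encryption /

# Constructed sample of that lsblk output: one disk with a plain /boot
# partition and a LUKS container (TYPE "crypt") holding an LVM root volume.
sample_lsblk() {
    cat <<'EOF'
KNAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
KNAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot"
KNAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT=""
KNAME="dm-0" TYPE="crypt" PKNAME="sda2" MOUNTPOINT=""
KNAME="dm-1" TYPE="lvm" PKNAME="dm-0" MOUNTPOINT="/"
EOF
}

# Hypothetical helper: prints encrypted, unencrypted or not-found for the
# mount point given as $1, reading lsblk -P lines on stdin.
mount_encryption() {
    awk -v want="$1" '
    function field(key,    m) {
        # Return the value of KEY="value" on the current line, or "".
        if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
        m = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", m)
        sub(/"$/, "", m)
        return m
    }
    {
        dev = field("KNAME")
        type[dev] = field("TYPE")
        parent[dev] = field("PKNAME")
        if (field("MOUNTPOINT") == want) start = dev
    }
    END {
        if (start == "") { print "not-found"; exit }
        # Walk from the mounted device up through its parents to the disk.
        for (dev = start; dev != ""; dev = parent[dev])
            if (type[dev] == "crypt") { print "encrypted"; exit }
        print "unencrypted"
    }'
}

for mp in / /boot; do
    printf '%s: %s\n' "$mp" "$(sample_lsblk | mount_encryption "$mp")"
done
```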

Full-disk encryption can protect your devices from people who have physical access to them. This is useful if you want to protect your data from roommates, coworkers or employers, school officials, family members, partners, police officers, or other law enforcement officials. It also protects the data on your devices if they are stolen or lost, like if you accidentally leave your phone on a bus or at a restaurant.

There are other ways to encrypt data at rest. One option, known as “file encryption,” encrypts only individual files on a computer or other storage device. Another option is “drive encryption” (also known as “disk encryption”) which encrypts all of the data on a specific storage area on a device.

You can use these different types of encryption at rest in combination. For example, let’s say you wanted to protect sensitive information in your medical documents. You can use file encryption to encrypt an individual medical file stored on your device. You can then use drive encryption to encrypt the part of your device that this medical information is stored on. Finally, if you have enabled full-disk encryption on your device, everything—all medical information as well as every other file on the drive, including the files for the computer’s operating system—is encrypted. So, even if someone figured out your computer’s login password, they would still need to know the password you used to encrypt the file with your medical information before they could access it.

Check out our guides for enabling full-disk encryption on your computer, iPhone, or Android.

Encrypting Data In Transit