3.1 Encryption fundamentals


Understanding before trusting

Encryption is a way of turning readable information into a form that looks like nonsense unless you have the right key. It is not a magic cloak, but it is the most reliable tool we have for preventing casual and systematic reading of data by anyone who should not see it. It shows up quietly in everyday life: your phone storing photos, your bank’s website, messaging apps, and the chip in your passport all rely on encryption, often without you noticing.

The important thing to grasp is not just that encryption exists, but what it is protecting, where it is protecting it, and where it cannot help. The difference between an encrypted file on a laptop and an encrypted connection to a website is more than technical detail; it shapes what can be observed and by whom.

Encryption at rest vs in transit

Encryption at rest protects data stored on a device or a server: a phone’s storage, a laptop’s disk, a cloud backup, or a database. If the device is lost, stolen, or seized, encryption at rest can stop someone from reading the data without the key. In practice this is why a modern iPhone or Android phone can be safe to carry even if it contains years of messages and photos. If it is properly locked, the storage is encrypted by default.

Encryption in transit protects data as it travels over a network. When you log in to a bank or NHS service and see a padlock in the browser, you are using TLS (Transport Layer Security), which encrypts the connection between your device and the service’s servers. This stops people on the same Wi‑Fi, your internet provider, or a network operator in between from reading or altering the contents in flight.

The two protections are complementary. Encryption in transit does not protect what happens once the data reaches the server; encryption at rest does. A useful everyday example is sending a photo by a messaging app. If the app uses end‑to‑end encryption, the photo is encrypted in transit and only readable on the sender’s and recipient’s devices. If it uses transport encryption only, the connection may be secure, but the service itself can read and store the photo in plain text once it arrives.

Understanding where encryption applies also helps you see the limits. If you back up your phone to a cloud service, the encryption at rest on your phone does not automatically protect the backup; it depends on whether the backup is encrypted with a key you control.

Keys, passphrases and entropy

Encryption depends on keys. A key is a secret value that unlocks the encrypted data. Without the key, the data should be computationally infeasible to recover. Keys can be generated and stored by software, or derived from something you remember, such as a passphrase.

A passphrase is not just a longer password. It is a phrase you can remember, with enough unpredictability to resist guessing. This unpredictability is called entropy. Entropy is a measure of how hard it is to guess the key; more entropy means more possible combinations and a longer time to crack by brute force.

People often overestimate entropy. “Correct Horse Battery Staple” is better than “P@ssw0rd1”, but only if the words are chosen randomly, not because they are memorable. A short, complex password can still have low entropy if it follows predictable patterns. A longer passphrase built from random words or a mix of words and numbers is usually stronger and easier to remember.
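The comparison above can be put into numbers. The following is an added example, not part of the original text: it generates a passphrase with a cryptographic random source, estimates entropy for random words versus a patterned password, and derives a key from the passphrase. The word list, the 10,000-word attacker dictionary, the guess rate and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets

# Constructed 32-word sample list; a real list (e.g. 7,776 words) gives more bits per word.
SAMPLE_WORDS = (
    "anchor basket candle dragon ember falcon garden harbor island jacket kettle "
    "lantern marble needle orchid pepper quartz ribbon saddle tunnel umbrella "
    "velvet walnut yonder zipper acorn bridge copper dune echo flint glacier"
).split()

def random_passphrase(words, count):
    """Pick `count` words uniformly at random using the OS CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(count))

def uniform_entropy_bits(choices, picks):
    """Entropy of `picks` independent, uniform draws from `choices` options."""
    return picks * math.log2(choices)

def patterned_entropy_bits(dictionary_size, substitutable_letters, digits_appended):
    """Guess space of 'common word + optional symbol swaps + capital + digits'.

    Assumed attacker model: each possible swap and the leading capital is a
    yes/no choice; each appended digit is one of ten.
    """
    combos = dictionary_size * 2 ** (substitutable_letters + 1) * 10 ** digits_appended
    return math.log2(combos)

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def derive_key(passphrase, salt, iterations=600_000):
    """Stretch a passphrase into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)

if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate, guesses per second
    cases = {
        "P@ssw0rd1 as a pattern": patterned_entropy_bits(10_000, 4, 1),
        "4 random words of 7,776": uniform_entropy_bits(7776, 4),
        "6 random words of 7,776": uniform_entropy_bits(7776, 6),
    }
    for label, bits in cases.items():
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.2e} years")
    phrase = random_passphrase(SAMPLE_WORDS, 6)
    salt = secrets.token_bytes(16)  # stored next to the ciphertext; not secret
    print(phrase, "->", derive_key(phrase, salt).hex())
```

The derived key is always 256 bits long, but it is only as hard to guess as the passphrase it came from; the key derivation step slows each guess without adding entropy.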

In practice, key handling is where most real-world failures happen. A phone that is encrypted but unlocked when seized offers no protection. A disk encrypted with a weak passphrase can be cracked. A shared key written on a sticky note defeats the point. Mitigation is mostly behavioural and procedural: use strong device passcodes, rely on password managers to generate and store long random secrets, and avoid reusing the same passphrase across services.

There is a trade‑off between convenience and security. A passphrase long enough to resist guessing might be awkward to type every time, which leads people to disable encryption or set easy unlock methods. The safer path is to use device features that balance this well: biometric unlock backed by a strong passcode, and automatic disk encryption that does not rely on manual steps.

What encryption does not hide

Encryption protects content, not everything about the communication. Even with strong encryption, some information remains visible. This is often called metadata: who you are talking to, when, for how long, and from which device or location. Your mobile network still sees which cell tower you connected to. Your email provider still sees the sender, recipient, and subject line in most cases. A website can still see your IP address and the time you visited.

In the UK, this distinction matters because different legal frameworks apply to content and to communications data. You do not need to know the details of those laws to understand the practical effect: encryption may keep the message secret, but it does not make activity invisible. If your risk is casual snooping, encryption is strong protection. If your concern is that patterns of communication could be sensitive in themselves, you need to consider additional measures such as limiting what you share, compartmentalising accounts, or using privacy‑enhancing tools that reduce metadata exposure.

Encryption also does not protect against compromise at the ends. If your laptop is infected with malware or your phone is unlocked when searched, the data can be read in plain text. This is not a flaw in encryption; it is a reminder that encryption is one layer in a wider system of security practices.

Common misunderstandings

“If it’s encrypted, it’s private.” Encryption protects confidentiality, but it does not guarantee privacy in the broader sense. A service may still collect data about usage, device identifiers, or patterns of behaviour. A practical example is a fitness app that encrypts the connection but still records your routes and uploads them to a server where they are analysed. The content is protected in transit, yet your activity is still stored and potentially shared.

“End‑to‑end encryption means the service knows nothing.” End‑to‑end encryption means the service cannot read message content, but it can still see metadata, and it can still enforce policies by other means. Many apps keep account details, contact lists, or device fingerprints. Some apps also store unencrypted backups unless you enable extra settings. The mitigation is to check which data the service retains and choose settings that keep backups encrypted with a key you control.

“My phone is encrypted, so it’s safe to hand over.” Encryption helps only when the device is locked. If a device is unlocked, or if it uses a weak passcode, the data is accessible. In the UK, you may also be required to comply with certain legal requests; regardless of legal context, the practical rule is that encryption protects a device at rest, not one in active use.

“Encryption is only for criminals.” In everyday life it protects ordinary people from fraud, identity theft, and accidental disclosure. It is used by banks, hospitals, employers, and government services precisely because unencrypted data is too easily copied or intercepted. Normal, low‑risk use is the dominant case.

“If a company says ‘encrypted’, the data is safe.” The word “encrypted” often hides important details. Is the encryption applied on your device or only on their servers? Who controls the key? Is it encrypted during backups and exports? Without answers, the promise is incomplete. A practical habit is to look for phrases like “end‑to‑end encryption” and “keys you control”, and to treat vague marketing claims with caution.

Encryption is powerful but not absolute. It reduces specific risks and leaves others untouched. The sensible approach is to know which layer you are relying on, what it protects, and what still needs attention in everyday practice.