Encryption

Definition

Encryption is a cryptographic process in which plaintext is transformed into ciphertext using an algorithm and a key, making it unreadable without the corresponding decryption key. There are two fundamental types: symmetric encryption, where the same key is used for both encryption and decryption (e.g., AES-256), and asymmetric encryption, where a key pair consisting of a public and a private key is used (e.g., RSA, ECC).

In the context of data protection, encryption is cited in Article 32 of the General Data Protection Regulation (GDPR) as one of the most important technical measures for protecting personal data. A distinction is made between encryption in transit (e.g., via TLS), encryption at rest (e.g., AES-256 on the storage medium), and end-to-end encryption, where data remains encrypted continuously from the sender to the recipient.

Simply Explained

Imagine you write a secret message on a piece of paper. You then translate each letter into a code that only you and the recipient know. Even if someone finds the paper, they see only incomprehensible characters. Only the recipient, who knows the code, can translate the message back and read it.

Digital encryption works on the same principle, only it is mathematically far more complex. Modern encryption algorithms like AES-256 use keys that are 256 bits long. To crack such a key by trial and error, even the most powerful supercomputer in the world would need longer than the universe has existed. Your data is locked as securely as a vault to which only you have the key.

Why Does It Matter?

Encryption is the fundamental technology that makes digital communication and data storage secure:

• Data Protection Obligation: The GDPR cites encryption in Article 32 as an essential technical and organizational measure. Companies that transmit or store personal data without encryption risk fines.
• Protection Against Data Leaks: Even if an attacker gains access to encrypted data, they cannot read the content. In the event of a data breach involving encrypted data, notification of affected individuals may not be required (Article 34(3)(a) GDPR).
• Transport Protection: Without encryption, data can be intercepted and read during transmission (man-in-the-middle attack). TLS encryption prevents this.
• Storage Protection: Encryption at rest protects data even when physical storage devices are stolen or servers are accessed without authorization.
• Regulatory Requirements: In many industries (healthcare, financial services, legal services), encryption is legally required or demanded by industry standards.

Practical Example

An architecture firm collaborates with international partners and regularly exchanges building plans, contracts, and project reports. The documents contain personal data of property owners, land information, and confidential cost calculations.

Until now, files were sent as email attachments. An analysis reveals two vulnerabilities: while emails are transmitted via a TLS-encrypted connection to the email server, they are stored unencrypted on the email provider's server. Furthermore, there is no guarantee that the recipient's email server also supports TLS.

The firm switches to a secure upload platform: partners upload their documents through password-protected upload links. Transmission occurs over TLS 1.3, and files are stored on the server with AES-256 encryption. Even in the event of a server breach, the data would be worthless to attackers. When sharing files via share links, additional password protection and download limits can be activated.

How SendMeSafe Implements This

SendMeSafe implements a multi-layered encryption concept that protects your data at every stage:

• Encryption in Transit: All file transfers are conducted exclusively over TLS 1.3 encrypted connections. Pre-signed URLs ensure that uploads go directly and securely to the storage location.
• Encryption at Rest: All files stored on the server are encrypted with AES-256. This applies to files received via upload links as well as files shared via share links.
• Password Protection: Upload links and share links can be protected with individual passwords, adding an additional layer of security.
• Temporary Access Tokens: Pre-signed URLs for direct file access are valid for a limited time and cannot be used after expiration.
• Secure Key Management: Encryption keys are stored separately from the encrypted data and rotated regularly.
• HTTPS Enforcement: The entire platform is accessible exclusively via HTTPS. Unencrypted HTTP connections are automatically redirected.

Frequently Asked Questions

What is the difference between AES-128 and AES-256?

Both are symmetric encryption algorithms of the Advanced Encryption Standard. The difference lies in the key length: AES-128 uses 128-bit keys, while AES-256 uses 256-bit keys. AES-256 provides an exponentially higher level of security and is considered practically unbreakable. SendMeSafe exclusively uses AES-256, the same standard that governments and militaries use to encrypt classified information.

Is transport encryption (TLS) alone sufficient?

TLS protects data only during transmission between two points. On the server itself, data remains in plain text without additional measures. For comprehensive protection, TLS should always be combined with encryption at rest. With end-to-end encryption, it is additionally ensured that even the server operator cannot read the data in plain text.

Can encryption be broken?

Theoretically yes, practically no, at least not with current technology. AES-256 has 2^256 possible key combinations. Even with all the computers in the world, trying all keys would take trillions of years. The greater danger comes not from the encryption itself but from improper key handling or vulnerabilities in the implementation.

Does encryption slow down file transfers?

Modern processors feature hardware acceleration for AES encryption (AES-NI). As a result, the speed difference between encrypted and unencrypted transfer is barely measurable in practice. At SendMeSafe, encryption occurs transparently in the background with no perceptible impact on upload or download speeds.