Security
Encryption
Transforming data with a key so only key-holders can read it — symmetric (AES) for bulk data, asymmetric (RSA/ECC) for key exchange and signatures. Protect data both in transit (TLS) and at rest (disk or field encryption). The hard part is not the algorithm but key management: rotation, storage, and never rolling your own crypto.
Purpose
Encryption transforms data so only holders of the right key can read it: symmetric ciphers (AES) protect bulk data with one shared key; asymmetric cryptography (RSA, elliptic curves) enables key exchange and digital signatures between parties who share nothing. Together they underpin TLS, disk encryption and signed tokens.
When to Use It
Data in transit (TLS on every connection), data at rest (encrypted disks and databases, field-level encryption for the most sensitive columns), and integrity/authenticity (signatures on tokens, packages, commits).
Trade-offs
The algorithms are the solved part; key management is where systems fail — where keys live, who can use them, how they rotate, what happens on compromise. Rolling your own crypto, or misusing good primitives (static IVs, ECB mode), fails silently until it fails completely.
Implementation
Use high-level, misuse-resistant libraries (libsodium; AES-GCM via your platform's vetted APIs) rather than assembling primitives. Keep keys in a KMS or vault with rotation and audit, encrypt secrets before they touch disk, and lean on the platform: managed TLS, encrypted-by-default storage, envelope encryption for large data.