```
===============================================================================
                        ENCRYPTION SECURITY CHEATSHEET
                      JOHLEM.net IT SECURITY CHEATSHEETS
===============================================================================

--- ENCRYPTION FUNDAMENTALS ---

# Symmetric Encryption
Same key for encryption and decryption
Fast performance, suitable for bulk data
Key distribution is main challenge
AES-256, ChaCha20, Blowfish

# Asymmetric Encryption
Public/Private key pairs
Slower than symmetric, used for key exchange
Solves key distribution problem
RSA, ECC, Ed25519

# Cryptographic Hashes
One-way functions, fixed output size
Integrity verification, digital fingerprints
SHA-256, SHA-3, BLAKE2/3

# Digital Signatures
Authenticity and non-repudiation
Sign with private key, verify with public key
RSA-PSS, ECDSA, Ed25519

--- RECOMMENDED ALGORITHMS 2025 ---

# Symmetric Encryption
AES-256-GCM                  # Gold standard, authenticated encryption
ChaCha20-Poly1305            # Google's choice, mobile optimized
AES-256-XTS                  # Disk encryption (BitLocker, LUKS)
AES-256-CBC                  # Legacy compatibility only

# Asymmetric Encryption
Ed25519                      # Modern, fast, secure (SSH, TLS)
ECDSA P-384                  # NIST curve, government approved
RSA-4096                     # Legacy compatibility, slower
X25519                       # Key exchange (ECDH)

# Hashing
SHA-256                      # Most common, secure
SHA-3                        # Latest NIST standard
BLAKE2/BLAKE3                # Faster than SHA-2, secure
Avoid: MD5, SHA-1            # Cryptographically broken

# Key Derivation
Argon2id                     # Password hashing winner, memory-hard
PBKDF2                       # Legacy, still acceptable
scrypt                       # Memory-hard function
bcrypt                       # Older but acceptable

--- FULL DISK ENCRYPTION (FDE) ---

# Windows BitLocker
manage-bde -status                                    # Check encryption status
manage-bde -on C: -RecoveryPassword                   # Enable with recovery key
manage-bde -protectors -add C: -tpm                   # Add TPM protector
manage-bde -protectors -add C: -TPMAndPIN             # Add TPM + PIN protector
manage-bde -unlock C: -RecoveryPassword <recovery-password>   # Unlock with recovery key

# BitLocker Best Practices
Use TPM 2.0 + PIN for authentication
AES-256-XTS encryption algorithm
Back up recovery keys to AD/Azure AD
Pre-boot authentication enabled
Secure Boot and UEFI required

# Linux LUKS
cryptsetup luksFormat /dev/sdX                 # Format partition
cryptsetup luksOpen /dev/sdX encrypted_disk    # Open encrypted partition
cryptsetup luksClose encrypted_disk            # Close encrypted partition
cryptsetup luksDump /dev/sdX                   # Show LUKS header info
cryptsetup luksAddKey /dev/sdX                 # Add additional passphrase
cryptsetup luksRemoveKey /dev/sdX              # Remove passphrase

# VeraCrypt (Cross-platform)
Create hidden volumes for plausible deniability
AES, Serpent, Twofish cascade encryption
Pre-boot authentication available
File container or full disk encryption

--- FILE AND FOLDER ENCRYPTION ---

# Windows EFS (Encrypting File System)
cipher /e /s:C:\folder       # Encrypt folder
cipher /d /s:C:\folder       # Decrypt folder
cipher /w:C:\                # Wipe free space
cipher /u /n                 # Show encrypted files (lists them without updating keys)

# GPG/PGP File Encryption
gpg --gen-key                           # Generate key pair
gpg --encrypt --recipient user file     # Encrypt file
gpg --decrypt file.gpg                  # Decrypt file
gpg --sign file                         # Sign file
gpg --verify file.sig                   # Verify signature

# 7-Zip AES Encryption
7z a -p"password" -mhe=on archive.7z files    # Encrypt with password (-mhe=on also encrypts file names)
7z x archive.7z                               # Extract encrypted archive

--- NETWORK ENCRYPTION ---

# TLS/SSL Configuration
TLS 1.2 minimum, TLS 1.3 preferred
Disable SSLv2, SSLv3, TLS 1.0, TLS 1.1
Perfect Forward Secrecy (PFS) required
Certificate pinning for critical apps

# VPN Protocols
WireGuard                    # Modern, fast, secure
IKEv2/IPSec                  # Enterprise standard
OpenVPN                      # Mature, widely supported
Avoid: PPTP, L2TP            # Insecure protocols

# SSH Encryption
ssh-keygen -t ed25519                     # Generate Ed25519 key (fixed key size, -b does not apply)
ssh-keygen -t rsa -b 4096                 # Generate RSA key
ssh -o Ciphers=aes256-gcm@openssh.com     # Specify cipher
Protocol 2 only, disable root login

--- DATABASE ENCRYPTION ---

# SQL Server TDE (Transparent Data Encryption)
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'password';
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE Certificate';
USE database;
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
ALTER DATABASE database SET ENCRYPTION ON;

# MySQL/MariaDB
SET GLOBAL innodb_encrypt_tables = ON;              # Enable table encryption
CREATE TABLE encrypted_table (...) ENCRYPTED=YES;   # MariaDB syntax; MySQL uses ENCRYPTION='Y'

# PostgreSQL
initdb --auth-host=scram-sha-256 --auth-local=scram-sha-256 --data-checksums   # SCRAM instead of md5 password auth
ALTER SYSTEM SET ssl = on;

--- KEY MANAGEMENT ---

# Hardware Security Modules (HSM)
FIPS 140-2 Level 3+ certification required
Dedicated crypto processors
Tamper-resistant/tamper-evident
Key generation, storage, management

# Key Management Best Practices
Separate key management from data storage
Regular key rotation (annually minimum)
Multi-person control for critical keys
Secure key backup and recovery
Hardware-based key storage preferred

# Key Rotation Schedule
SSL/TLS certificates: 1-2 years maximum
Database encryption keys: Annually
Application secrets: Quarterly
SSH keys: Annually or on personnel changes

--- MOBILE DEVICE ENCRYPTION ---

# iOS Device Management
Device passcode + biometric authentication
FileVault equivalent always enabled
Remote wipe capabilities required
App-specific encryption for sensitive data

# Android Enterprise
Work profile encryption mandatory
Device admin policies enforced
Knox or equivalent security platform
Certificate-based authentication

--- COMPLIANCE REQUIREMENTS ---

# Common Standards
FIPS 140-2                   # US Government cryptographic standards
Common Criteria              # International security evaluation
PCI DSS                      # Payment card industry
HIPAA                        # Healthcare data protection
SOX                          # Financial reporting

# Encryption Requirements by Standard
PCI DSS: AES-256 minimum for cardholder data
HIPAA: AES-256 for PHI at rest and in transit
FIPS 140-2: Approved algorithms only
SOX: Strong encryption for financial data

--- INCIDENT RESPONSE ---

# Compromise Response
Immediate key rotation if compromise suspected
Revoke compromised certificates
Re-encrypt affected data with new keys
Forensic analysis of encryption logs
Update incident response procedures

# Recovery Procedures
Test key recovery procedures regularly
Multiple recovery methods available
Offline backup of recovery materials
Clear chain of custody documentation

--- MONITORING AND AUDITING ---

# Encryption Monitoring
Certificate expiration tracking
Key usage logging and analysis
Failed decryption attempt alerts
Compliance reporting automation

# Audit Requirements
Regular encryption policy reviews
Third-party security assessments
Penetration testing of crypto implementations
Key management process audits

===============================================================================
                                QUICK REFERENCE
===============================================================================

SECURE DEFAULTS:
- AES-256-GCM for symmetric encryption
- Ed25519 for SSH and signing
- SHA-256 minimum for hashing
- TLS 1.2+ for network encryption
- TPM 2.0 + PIN for disk encryption

AVOID AT ALL COSTS:
- DES, 3DES (broken/deprecated)
- MD5, SHA-1 (cryptographically broken)
- RC4 (stream cipher vulnerabilities)
- SSLv2, SSLv3, TLS 1.0/1.1 (protocol flaws)
- Custom/homebrew crypto implementations

===============================================================================
```