====== Encryption ======

===== Data at rest =====

When data is stored at rest on a hard drive, there are ways to encrypt it:
  * Windows: BitLocker (full-disk encryption) and EFS (Encrypting File System, per-file encryption)
  * macOS: FileVault
  * Databases: data may also be encrypted per column or per record, so that a dump of the table does not expose the protected fields

===== Data in transit =====

Another place encryption is important is when transferring data across a network. In the browser the technology is HTTPS, i.e. HTTP carried over TLS; SSL is the deprecated predecessor of TLS and should no longer be enabled.

For encryption and decryption to work, both sides must agree on the same algorithm and the same key size. Popular standards are DES (Data Encryption Standard, now deprecated because its 56-bit key can be brute-forced) and AES (Advanced Encryption Standard) with 128- or 256-bit keys, sizes large enough that brute-force cracking is infeasible.

As time goes on and cracking techniques improve, sometimes we have to stretch keys: a key derived from a password is run through a hash function over and over (tens or hundreds of thousands of iterations, e.g. PBKDF2), and the iteration count is raised as hardware gets faster, so that each guess costs an attacker more work. Stretching matters for password-derived keys; a randomly generated 128- or 256-bit AES key is already too large to guess and does not need it.

===== Trusted Platform Module (TPM) =====

  * a specification for cryptographic methods, implemented as a dedicated chip or firmware on one device
  * persistent memory: the keys are burned in and cannot be read back out
  * provides encryption for a single device

===== Hardware Security Module (HSM) =====

In a data center you would need a hardware security module (HSM):
  * used in large environments and clusters
  * securely stores thousands of crypto keys
  * may have a component specifically designed to perform cryptographic functions, so keys never leave the module

===== Key Management System (KMS) =====

  * manage all keys from a single console
  * keeps keys separate from the data you are trying to protect
  * logs key use and important events
  * rotates keys at regular intervals
  * may track things like keys used for SSH access and SSL/TLS keys for servers

===== Secure Enclave =====

  * a protected area for secrets
  * isolated from the main processor
  * performs AES encryption in hardware and monitors the system boot process
  * holds the root crypto keys
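The two points above about agreeing on an algorithm and stretching keys fit together in how password-derived keys are usually stored. The following is an added example, not code from these notes: it uses PBKDF2-HMAC-SHA256 from the Python standard library, stores the algorithm name, iteration count and salt alongside the derived key in a self-describing record (the `$`-separated layout is this example's own choice, modelled on crypt-style hashes), and flags records whose iteration count has fallen below the current policy so they can be re-stretched on next login. The `ITERATIONS` value is an illustrative policy setting, not one the notes prescribe.

```python
import hashlib
import hmac
import os

# Current policy: algorithm, derived-key size and iteration count considered
# strong today. These are this example's choices; raise ITERATIONS over time.
ALGORITHM = "pbkdf2_sha256"
KEY_BYTES = 32          # 256-bit derived key
ITERATIONS = 600_000    # cost factor; the whole point of key stretching


def derive_key(password: str, salt: bytes, iterations: int, key_bytes: int = KEY_BYTES) -> bytes:
    """Key stretching: run the password through HMAC-SHA256 `iterations` times (PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=key_bytes)


def store(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$key (salt and key in hex).

    Recording the parameters is what lets the verifying side use the same
    algorithm, salt and iteration count later.
    """
    salt = os.urandom(16)                       # fresh random salt per record
    key = derive_key(password, salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def parse(record: str) -> tuple[int, bytes, bytes]:
    """Split a stored record into (iterations, salt, expected_key); reject unknown algorithms."""
    algorithm, iterations, salt_hex, key_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    iterations, salt, expected = parse(record)
    candidate = derive_key(password, salt, iterations, len(expected))
    # compare_digest does not short-circuit, so timing does not reveal how many bytes matched
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when the record was stretched with fewer iterations than current policy."""
    iterations, _salt, _key = parse(record)
    return iterations < ITERATIONS


if __name__ == "__main__":
    # Constructed sample: a record written years ago with a low iteration count.
    old = store("correct horse battery staple", iterations=10_000)
    print(verify("correct horse battery staple", old), needs_rehash(old))   # True True
    # After a successful login the record would be re-stored under current policy.
    new = store("correct horse battery staple")
    print(verify("correct horse battery staple", new), needs_rehash(new))   # True False
    print(verify("wrong password", new))                                     # False
```

The same pattern generalises to any stretched key: because each record carries its own parameters, old records keep verifying after the policy changes, and `needs_rehash` tells the application which ones to upgrade the next time the plaintext password is available.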