Prepare for security interviews with 30+ questions on encryption, hashing, TLS, and data protection.
Symmetric: same key for encrypt/decrypt (AES-GCM, ChaCha20-Poly1305), fast, good for bulk data; the hard part is getting that key to the other party securely. Asymmetric: public/private key pairs (RSA, ECC), orders of magnitude slower, enables key agreement without a pre-shared secret and digital signatures. TLS uses both: asymmetric operations (ECDHE key agreement plus a certificate signature) establish and authenticate the session keys, then symmetric AEAD ciphers protect the data. Use symmetric for data at rest and in transit, asymmetric for key exchange and signatures, and prefer authenticated modes (AEAD) so integrity comes with confidentiality.
Hashing: one-way function with fixed output size, used for integrity verification and password storage (SHA-256 for integrity, bcrypt/Argon2 for passwords). Encryption: reversible with the key, used for confidentiality (AES). A sound hash is collision-resistant (infeasible to find two inputs with the same digest) and preimage-resistant (infeasible to recover an input from its digest); MD5 and SHA-1 are broken for collisions and should not be used for security. For passwords use a slow, salted hash (bcrypt, Argon2) rather than a fast general-purpose hash. A bare hash only detects accidental corruption; against an attacker who can replace the digest as well as the data you need an HMAC or a signature. Never roll your own crypto; use established libraries.
TLS handshake (TLS 1.3): (1) ClientHello with supported versions, cipher suites and an ECDHE key share, (2) ServerHello with the server's key share, followed by the certificate and a signature over the handshake transcript, (3) both sides derive session keys from the ECDHE shared secret, (4) Finished messages confirm the handshake, (5) application data under symmetric AEAD encryption. In TLS 1.2 the key exchange was a separate step after the ServerHello, costing an extra round trip; TLS 1.3 is 1-RTT and removed RSA key transport, non-AEAD ciphers and renegotiation. The certificate authenticates the server via the CA chain, but the client must also match the hostname against the certificate and check its validity period and revocation status; disabling any of these allows a man-in-the-middle. Use TLS 1.2+ only; disable SSLv3, TLS 1.0 and TLS 1.1.
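The last point, "use TLS 1.2+ and never disable validation", is a configuration question in practice. The following is an added example (not code from the original page): a hardened client `ssl.SSLContext` from the Python standard library next to the common "make the certificate error go away" anti-pattern, plus an `audit_context` function that flags the weak settings. Function names are mine; the checks mirror the answer above.

```python
import ssl

# Added example, not from the original page: hardened vs. weakened TLS client
# contexts and an audit that reports the settings the answer above warns about.


def hardened_client_context():
    """Client context that verifies the CA chain and hostname and refuses TLS < 1.2."""
    # create_default_context(): CERT_REQUIRED, check_hostname=True, system CA store.
    ctx = ssl.create_default_context()
    # Explicit protocol floor, independent of the Python/OpenSSL build defaults.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS-level compression leaks plaintext length (CRIME-style attacks); keep it off.
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def insecure_client_context():
    """The anti-pattern: certificate and hostname checks switched off to silence errors."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted: trivial MITM
    # Protocol floor left at the build default (TLS 1.2 on Python 3.10+, unset on older).
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    # TLSVersion is an IntEnum, so MINIMUM_SUPPORTED (-2) compares below TLSv1_2.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version not pinned to 1.2 or higher")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("insecure:", audit_context(insecure_client_context()))
```

Use `hardened_client_context()` with `ctx.wrap_socket(sock, server_hostname=host)`; the `server_hostname` argument is what the hostname check compares against, so omitting it fails the handshake rather than silently skipping the check. The audit runs on the context object alone, so it can be applied in a unit test or a pre-deploy check without network access.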
Key management: generating, storing, distributing, rotating, revoking, and destroying cryptographic keys over their whole lifecycle. Importance: keys are the security foundation; a compromised key means everything it protects is compromised, and a lost key means that data is unrecoverable. Best practices: generate keys from a CSPRNG and keep them in an HSM or KMS (AWS KMS, HashiCorp Vault) so they never leave that boundary in plaintext; use envelope encryption (per-object data keys wrapped by a master key) so rotation does not require re-encrypting everything; rotate on a schedule and immediately on suspected compromise, keeping older key versions available for decryption or verification only; use separate keys per environment and per purpose (signing vs. encryption); audit every key access; back keys up securely; and write the lifecycle policy down.
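To make the rotation and retirement part concrete, here is an added example (not from the original page, and not how any particular KMS is implemented): a small in-process keyring for HMAC signing keys. Every signature carries the ID of the key that produced it, so rotating to a new key does not invalidate data signed under the old one until that key is deliberately retired. The class and method names are assumptions for illustration; a production system would hold the key material in a KMS or HSM, but the lifecycle logic is the same.

```python
import hashlib
import hmac
import secrets

# Added example, not from the original page: a keyring that walks through the
# lifecycle described above (generate, rotate, retire/destroy) for HMAC keys.
# Key IDs travel with signatures so old data stays verifiable during a grace
# period after rotation.


class KeyRing:
    def __init__(self):
        self._keys = {}        # key_id -> 32-byte key; present means usable for verify
        self._counter = 0      # monotonically increasing, so retired IDs are never reused
        self.current_key_id = None
        self.rotate()

    def rotate(self):
        """Generate a fresh 256-bit key from the OS CSPRNG and make it the signing key.
        Older keys stay in the ring for verification only."""
        self._counter += 1
        kid = f"k{self._counter}"
        self._keys[kid] = secrets.token_bytes(32)
        self.current_key_id = kid
        return kid

    def retire(self, kid):
        """Destroy a key once its grace period ends; signatures under it stop verifying."""
        if kid == self.current_key_id:
            raise ValueError("rotate before retiring the current key")
        del self._keys[kid]

    def sign(self, message: bytes) -> str:
        """Return '<key_id>:<hex HMAC-SHA256>' computed with the current key."""
        tag = hmac.new(self._keys[self.current_key_id], message, hashlib.sha256).hexdigest()
        return f"{self.current_key_id}:{tag}"

    def verify(self, message: bytes, signature: str) -> bool:
        """Look up the key named in the signature; unknown or retired keys fail closed."""
        kid, _, tag = signature.partition(":")
        key = self._keys.get(kid)
        if key is None:
            return False
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)   # constant-time comparison


if __name__ == "__main__":
    ring = KeyRing()
    sig = ring.sign(b"session=abc123")
    ring.rotate()
    print("old signature still valid after rotation:", ring.verify(b"session=abc123", sig))
```

The same structure applies to encryption keys: the key ID stored with each ciphertext selects the key for decryption, new writes use the current key, and a background job re-encrypts old records before the old key is retired. Rotating without a key ID, by contrast, forces an all-or-nothing cutover.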
Never store passwords in plaintext or under reversible encryption. Use: slow adaptive hashing (Argon2id, bcrypt, scrypt), a unique random salt per password (generated automatically by bcrypt and Argon2 libraries), and a work factor tuned so one hash takes roughly 100 ms on your hardware, raised over time with old records rehashed on the user's next successful login. Don't use: MD5, SHA-1 or a single round of SHA-256 (fast hashes are built for GPU cracking), a shared salt, or a home-made scheme. Store the algorithm and its parameters with each hash so you can migrate, and compare digests in constant time. Additional: rate limit login attempts, add friction or lockout after repeated failures (weighing the denial-of-service risk of lockout), support MFA, and consider passwordless options.
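The password-storage guidance above (and the hashing-versus-encryption answer earlier) comes down to a few lines of code that are easy to get subtly wrong. The following is an added example, not from the original page: scrypt-based password storage using only the Python standard library (`hashlib.scrypt`, which needs an OpenSSL build with scrypt support; Argon2id would be the first choice but requires a third-party package). Each stored record carries the algorithm, parameters and salt, so the work factor can be raised later and old hashes upgraded transparently at login. The record format and the `PARAMS` values are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not from the original page: salted, tunable password hashing
# with hashlib.scrypt, constant-time verification, and rehash-on-login when the
# work factor policy is tightened.

# Assumed policy for this example. Tune n so one hash takes ~100 ms on your
# servers; n=2**14 keeps the example fast. Memory use is about 128 * n * r bytes
# (16 MiB here), and maxmem must allow it.
PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
MAXMEM = 64 * 1024 * 1024


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_password(password: str, params=PARAMS) -> str:
    """Return a self-describing record: $scrypt$n=..,r=..,p=..$<salt>$<digest>."""
    salt = secrets.token_bytes(16)  # unique random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt, maxmem=MAXMEM, dklen=32, **params)
    return "$scrypt$n={n},r={r},p={p}${salt}${digest}".format(
        **params, salt=_b64(salt), digest=_b64(digest))


def _parse(record: str):
    """Split a record into (params, salt, digest); rejects unknown algorithms."""
    _, alg, param_str, salt, digest = record.split("$")
    if alg != "scrypt":
        raise ValueError("unsupported password hash algorithm")
    params = {k: int(v) for k, v in (kv.split("=") for kv in param_str.split(","))}
    return params, base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    params, salt, stored = _parse(record)
    digest = hashlib.scrypt(password.encode(), salt=salt, maxmem=MAXMEM,
                            dklen=len(stored), **params)
    return hmac.compare_digest(digest, stored)


def needs_rehash(record: str, params=PARAMS) -> bool:
    """True when the stored record was produced with weaker parameters than policy."""
    stored_params, _, _ = _parse(record)
    return any(stored_params[k] < params[k] for k in params)


def check_login(record: str, password: str, params=PARAMS):
    """Verify, and transparently upgrade the stored hash if policy has tightened.
    Returns (ok, record_to_store)."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, params):
        return True, hash_password(password, params)
    return True, record


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify:", verify_password("correct horse battery staple", rec))
    print("needs rehash under n=2**15:", needs_rehash(rec, {"n": 2 ** 15, "r": 8, "p": 1}))
```

Two things to notice: the salt is never a secret and lives in the record, because its job is only to make every hash unique, and the comparison uses `hmac.compare_digest` rather than `==` so verification time does not depend on how many leading bytes match. The `check_login` step is what lets you raise the work factor across an existing user base without a forced password reset.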