Encryption

The process of converting data into an unreadable format that can only be decoded with the correct key, protecting it from unauthorized access.

Encryption transforms readable data (plaintext) into an unreadable format (ciphertext) using a mathematical algorithm and a key. Only someone with the correct decryption key can reverse the process. It is the foundation of almost every security tool you use.

Encryption in Practice

  • In transit: A VPN encrypts your internet traffic. TLS/SSL encrypts your connection to websites (the padlock in your browser).
  • At rest: Full-disk encryption (FileVault, BitLocker) protects data on your device if it’s lost or stolen.
  • End-to-end (E2E): Only the sender and recipient can read the data. The service provider cannot. Used by password managers, Signal, Threema, and Proton Mail.

Why It Matters for Swiss Businesses

The nDSG requires “appropriate technical measures” to protect personal data. Encryption is explicitly mentioned in the accompanying ordinance as a recommended measure. In practice:

  • Customer data stored in databases should be encrypted at rest
  • Remote access to company systems should use an encrypted VPN connection
  • Email containing personal data should use TLS in transit at minimum, and E2E encryption for sensitive content
  • Backups should be encrypted to prevent data exposure if backup media is compromised

Common Encryption Standards

  • AES-256: The standard symmetric cipher for data at rest. Used by most password managers and full-disk encryption tools.
  • WireGuard / IPsec: Protocols used by modern VPNs to encrypt traffic in transit.
  • TLS 1.3: The current standard for encrypting web traffic.
  • RSA / ECC: Asymmetric encryption used for key exchange and digital signatures.

Encryption Alone Is Not Enough

Encryption protects data from unauthorized reading, but it does not prevent phishing (where you voluntarily hand over credentials), ransomware (which encrypts your data against you), or zero-day exploits that target the application layer. A complete security stack combines encryption with access controls (2FA), endpoint protection, and network security (firewalls).