Modern Encryption for Developers: AES-GCM, RSA, and Key Rotation

author: Swadhin Biswas read: 1 min
Encryption, Backend

Modern Encryption for Developers

Use authenticated encryption by default.

Recommended defaults

  • Data at rest: AES-256-GCM
  • Key exchange: X25519 / TLS 1.3
  • Signing: Ed25519

Envelope encryption flow

flowchart LR
  A[App] --> B[Generate DEK]
  B --> C[Encrypt payload with AES-GCM]
  C --> D[Wrap DEK with KMS key]
  D --> E[Store ciphertext + wrapped DEK]

Rotate keys regularly and audit all decryption paths.
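
The envelope flow and the rotation advice above, as an added example that is not code from the original post. It uses Node's built-in crypto module; the in-memory `kms` map is a hypothetical stand-in for a real KMS, and `recordId` and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM seal: fresh 96-bit nonce per call; output is nonce || tag || ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Inverse of seal; final() throws if key, AAD, tag or ciphertext do not match.
function unseal(key, blob, aad) {
  if (blob.length < 28) throw new Error('blob too short');
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Hypothetical stand-in for a KMS: key-encryption keys (KEKs) by id, held in memory.
// With a real KMS the KEK never leaves the service; only wrap/unwrap calls are made.
const kms = { 'kek-v1': crypto.randomBytes(32), 'kek-v2': crypto.randomBytes(32) };

function encryptRecord(recordId, kekId, payload) {
  const aad = Buffer.from(recordId);                        // binds blobs to this record
  const dek = crypto.randomBytes(32);                       // Generate DEK
  const ciphertext = seal(dek, Buffer.from(payload), aad);  // Encrypt payload with AES-GCM
  const wrappedDek = seal(kms[kekId], dek, aad);            // Wrap DEK with KMS key
  return { recordId, kekId, wrappedDek, ciphertext };       // Store ciphertext + wrapped DEK
}

function decryptRecord(rec) {
  const aad = Buffer.from(rec.recordId);
  const dek = unseal(kms[rec.kekId], rec.wrappedDek, aad);
  return unseal(dek, rec.ciphertext, aad).toString();
}

// Rotation: re-wrap only the DEK under the new KEK; the payload ciphertext is untouched.
function rotate(rec, newKekId) {
  const aad = Buffer.from(rec.recordId);
  const dek = unseal(kms[rec.kekId], rec.wrappedDek, aad);
  return { ...rec, kekId: newKekId, wrappedDek: seal(kms[newKekId], dek, aad) };
}
```

Because the record id is passed as additional authenticated data, a ciphertext or wrapped DEK copied onto another record fails authentication instead of decrypting.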