---
title: "AP Cybersecurity 5.3: Protecting Stored Data with Cryptography"
description: "Learn how encryption protects stored files in AP Cybersecurity. Covers symmetric vs asymmetric, AES, keyspace, and OpenSSL commands for topic 5.3."
canonical: "https://fiveable.me/ap-cybersecurity/unit-5/protecting-stored-data-with-cryptography/study-guide/pVI6SOT7HBVhSMIqKTXG"
type: "study-guide"
subject: "AP Cybersecurity"
unit: "Unit 5 – Securing Applications and Data"
lastUpdated: "2026-06-18"
---

# AP Cybersecurity 5.3: Protecting Stored Data with Cryptography

## TLDR
[Cryptography](/ap-cybersecurity/key-terms/cryptography) protects stored data by turning readable files into scrambled output that only someone with the right key can reverse. In [AP Cybersecurity](/ap-cybersecurity "fv-autolink"), this topic covers how [encryption](/ap-cybersecurity/key-terms/encryption) and [decryption](/ap-cybersecurity/key-terms/decryption) work, the categories that classify algorithms (symmetric vs asymmetric, block vs stream), and how to run [AES encryption](/ap-cybersecurity/unit-3/protecting-networks-managerial-controls-and-wireless-security/study-guide/aihx7DE7KUuSOsZ3dgwk "fv-autolink") on a file with OpenSSL.

## Why This Matters for the AP Cybersecurity Exam

This topic connects directly to one of the core goals of defense: protecting the [confidentiality](/ap-cybersecurity/key-terms/confidentiality "fv-autolink") of data even when an [adversary](/ap-cybersecurity/key-terms/adversary "fv-autolink") gets physical access to a device. If you understand how encryption hides information and why key length matters, you can explain mitigations for stolen drives, lost laptops, and exposed files.

Expect to apply this thinking in two ways. First, you need to explain how encryption protects files using the right vocabulary ([plaintext](/ap-cybersecurity/key-terms/plaintext), [ciphertext](/ap-cybersecurity/key-terms/ciphertext), key, [keyspace](/ap-cybersecurity/key-terms/keyspace "fv-autolink")). Second, you need to apply [symmetric encryption](/ap-cybersecurity/key-terms/symmetric-encryption) by reading and using AES commands in a tool like OpenSSL. Being comfortable with both the concepts and the actual commands is what makes this topic test-ready.

## Key Takeaways

- Encryption hides readable [plaintext](/ap-cybersecurity/key-terms/plaintext "fv-autolink") as scrambled [ciphertext](/ap-cybersecurity/key-terms/ciphertext "fv-autolink"), and decryption reverses it using the correct key.
- Keyspace is the total number of possible keys; a larger keyspace makes [brute force attacks](/ap-cybersecurity/unit-4/authentication/study-guide/8fehxw1s1LZlYi1K3rm7 "fv-autolink") take far longer.
- [Symmetric encryption](/ap-cybersecurity/key-terms/symmetric-encryption "fv-autolink") uses one key for both directions; asymmetric uses two different keys.
- Block ciphers process fixed-size chunks of data; stream ciphers process data continuously, one element at a time.
- AES is the most common symmetric block cipher, encrypts in 128-bit blocks, and supports different [key lengths](/ap-cybersecurity/unit-5/protecting-applications-and-data-managerial-controls-and-access-controls/study-guide/tZFME9LjYUHiIc9fHQE2 "fv-autolink").
- OpenSSL can encrypt and decrypt files from the command line, deriving the key from a [password](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN "fv-autolink") you supply.

## How Encryption Protects Files

The whole point of [cryptography](/ap-cybersecurity/key-terms/cryptography "fv-autolink") is to hide information so that only the right people can read it. A cryptographic algorithm is the recipe that spells out exactly how to scramble and unscramble data.

Two key processes do the work:

- **Encryption** takes readable information and hides it.
- **Decryption** reverses the encryption to get the original information back.

So if you encrypt a file with your bank statements and then someone steals your hard drive, all they see is garbled output. Without the right key, they cannot decrypt it back into anything useful.

### Plaintext, Ciphertext, and Keys

Every encryption algorithm needs two ingredients: the data you want to hide and a key. The algorithm combines them to produce scrambled output.

- **Plaintext**: the original, readable information going into the algorithm
- **Ciphertext**: the scrambled output that comes out the other side
- **Key**: a secret value the algorithm uses to do the scrambling

Think of plaintext as the message "Meet me at 5pm," ciphertext as something like `8f3a9b2c1d...`, and the key as the password that makes the scrambling work. Without the key, even someone who knows exactly which algorithm you used cannot easily get the plaintext back.

### Keyspace and Why It Matters

The [keyspace](/ap-cybersecurity/key-terms/keyspace) is the total number of possible keys an encryption algorithm could use. If an attacker does not know your key, one option they have is to try every possible key until one works. This is called a [brute force attack](/ap-cybersecurity/key-terms/brute-force-attack "fv-autolink").

A bigger keyspace means more keys to try, which means more time to crack. A key that is 128 bits long has $$2^{128}$$ possible values. That is a number with 39 digits. Even with massive computing power, brute forcing a 128-bit key would take an impractically long time. That is why key length matters so much.

### Symmetric vs Asymmetric

Algorithms get sorted into two big categories based on how many keys they use.

- **Symmetric** encryption uses the *same key* to encrypt and decrypt. If you encrypt a file with the key `hunter2`, you need that same `hunter2` to decrypt it. Fast and efficient, but you have to find a safe way to share the key with anyone who needs it.
- **Asymmetric** encryption uses *two different keys*. One key encrypts, and a different key decrypts. This solves the key-sharing problem but is slower.

For protecting files on your own device, symmetric encryption is usually the go-to because it is faster and you do not need to share the key with anyone else.

### Block vs Stream

Algorithms also get classified by *how* they process data.

- **Block encryption** handles data in fixed-size chunks called blocks. Feed it a block of plaintext, and it produces a block of ciphertext.
- **Stream encryption** handles data continuously, producing output one element at a time as it flows through. Useful for situations like live audio or video where data arrives in a stream.

A quick way to keep these straight: block ciphers work like a factory stamping out boxes of fixed size, while stream ciphers work like water flowing through a pipe.

## AES: The Standard Symmetric Algorithm

When real systems encrypt files, Wi-Fi traffic, or web sessions, the algorithm doing the work is almost always [AES](/ap-cybersecurity/key-terms/aes), the Advanced Encryption Standard. It is the most common symmetric encryption algorithm in use today.

You will find AES protecting:

- Wi-Fi transmissions
- Internet browsing
- File encryption on disks
- Hardware-level encryption built into processors

As an example of these applications, full-disk encryption tools and modern processors often rely on AES under the hood, but the AP focus is on recognizing where AES is used rather than memorizing every product name.

### How AES Works at a High Level

AES is a symmetric key block cipher. Breaking down what that means:

- *Symmetric*: the same key encrypts and decrypts
- *Block cipher*: it operates on fixed-size chunks
- AES specifically uses 128-bit blocks, which is 16 bytes at a time

AES does not lock you into one key length. It can operate with keys of varying lengths. Longer keys are more secure because the keyspace is bigger, but they also take more time to encrypt and decrypt. For most everyday uses, a shorter key is plenty strong, while highly [sensitive data](/ap-cybersecurity/key-terms/sensitive-data "fv-autolink") often uses a longer key.

Computer-based encryption algorithms like AES operate on binary data, meaning they work with the raw 1s and 0s that make up your file. They do not care whether the file is a photo, a PDF, or a text document. It is all just bits to AES.

## Encrypting and Decrypting Files in Practice

You have a few options for actually running AES on a file:

- **Command line tools** like OpenSSL, where you type commands directly
- **Specialized software** like AES Crypt, an open source app with a simple interface
- **Web-based tools** that let you encrypt files in a browser

For this part of the course, you should know how to use OpenSSL on the command line.

### Encrypting a File with OpenSSL

Say you have a file called `test` that you want to encrypt. Here is the command:

```
openssl enc -aes-128-cbc -e -in test -k password -out test.enc
```

Breaking this down piece by piece:

- `openssl enc` calls the OpenSSL encryption tool
- `-aes-128-cbc` picks the algorithm: AES with a 128-bit key, using CBC mode
- `-e` says "encrypt" (as opposed to decrypt)
- `-in test` is the input file (your plaintext)
- `-k password` provides the password that the key is derived from
- `-out test.enc` is the output file (your ciphertext)

After running this, you will have a new file called `test.enc` that contains the encrypted version. If you try to open it in a text editor, you will see scrambled junk instead of your original content.

One thing worth noticing: you do not hand OpenSSL the raw key directly. You give it a *password*, and OpenSSL derives the key from that password. The actual key the AES algorithm uses gets generated from your password behind the scenes.

### Decrypting the File

To get your original file back, run almost the same command with one change:

```
openssl enc -aes-128-cbc -d -in test.enc -k password -out text
```

The differences:

- `-d` instead of `-e` tells OpenSSL to decrypt
- `-in test.enc` is now the encrypted file
- `-out text` is where the decrypted plaintext gets written

You have to use the exact same password you used to encrypt. Since AES is symmetric, the same key (derived from the same password) handles both directions. Mistype the password and you will get either an error or a file full of garbage, because the wrong key produces wrong output.
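
The two commands above as one runnable round trip (an added example, not part of the original guide): it encrypts a constructed sample file, checks that the right password restores it and a wrong one does not, and prints the AES key OpenSSL derives from the password. The function names, sample text, salt and the `passw0rd` guess are assumptions made for the demo, and `-pbkdf2` (OpenSSL 1.1.1 or later) is added to the guide's commands because current OpenSSL warns that its default password-to-key derivation is deprecated.

```bash
#!/usr/bin/env bash
# Added example, not from the study guide. File names, sample text, salt and
# passwords are constructed for the demo.

# $1 = plaintext file, $2 = ciphertext file, $3 = password.
# The guide's command plus -pbkdf2 (stronger password-to-key derivation).
encrypt_file() {
    openssl enc -aes-128-cbc -e -pbkdf2 -in "$1" -k "$3" -out "$2"
}

# $1 = ciphertext file, $2 = output file, $3 = password.
decrypt_file() {
    openssl enc -aes-128-cbc -d -pbkdf2 -in "$1" -k "$3" -out "$2" 2>/dev/null
}

# Succeeds only if decryption worked AND the output equals the original.
# A wrong password normally fails with "bad decrypt"; occasionally the padding
# check passes by chance and garbage is written, so compare the bytes too.
roundtrip_ok() {    # $1 = original, $2 = ciphertext, $3 = password
    local out rc=0
    out=$(mktemp) || return 1
    decrypt_file "$2" "$out" "$3" && cmp -s "$1" "$out" || rc=$?
    rm -f "$out"
    return "$rc"
}

# Bytes of ciphertext after the 16-byte header ("Salted__" + 8-byte salt).
# CBC pads the plaintext, so this is always a multiple of the 16-byte block.
cipher_body_len() { # $1 = ciphertext file
    echo $(( $(wc -c < "$1") - 16 ))
}

# The AES key derived from a password and a salt given as 16 hex digits.
# -P prints salt, key and IV, then exits without encrypting anything.
derived_key() {     # $1 = password, $2 = salt
    openssl enc -aes-128-cbc -pbkdf2 -k "$1" -S "$2" -P </dev/null |
        sed -n 's/^key=//p'
}

demo() {
    local dir
    dir=$(mktemp -d) || return 1
    printf 'Account 1234: balance 5,000 USD\n' > "$dir/test"   # 32 bytes
    encrypt_file "$dir/test" "$dir/test.enc" 'password' || return 1

    echo "header: $(head -c 8 "$dir/test.enc")"
    echo "ciphertext body: $(cipher_body_len "$dir/test.enc") bytes"
    roundtrip_ok "$dir/test" "$dir/test.enc" 'password' &&
        echo "right password: plaintext recovered"
    roundtrip_ok "$dir/test" "$dir/test.enc" 'passw0rd' ||
        echo "wrong password: plaintext not recovered"
    echo "key derived from 'password': $(derived_key 'password' 0102030405060708)"
    rm -rf "$dir"
}

demo
```

Outside a classroom demo, `-k password` leaves the password in shell history and the process list; `-pass file:` or `-pass env:` keeps it off the command line.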

### Other Tools for the Same Job

OpenSSL is not your only option. AES Crypt is an open source tool that can encrypt and decrypt files. There are also web-based tools where you upload a file in a browser and get back the encrypted version.

The underlying process is the same across all these tools. What changes is the interface. Behind the scenes, they are all running AES on your data.

## How to Use This on the AP Cybersecurity Exam

### Explaining Encryption

When asked to explain how encryption protects a file, use the vocabulary precisely. Name the plaintext (the original file), the key (often derived from a password), the algorithm (AES, a symmetric block cipher), and the ciphertext (the scrambled output). Tie it back to confidentiality: even if an adversary steals the device, they cannot read the data without the key.

### Code Tracing OpenSSL Commands

Be ready to read an OpenSSL command and explain what each flag does. The most important contrast is `-e` (encrypt) versus `-d` (decrypt), plus identifying the input file, output file, and password. If a question swaps the input and output files or changes the password, predict the result: wrong password means the decryption fails or produces garbage.

### Connecting the Vocabulary

Here is how the terms connect when you encrypt a real file:

1. Your file (`test`) is the plaintext.
2. Your password is turned into a key.
3. AES is the cryptographic algorithm, and it is symmetric and a block cipher.
4. The algorithm processes your file in 128-bit blocks.
5. The output (`test.enc`) is the ciphertext.
6. To decrypt, you run the same algorithm with the same key and get your plaintext back.

### Common Trap

Watch for questions that confuse keyspace with file size or that assume a longer key is always the right choice. Longer keys raise security but cost more time. Match the key length to how sensitive the data is.

## Common Misconceptions

- **Encryption and hashing are not the same.** Encryption is reversible with the right key; this topic is about hiding data so it can be retrieved later, not about one-way functions.
- **The password is not the key itself.** With OpenSSL, the key is derived from the password you supply, so the algorithm works on a generated key rather than your typed text.
- **Symmetric does not mean weak.** Using one key for both directions is fast and secure as long as the key stays secret; the tradeoff is the challenge of sharing that key safely.
- **A bigger keyspace is about the number of possible keys, not the size of your file.** Keyspace depends on key length, which is why a 128-bit key has $$2^{128}$$ possibilities.
- **Knowing the algorithm does not break the encryption.** AES is public and well known; security comes from keeping the key secret, not from hiding which algorithm you used.

## Vocabulary

- **AES Crypt**: An open-source specialized software tool that can encrypt and decrypt files using AES encryption.
- **Advanced Encryption Standard (AES)**: The most common symmetric encryption algorithm used to secure data in Wi-Fi transmissions, internet browsing, file encryption, and hardware-level encryption.
- **OpenSSL**: A command-line tool used to perform asymmetric encryption and decryption operations, as well as generate and manage cryptographic keys.
- **asymmetric encryption**: A cryptographic method that uses a pair of keys (public and private) to encrypt and decrypt data, where the public key encrypts and the private key decrypts.
- **binary data**: Data represented in the form of 0s and 1s that encryption algorithms operate on.
- **block cipher**: A symmetric encryption algorithm that encrypts data in fixed-size blocks, such as AES which operates on 128-bit blocks.
- **block encryption**: A cryptographic method that processes information in fixed-size chunks called blocks, producing one output block for each input block.
- **ciphertext**: The encrypted output produced by an encryption algorithm when plaintext is combined with a key.
- **cryptographic algorithm**: A mathematical process that defines how to encrypt and decrypt information using a key.
- **cryptography**: The practice of using algorithms and keys to hide information and protect it from unauthorized access.
- **decryption**: The process of reversing encryption to retrieve the original information from ciphertext.
- **encryption**: A security technique that converts data into an unreadable format to prevent unauthorized access if data are stolen or intercepted.
- **encryption key**: A string of bits used in a cryptographic algorithm to encrypt and decrypt data.
- **key**: A predefined value used in a cryptographic algorithm to encrypt and decrypt information.
- **keyspace**: The total number of possible keys that can be used in an encryption algorithm; a larger keyspace increases security by making brute-force attacks more difficult.
- **plaintext**: The original, unencrypted information that is input into an encryption algorithm.
- **stream encryption**: A cryptographic method that processes input information continuously, producing output one element at a time.
- **symmetric encryption**: A cryptographic method that uses the same key to both encrypt and decrypt information.

## FAQs

### What is the difference between symmetric and asymmetric encryption in AP Cybersecurity?

Symmetric encryption uses the same key to both encrypt and decrypt data, while asymmetric encryption uses two different keys: one to encrypt and a separate one to decrypt. For protecting files on a single device, symmetric encryption is typically preferred because it is faster and no key needs to be shared with another party.

### What is keyspace and why does it matter for encryption security?

Keyspace is the total number of possible keys an encryption algorithm could use. A larger keyspace means an attacker attempting a brute force attack must try far more keys, making it take much longer to find the correct one by random chance.

### How does AES encryption work in AP Cybersecurity topic 5.3?

AES (Advanced Encryption Standard) is a symmetric key block cipher that processes data in fixed 128-bit blocks (16 bytes at a time). It supports keys of varying lengths, where longer keys provide stronger security but require more time to encrypt and decrypt.

### How do you encrypt and decrypt a file using OpenSSL on the command line?

To encrypt a file named `test` with a 128-bit AES key, use: `openssl enc -aes-128-cbc -e -in test -k password -out test.enc`. To decrypt it, run the same command but replace `-e` with `-d`, swap the input and output files, and use the same password. Since AES is symmetric, the same derived key handles both directions.

### What is the difference between block ciphers and stream ciphers?

Block ciphers process data in fixed-size chunks, producing an output block for each input block, while stream ciphers handle data continuously and produce output one element at a time. AES is a block cipher that works on 128-bit blocks.

