Skip to content
All articles
July 14, 2026 11 min read

Encryption, Hashing, Tokenization, Masking: How Data Protection Actually Works

Chris Rees

Chris Rees

25+ years in IT · Pluralsight author, 4.6/5 across 2,000+ ratings

Every breach headline is ultimately a data-protection failure. Security+ Domain 3 hands you a toolkit — encryption, hashing, tokenization, masking, obfuscation, segmentation — and the exam's favorite trick is asking which tool fits which job. The trick stops working once you see that every method answers the same three questions: what state is the data in, does anyone ever need the original back, and who is allowed to see it?

Start with state: at rest, in transit, in use

Data doesn't have one attack surface — it has three, and each state has different natural defenses. This is the single most-tested mental model in objective 3.3.

The three states of data — at rest on storage, in transit across networks, and in use in memory — each with its primary protections At rest disks, databases, backups, buckets FDE, volume/file/db encryption, permissions In transit moving across any network, internal too TLS, IPSec, VPN, transport encryption In use loaded in RAM and CPU, being processed secure enclaves, access control, masking in UIs The hardest state to protect is in use — data must be readable to be processed, so controls shift to who and what can touch it.
Three states, three defense profiles. Exam questions almost always tell you the state — "on the backup tapes," "between the branch offices," "displayed to support staff" — and expect you to match the control.

Notice the asymmetry: at rest and in transit have a dominant answer (encryption), while in use is the awkward one. A database has to decrypt a record to query it; an app has to hold a card number in memory to charge it. That's exactly why the non-encryption methods below exist — most of them are ways of protecting data while it's being used.

Classify before you protect

You can't pick a proportionate control until you know what the data is worth. The exam splits this into types (what the data is) and classifications (how sensitive it is):

Data type Examples Typical obligations
Regulated PII, PHI, cardholder data Laws and standards (GDPR, HIPAA, PCI DSS) dictate controls
Intellectual property source code, designs Protect competitive value; NDAs, access control
Legal information contracts, case files Privilege and retention requirements
Financial information ledgers, payment records Integrity and audit trails matter as much as secrecy
Trade secrets formulas, algorithms Value exists only while secret — strictest handling

Classifications — public, restricted, private, confidential, critical — set the floor for handling. The practical rule the exam rewards: classification drives method. Public data needs integrity, not secrecy. Critical data justifies layered controls: encrypted at rest, tokenized in the application, masked in every UI.

The reversibility axis

Here's the frame that makes the methods stop blurring together. Ask one question: can you get the original data back, and if so, with what?

  • Encryption — reversible with the key.
  • Tokenization — reversible with the vault (the token itself is mathematically meaningless).
  • Masking — partially or fully irreversible; the real value is replaced for display.
  • Hashing — irreversible by design; you can verify, never recover.
  • Obfuscation — the umbrella term: making data hard to interpret (masking and tokenization are both forms of it, as is steganography).

Encryption: reversible, key-controlled

Encryption transforms plaintext into ciphertext with an algorithm and a key. Security+ cares less about the math than about where you apply it, because each level trades protection breadth against granularity:

  • Full-disk encryption (FDE) protects everything on a lost or stolen device — but once the machine is booted and unlocked, files are transparently readable. FDE defends against physical theft, not a logged-in attacker.
  • Partition and volume encryption scope the same idea to part of a disk or a mounted volume (including cloud block storage).
  • File-level encryption follows the file wherever it's copied — finer control, more key management.
  • Database encryption at the whole-database level protects the files; record-level encryption encrypts individual rows or columns, so a compromised report server that can read the database still can't read the card-number column.
  • Transport encryption (TLS, IPSec) covers the in-transit state.
The exam pattern: when a question says the laptop was stolen, the answer is FDE. When it says an attacker with database access read specific sensitive columns, the answer is record-level (column) encryption. Match the blast radius in the question to the granularity of the control.

Encryption's weak point is never the algorithm — it's key management. A key stored next to the ciphertext is a padlock with the key taped to it, which is why real deployments center on HSMs, key-management services, and separating key access from data access.

Hashing: one-way, integrity and verification

A hash function digests any input into a fixed-length fingerprint. Change one bit of input and the output changes completely; and there is no path backward. That makes hashing the tool when you need to verify data, not read it: password storage, file-integrity checks, evidence integrity in forensics.

For passwords, plain hashing isn't enough — identical passwords hash identically, enabling precomputed rainbow-table attacks. Salting appends a unique random value to each password before hashing, so two users with the same password produce different digests and precomputation becomes useless.

Tokenization: substitution with a vault

Tokenization replaces a sensitive value with a token — a stand-in with no mathematical relationship to the original. The mapping lives in a hardened token vault, and only the vault can translate back.

Tokenization flow: the card number goes to the token vault, a token comes back, and downstream systems only ever store and pass the token Real value 4111 1111 1111 1111 Token vault hardened, audited, isolated Token tok_8f3ka92mzq114 Order system · analytics · logs · backups · support tools …all store only the token Steal any downstream database and you get tokens — worthless without the vault. This is also how tokenization shrinks a PCI DSS compliance scope to the vault itself.
Unlike encryption, there's no key that unlocks a token — the mapping exists only in the vault. Compromising downstream systems yields nothing sensitive.

The contrast with encryption is the exam's favorite distinction: encrypted data is recoverable anywhere the key exists; a token is recoverable only where the vault is. That's why payment systems tokenize — it concentrates all the risk (and the compliance burden) into one heavily defended component.

Masking and obfuscation: protect the display

Masking replaces some or all of a value with placeholder characters — the ****-1111 on your receipt. The support agent can confirm your card without ever seeing it. Masking is the right answer when the question is about exposure to people: screenshots, receipts, call-center screens, test datasets.

Obfuscation is the broader family — any technique that makes data difficult to interpret, including masking, tokenization, and steganography (hiding data inside other data, like a watermark in an image). Obfuscation raises the cost of understanding data; it's a layer, not a substitute for encryption.

Segmentation and permission restrictions

The last two methods protect data by controlling reachability rather than transforming the data itself. Segmentation isolates data stores on their own network zones so a compromised workstation can't even route to the crown jewels. Permission restrictions are classic least-privilege access control — need-to-know enforced at the file, table, and API layer. In practice these are the always-on baseline underneath every other method: encryption without access control just moves the problem to whoever holds the key.

The toolkit on one page

Method Reversible? Best for Watch out for
Encryption Yes — with the key At rest and in transit; whole disks down to single columns Key management is the real attack surface
Hashing (+ salt) No Passwords, integrity verification Unsalted hashes fall to rainbow tables
Tokenization Only via the vault Payment data, IDs used across many systems The vault is a high-value target — harden it
Masking No (for the viewer) Displaying partial data to people; test data Protects display, not storage
Obfuscation Varies Raising attacker cost; watermarking Never sufficient alone
Segmentation n/a Making data unreachable from compromised zones Flat networks defeat it
Permission restrictions n/a Least-privilege baseline everywhere Privilege creep erodes it over time

Don't forget where the data is

Objective 3.3 pairs the methods with two location-based considerations that show up in scenarios more than you'd expect. Data sovereignty is the legal principle that data is subject to the laws of the country where it physically resides — replicate a European customer database to a US region and you haven't just moved bytes, you've changed which regulators have jurisdiction over them. Geolocation is the operational side: knowing, and controlling, where your data actually lives. Cloud providers make replication one checkbox deep, which is exactly why geographic restrictions belong in the architecture, not in a policy PDF nobody enforces. When a question mentions GDPR, cross-border replication, or "data must remain in-country," it's testing sovereignty — and the control is usually region pinning plus encryption with keys held in the home jurisdiction.

Choosing under pressure

Exam scenarios compress to three cues. State — stolen media points to encryption at rest; interception points to TLS; a person seeing too much on screen points to masking. Recoverability — if the business must read the value back, encryption or tokenization; if it only needs to verify, hashing. Scope — if the goal is shrinking where sensitive data lives at all, tokenization plus segmentation beats encrypting everything in place.

Key takeaways

  • Three states, three defense profiles: at rest (storage encryption), in transit (TLS/IPSec), in use (access control, masking, enclaves).
  • Reversibility is the sorting axis: encryption needs a key, tokenization needs the vault, hashing is one-way, masking protects the display.
  • Granularity matters: FDE for stolen hardware, record/column encryption for compromised database access.
  • Salt your hashes — identical passwords must not produce identical digests.
  • Segmentation and permissions are the floor: every transform method sits on top of least privilege, not instead of it.

Data protection is one module of four in Security+ Domain 3 — Security Architecture also covers architecture models, securing enterprise infrastructure, and resilience. Our Security+ Domain 3 study guide walks all 26 topics with worked scenarios and 60 exam-style questions, or grab the complete Security+ collection.

#SecurityPlus #SY0701 #DataProtection #Encryption #Tokenization #Hashing #DataSecurity #InfoSec #CompTIA #CyberSecurity

Share this article

Keep reading

Enjoyed this? Get the AI security news that matters.

Join The AI Security Brief — the top AI security news, plus what's important to the C-suite. Free, straight to your inbox.

No spam. Unsubscribe anytime.

Security+ Domain 3 · security architecture

Master Security Architecture

Data protection is one module of four in Security+ Domain 3. Study all 26 topics — architecture models, enterprise infrastructure, data protection, and resilience — with our objective-mapped guide.

Get the Domain 3 guide