Encryption Policies for Companies
What a practical encryption policy should contain, from algorithms and key management to ownership and auditing responsibilities.
Why you need a written encryption policy
Encryption is not just a library call; it is an organisational decision. Without a policy, teams:
- Pick random algorithms and modes.
- Handle keys ad hoc in code and config.
- Log secrets accidentally.
Regulators and auditors (ISO 27001, SOC 2, GDPR, HIPAA, PCI) expect a documented view of:
- Where encryption is used.
- Which algorithms and key lengths are allowed.
- Who owns key management and reviews.
The policy does not need marketing language. It should be a technical and operational contract between engineering, security, and the business.
Core elements of an encryption policy
A minimal, useful encryption policy covers:
- Scope:
- Which systems and data types are in scope (production, backups, endpoints, SaaS tools).
- Algorithms and parameters:
- Approved ciphers (for example, AES-256-GCM).
- Key derivation functions (for example, PBKDF2 with 310k iterations for password-based keys).
- Protocols (TLS versions, cipher suites).
- Key management:
- How keys are generated, stored, rotated, and revoked.
- Who is allowed to access or operate key-management systems.
- Data classification:
- Which classes of data must be encrypted in transit and at rest.
- Any exceptions and how they’re justified.
The result should be something engineers can implement directly and auditors can map to standards like ISO 27001.
Choosing algorithms and implementations
Your policy should be explicit about what is allowed:
- Symmetric encryption:
- Use AES-256 in an authenticated mode; AES-256-GCM is a standard choice.
- Key derivation:
- For password-based keys, use PBKDF2 with a high iteration count (for example, 310k iterations, as we use in Inkrypt).
- For machine-generated keys, use secure RNGs and avoid reusing keys across unrelated contexts.
- Implementation guidance:
- Prefer platform primitives like the Web Crypto API in browsers over custom crypto.
- Ban home-grown algorithms and unreviewed libraries.
In Inkrypt, we follow exactly this pattern:
- PBKDF2 (310k iterations) in the browser.
- AES-256-GCM via the Web Crypto API.
- Zero-knowledge: keys and passwords never leave the client.
For more detail on that approach:
- See “Zero-knowledge encryption: what it actually means when we can't see your data”.
- See “Why we encrypt in the browser (and what happens to your password)”.
Key management and ownership
The hardest part of encryption is not the cipher; it is key management. Your policy should specify:
- Key storage:
- Hardware security modules (HSMs), cloud KMS, or other vaults.
- Strict separation between where ciphertext and keys live.
- Access control:
- Who can request decryption operations.
- How access is granted, reviewed, and revoked.
- Rotation and expiry:
- How often keys are rotated.
- How old keys are archived or destroyed.
For systems that use client-side, zero-knowledge encryption (like Inkrypt):
- The company never sees customer decryption keys.
- Users are fully responsible for remembering passwords.
- Your policy can explicitly state that no administrative override exists for those systems.
That split—central key management for some systems, zero-knowledge for others—should be intentional and documented.
Integrating tools like Inkrypt into your policy
If you adopt Inkrypt as a secure note layer:
- Document that:
- Notes are encrypted client-side using AES-256-GCM via the Web Crypto API.
- Keys are derived from passwords with PBKDF2 at 310k iterations.
- The service stores only ciphertext, salt, IV, and metadata—not passwords or keys.
- Specify:
- Which data classifications are allowed in Inkrypt.
- How links and passwords should be shared (for example, out-of-band channels).
- How expiry and view limits should be configured for different use cases.
And link your policy to your operational runbooks so that engineers know when to choose a zero-knowledge tool like Inkrypt versus internal, account-based storage.
FAQ: Encryption policies for companies
Q1. Do small companies really need an encryption policy?
Yes. It can be short, but you still need to define which data must be encrypted, which algorithms are allowed, and who owns decisions. It’s a requirement for most security certifications and a practical guide for engineers.
Q2. Should our policy specify exact algorithms like AES-256-GCM and PBKDF2?
Yes. Being explicit avoids accidental use of weak or deprecated options. You can also define a process for updating the list as standards evolve.
Q3. How do we document zero-knowledge tools like Inkrypt?
Describe that encryption happens client-side, keys never leave the client, and the provider stores only ciphertext and parameters. Clarify responsibilities: users must protect passwords because the provider cannot recover them.
Q4. Who should own the encryption policy?
Typically the security team or CISO, in collaboration with engineering and operations. Ownership includes maintaining the policy and verifying that systems conform to it.
Q5. How detailed should the policy be for developers?
Detailed enough that developers can implement systems without guessing: clear algorithm lists, key management expectations, and when to use tools like KMS, HSMs, or zero-knowledge services such as Inkrypt.
Where to go next
To see how a real zero-knowledge, client-side encrypted system is designed:
- Read “Zero-knowledge encryption: what it actually means when we can't see your data”.
- Read “Why we encrypt in the browser (and what happens to your password)”.
If you want a concrete example of a tool to reference in your encryption policy, start using Inkrypt at https://www.inkrypt.online for encrypted, policy-aligned note taking and secret sharing.