In general we encrypt data using AES and RSA depending on the nature of the data. In most cases we have a root asymmetric RSA key used to protect symmetric AES keys. The AES keys are used to protect sets of data e.g. site/Org keys, vault keys, etc., and those keys are used to protect tertiary application data like signing keys, tokens, passwords, session containers, etc.
So we have a graph of protected data like the following where each level protects the key below it:
- Site/Org (AES)
- Tertiary (AES)
- data, etc. (usage dependent)
Or put another way, writing AES(data, key) for data encrypted under key:
- AES("yourdata", data-key)
- AES(data-key, tertiary-key) <- optional in some cases
- AES(tertiary-key, site-key)
- RSA(site-key, root-key)
The data key may not be present in some cases, depending on usage. The root key is stored on the application server, away from the database.
With that being said, each product manages encryption slightly differently, because the use cases are totally different and we have to be mindful of design constraints, performance requirements, etc.
As well, key sizes depend on the product version, but generally we use RSA 2048-4096 and AES 128-256. We also use keyed signatures on our encrypted data in various places.
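The chain above as a runnable Go example, added here and not the vendor's code: it assumes RSA-OAEP for the root layer and AES-256-GCM for the AES layers, so each wrapped blob carries its own integrity tag (standing in for the unspecified cipher mode and keyed signatures); randBytes, seal, open, Protect, Recover and NewRoot are names chosen for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
func must[T any](v T, err error) T { // turns stdlib error returns into panics for brevity
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte     { b := make([]byte, n); must(rand.Read(b)); return b }
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func NewRoot() *rsa.PrivateKey   { return must(rsa.GenerateKey(rand.Reader, 2048)) }
// seal wraps pt under kek with AES-GCM, prepending a fresh 12-byte nonce; open reverses it
// and fails on a wrong key or a tampered blob, because the GCM tag no longer verifies.
func seal(kek, pt []byte) []byte {
	nonce := randBytes(12)
	return gcm(kek).Seal(nonce, nonce, pt, nil)
}
func open(kek, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("wrapped blob too short")
	}
	return gcm(kek).Open(nil, blob[:12], blob[12:], nil)
}
// Protect returns the stored chain {RSA(site-key, root-key), AES(tertiary-key, site-key),
// AES(data-key, tertiary-key), AES(data, data-key)} with fresh AES-256 keys for each layer.
func Protect(root *rsa.PublicKey, data []byte) [][]byte {
	site, tert, dk := randBytes(32), randBytes(32), randBytes(32)
	wrappedSite := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, root, site, nil))
	return [][]byte{wrappedSite, seal(site, tert), seal(tert, dk), seal(dk, data)}
}
// Recover walks the chain top-down from the root private key; any broken link is an error.
func Recover(root *rsa.PrivateKey, chain [][]byte) ([]byte, error) {
	cur, err := rsa.DecryptOAEP(sha256.New(), nil, root, chain[0], nil)
	for _, blob := range chain[1:] {
		if err != nil {
			return nil, err
		}
		cur, err = open(cur, blob) // the key unwrapped at this layer opens the next blob
	}
	return cur, err
}
```

Recover shows the two failure modes worth testing: a wrong root key fails at the RSA layer, and a corrupted wrapped key fails the GCM tag check before any lower layer is touched.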