Jan 29 2026
Security

How Can Public and Private Key Encryption Protect Private Data?

Small businesses can bolster their security strategy by enforcing stricter user authentication.
Teta Alim
by

Teta Alim is the managing editor of HealthTech. Teta previously worked as a digital journalist in Washington, D.C.

As part of daily operations, small businesses may need to collect or exchange sensitive data that should be protected. It could be a financial transaction, a mailing address or some other personally identifiable information. Whatever the case, the small business will want to ensure that data is secure

Public and private key cryptography is a powerful solution. The former (asymmetric cryptography) involves a pair of keys that can be shared openly between users to encrypt messages, while the latter (symmetric cryptography) involves a single key that must be closely protected for encryption and decryption. 

Mike Fleck, senior director of product and solutions marketing at digital security company DigiCert, says that businesses can utilize these processes regularly online. 

“Perhaps the most obvious one is the certificate for their website: Without a valid certificate, users will either not be able to connect to the business’ website, or the users will get an alarming security warning if they are able to connect,” Fleck says. “Another common one is e-signing a document. That super convenient point-and-click process we use to execute documents uses public key infrastructure behind the scenes. Although in the most common workflow, we’re trading convenience for strong identity verification.” 

Here’s what small businesses should know about public key infrastructure, how key pairs work, best practices and more.

Click the banner below to read the recent CDW Cybersecurity Research Report.

x_security_q325_animated_click_desktop_01 x_security_q325_animated_click_mobile_01

 

What Is Public Key Infrastructure (PKI)? 

Public key infrastructure (PKI) is the system used to create and manage public keys for encryption, which is a process used to secure online data exchange. It’s typically built into public web browsers that most people use. 

“That little lock icon means your browser verified the website’s certificate and then used key pairs to create a secure, encrypted connection. It’s a great example of PKI doing exactly what it’s meant to do — quietly establishing trust in the background,” Fleck says. 

PKI relies on two core technologies: public/private key pairs and the digital certificates linked to them. “The key pairs provide the ability to encrypt and decrypt data, while the digital certificates prove the identity of the person or system that holds the keys,” he says. 

He adds that while it may seem arcane, PKI is foundational to every digital interaction, and small businesses should understand PKI as the “quiet trust” behind online transactions, communications, documentation signing and other digital interactions. 

“As leaders, they should check that their teams have the skills and resources they need to manage PKI efficiently, without creating security or operational risks. Because when PKI breaks, it does not break silently. It often causes outages and security warnings, at best,” Fleck says. 

LEARN MORE: What’s the minimum viable cybersecurity setup for an SMB with limited cash flow?

How Public and Private Keys Work Together to Protect Data 

In public-private key pairs, the public key can be shared freely while the private key is kept secret. Data encrypted with one key can only be decrypted with the other. 

Fleck shares this classic example: Bob can encrypt data using Alice’s public key but only Alice can decrypt it using her private key. “It’s the ability for people or systems that don’t ‘know’ each other to encrypt information without sharing their secret keys that makes public-private key pairs so powerful,” he adds. 

But how can Bob be sure that he’s really dealing with Alice? That’s where digital certificates can assure trust. “A certificate links a public key to a real person, business or device and is issued by a trusted authority. In other words, the certificate answers the question, ‘Who does this public key actually belong to?’ Without certificates, you might have encryption but no reliable way to know that the person of machine on the other end is authentic,” Fleck says.

Click the banner below to discover how partners help small businesses succeed.

bt-priorities-smlbiz-animated-2024-desktop_1.gif bt-priorities-smlbiz-animated-2024-mobile_1.gif

 

Key Algorithms and Cryptographic Methods 

Fleck says business leaders should know there are prevailing methods to secure data with encryption, and that those methods will change based on security research or advances in technology, such as quantum computing. The National Security Agency also publishes its Commercial National Security Algorithms, which Fleck uses as a cheat sheet for quick algorithms and guidance on what key strengths to use. 

More broadly, there are three well-known approaches: 

RSA 

The Rivest Shamir Adleman (RSA) algorithm is likely the most well-known, and considered foundational to public key cryptography. According to Cohesity, “Today, different systems use RSA encryption, including OpenSSL, cryptlib, wolfCrypt, and other cryptographic libraries. RSA is also widely used in web browsers, email chats, VPNs and other communication channels.”  

DSS 

A Digital Signature Standard (DSS) is a recognized standard for certain algorithms used when a digital signature is required. It was developed by the U.S. National Security Agency

ECC 

Often discussed in context with RSA, Elliptic Curve Cartography (ECC) “generates security between key pairs for public key encryption by using the mathematics of elliptic curves,” according to VMware

DISCOVER: Here are four security trends to watch in 2026.

Best Practices for Key Management 

There are a lot of aspects to managing PKI well, but if Fleck says if he had to narrow it down to three recommendations, this is what he’d suggest: 

  • Protect those private keys. Keys and certificates used for code signing, proper document signing and roots of trust should be stored in specialized hardware.
  • Know where all your keys and certificates are, and understand their relevance to your business. This will help you understand which keys/certificates you need to manage vs. which you can destroy.
  • Have documented processes and procedures for managing keys and certificates. Make sure to continuously revisit and improve things based on changes to your business. 

PKI can play a crucial role in identity and access management by securing user identities and ensuring system access for authorized users. 

Risks and Limitations 

For small businesses, the most common risk is an outage of a system that is needed to conduct operations, Fleck says. This risk can usually be traced to an expired certificate, which is usually caused by a failure to renew it in time. If that’s the risk, then the limitation is ensuring that you have the ability to manage the lifecycles of keys and certificates. “Make sure your team has what they need to do that, and you’ll go a long way to eliminating the risk of outages,” he says. 

Another risk highlighted by Fortinet is unsecured digital identities, failed audits or compromised certificate authorities that can result in leaked data. To mitigate against such risk, it’s advised to have a team that is dedicated to managing PKI, rather than leaving it an unattended responsibility.

EXPLORE: Get the answers to five questions about security debt for small businesses.

FG Trade/Getty Images

More On

Related Articles

Close

New Workspace Modernization Research from CDW

See how IT leaders are tackling workspace modernization opportunities and challenges.

Click Here to Read the Report