Cryptography in Corporate Networks: What Every CTO Must Know
July 14, 2025 · 10 min read · System Networks
Corporate cryptography is not just "HTTPS is on." It is PKI, certificate lifecycle management, key vaults, backup encryption, and compliance with Russian GOST standards for critical information infrastructure (CII) objects. Here is what matters in practice.
What Must Be Encrypted: Minimum Standard
- Web traffic and APIs: TLS 1.2 minimum, TLS 1.3 recommended. Disable SSL 3.0, TLS 1.0/1.1.
- VPN tunnels: AES-256-GCM or ChaCha20-Poly1305. GOST required for CII subjects.
- Server hard drives: LUKS (Linux), BitLocker (Windows), hardware SED encryption.
- Backups: AES-256 before writing. Keys stored separately from data.
- Databases: TDE (Transparent Data Encryption) or application-level encryption.
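As an added example (not code from the original article), the TLS item of the checklist above can be checked mechanically against a web server configuration. nginx and its `ssl_protocols` directive are assumptions, since the article names no web server; the sample configuration and host names are constructed.

```python
import re

# Policy from the checklist: SSL 3.0 and TLS 1.0/1.1 off,
# TLS 1.2 minimum, TLS 1.3 recommended.
FORBIDDEN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTED = {"TLSv1.2", "TLSv1.3"}

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1.2 TLSv1.3;   # inherited by servers without their own
    server {
        server_name legacy.example.internal;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    }
    server {
        server_name api.example.internal;
        ssl_protocols TLSv1.2;
    }
}
"""

def audit_ssl_protocols(conf_text):
    """Return (line_no, severity, message) for each non-compliant ssl_protocols line."""
    findings, seen = [], False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"ssl_protocols\s+([^;]+);", line)
        if not m:
            continue
        seen = True
        protos = set(m.group(1).split())
        bad = sorted(protos & FORBIDDEN)
        if bad:
            findings.append((no, "FAIL", "legacy protocols enabled: " + " ".join(bad)))
        if not protos & ACCEPTED:
            findings.append((no, "FAIL", "neither TLSv1.2 nor TLSv1.3 enabled"))
        elif "TLSv1.3" not in protos:
            findings.append((no, "WARN", "TLSv1.3 not enabled (recommended)"))
    if not seen:
        # Without the directive the built-in default applies, which differs by nginx version.
        findings.append((0, "WARN", "no ssl_protocols directive; version default applies"))
    return findings

if __name__ == "__main__":
    for no, severity, message in audit_ssl_protocols(SAMPLE_CONF):
        print(f"line {no}: {severity}: {message}")
```

The check covers only the configured protocol list; confirming what a listener actually negotiates still requires a scan of the running service.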
When GOST Encryption Is Mandatory in Russia
⚠️ GOST-Certified CIPF Required For:
- CII subjects (187-FZ)
- State Information Systems (GIS)
- Classified information processing
- FSB/FTS specific requirements
AES/RSA sufficient for:
- Commercial companies without CII
- 152-FZ personal data (below UZ-1)
- International operations
- Backup encryption