Cryptography for Data Security: How to Secure Your Big Data with RSA and AES

Reading time: 30 minutes

Cover image source: Source

Storing sensitive data — from customer records to scientific datasets — comes with serious responsibility. You must ensure that the data remains confidential, even in the event of a breach. That’s where cryptography step in.

For example, consider a healthcare analytics company that processes large volumes of patient records, lab results, and diagnostic images. These files often need to be stored securely in the cloud and shared across systems or departments. Using a hybrid cryptographic system, where AES efficiently encrypts the bulk data and RSA secures the encryption keys to ensures that sensitive information remains unreadable to attackers, even if storage systems are compromised.

In this post, we’ll explore how to secure large data sets using a hybrid cryptographic system that combines the strength of RSA and AES.

Why Not Just Use RSA or AES Alone?#

RSA is excellent for key exchange, but inefficient for encrypting large files.
AES is fast and efficient for encrypting data, but requires secure key sharing.

So, we combine them:

Use AES to encrypt the large data.
Use RSA to encrypt the AES key.

This is how most real-world systems (including HTTPS) works.

Step-by-Step Encryption Process#

Step 1: Generate AES Key#

AES (Advanced Encryption Standard) works with a symmetric key. We’ll generate a random 256-bit key.

Step 2: Encrypt Data with AES#

The bulk of the data is encrypted using this AES key.

Step 3: Encrypt AES Key with RSA#

Use the recipient’s RSA public key to encrypt the AES key, enabling secure key exchange.

Step 4: Save Encrypted Data + Encrypted Key#

Store both in a secure format, ready for transfer or storage.

Mathematical Recap#

AES (Symmetric Encryption)#

For data block $M$ and key $K$ , the ciphertext $C$ is:

C = \text{AES}_K(M)

Decryption:

M = \text{AES}^{-1}_K(C)

RSA (Asymmetric Key Encryption)#

Given a key pair:

Public key: $(e, n)$
Private key: $(d, n)$

To encrypt the AES key $K$ :

K_{\text{enc}} = K^e \mod n

To decrypt:

K = K_{\text{enc}}^d \mod n

Example Case#

Real-World Use Case: Securing Cloud Storage for Patient Data#

Imagine you’re working with a healthcare dataset like the Disease Symptoms and Patient Profile dataset, which contains sensitive information such as patient age, gender, medical conditions, and reported symptoms. This type of data is not only subject to strict privacy regulations (e.g., HIPAA, GDPR) but is also a prime target for misuse if exposed.

Suppose you need to store this data securely on private cloud, a shared institutional server, or a cloud-based data lake. To protect patient confidentiality even in the event of a storage breach, you can use a hybrid encryption strategy:

Use AES to encrypt the dataset efficiently before uploading. AES is ideal for encrypting large tabular files or JSON records.
Use RSA to encrypt the AES key with each authorized user’s public key, ensuring that only intended recipients can decrypt the data.
Manage access securely by distributing private RSA keys only to verified and authorized personnel.

This way, even if the encrypted file is accessed by an unauthorized party, the data remains unreadable and secure, reinforcing both technical and regulatory safeguards for handling medical records.

Enough talking, lets try the secure data transport. You will need to install pycryptodome for this.

1
pip install pycryptodome

Encrypting Data#

To protect sensitive patient records before storage or transfer, we apply hybrid encryption using the AES and RSA algorithms. In this example, we load a real-world healthcare dataset containing patient profiles and symptoms, and encrypt it in a secure, efficient way. AES is used to encrypt the actual dataset due to its speed and suitability for large files, while RSA encrypts the AES key to ensure that only authorized users can decrypt the data. The result is a JSON package containing all encrypted components, which can safely be stored or shared without exposing the original records.

1
from Crypto.Cipher import AES, PKCS1_OAEP
2
from Crypto.PublicKey import RSA
3
from Crypto.Random import get_random_bytes
4
import base64
5
import json
6
import pandas as pd
7

8
# Load patient dataset from CSV
9
df = pd.read_csv("/content/Disease_symptom_and_patient_profile_dataset.csv")
10

11
# Convert dataset to JSON string (compact)
12
data_string = df.to_json(orient='records')  # a list of patient dicts
13

14
# Save raw JSON to plaintext file (optional)
15
with open("plaintext_data.txt", "w") as f:
16
    f.write(data_string)
17

18
# Convert to bytes for encryption
19
data = data_string.encode('utf-8')
20

21
# Generate RSA key pair
22
key = RSA.generate(2048)
23
private_key = key
24
public_key = key.publickey()
25

26
# Generate AES key
27
aes_key = get_random_bytes(32)  # AES-256
28

29
# Encrypt data with AES
30
cipher_aes = AES.new(aes_key, AES.MODE_EAX)
31
ciphertext, tag = cipher_aes.encrypt_and_digest(data)
32

33
# Encrypt AES key with RSA
34
cipher_rsa = PKCS1_OAEP.new(public_key)
35
enc_aes_key = cipher_rsa.encrypt(aes_key)
36

37
# Store encrypted package
38
secure_package = {
39
    'enc_key': base64.b64encode(enc_aes_key).decode(),
40
    'nonce': base64.b64encode(cipher_aes.nonce).decode(),
41
    'tag': base64.b64encode(tag).decode(),
42
    'ciphertext': base64.b64encode(ciphertext).decode()
43
}
44

45
# Write encrypted output
46
with open("encrypted_package.json", "w") as f:
47
    json.dump(secure_package, f)
48

49
# Save private key
50
with open("private_key.pem", "wb") as f:
51
    f.write(private_key.export_key())
52

53
# Optionally save public key too
54
with open("public_key.pem", "wb") as f:
55
    f.write(public_key.export_key())
56

57
print("Patient dataset encrypted and saved.")

Decrypting Data#

To access the original patient records, an authorized user with the correct RSA private key can decrypt the AES key and subsequently decrypt the dataset. This process make sure that only individuals with the proper credentials can recover the original information. In the following code, we reverse the encryption process by loading the encrypted package, decrypting the AES key using RSA and then decrypting the patient data using AES. Finally, we verify data integrity by comparing SHA-256 hashes of the decrypted output with the original file.

1
import json
2
import base64
3
import hashlib
4
from Crypto.PublicKey import RSA
5
from Crypto.Cipher import AES, PKCS1_OAEP
6

7
# Load encrypted package
8
with open("encrypted_package.json", "r") as f:
9
    secure_package = json.load(f)
10

11
# Load private RSA key
12
with open("private_key.pem", "rb") as f:
13
    private_key = RSA.import_key(f.read())
14

15
# Step 1: Decrypt AES key
16
cipher_rsa = PKCS1_OAEP.new(private_key)
17
aes_key = cipher_rsa.decrypt(base64.b64decode(secure_package['enc_key']))
18

19
# Step 2: Decrypt the data using AES
20
cipher_aes = AES.new(aes_key, AES.MODE_EAX, nonce=base64.b64decode(secure_package['nonce']))
21
plaintext = cipher_aes.decrypt_and_verify(
22
    base64.b64decode(secure_package['ciphertext']),
23
    base64.b64decode(secure_package['tag'])
24
)
25

26
# Step 3: Write decrypted output to file
27
with open("decrypted_data.txt", "wb") as f:
28
    f.write(plaintext)
29

30
# Step 4: Define SHA-256 hash function
31
def sha256(filepath):
32
    h = hashlib.sha256()
33
    with open(filepath, "rb") as f:
34
        while chunk := f.read(8192):
35
            h.update(chunk)
36
    return h.hexdigest()
37

38
# Step 5: Compare original and decrypted hashes
39
original_hash = sha256("plaintext_data.txt")
40
decrypted_hash = sha256("decrypted_data.txt")
41

42
print("Original Hash:  ", original_hash)
43
print("Decrypted Hash: ", decrypted_hash)
44

45
if original_hash == decrypted_hash:
46
    print("Success: The decrypted file matches the original.")
47
else:
48
    print("Error: The decrypted file does not match the original.")

If the data matched, you will find result like this

1
Original Hash:   6b552ead432c7d3c2dee6cf61283a49f4cdd779da158eac7e7d74b5a83646f7f
2
Decrypted Hash:  6b552ead432c7d3c2dee6cf61283a49f4cdd779da158eac7e7d74b5a83646f7f
3
Success: The decrypted file matches the original.

We’ve built a secure and scalable encryption system suitable for protecting sensitive healthcare datasets — such as patient profiles, symptoms, and medical conditions. This hybrid approach ensures that even if the storage medium is compromised, the data remains protected through strong encryption and controlled key access.

This workflow is valuable for data-heavy domains like healthcare, finance, and research, where confidentiality and compliance are critical. Whether you’re storing data in the cloud or sharing it across organizational boundaries, hybrid encryption provides a robust, standards-based solution to safeguard sensitive information at rest and in transit.

Final Thoughts#

In this era where data breaches are increasingly common and regulations around data privacy are stricter than ever, building cryptographic safeguards into your data pipeline is no longer optional — well, it’s essential. This post demonstrated how hybrid encryption using RSA and AES can be applied to real-world healthcare datasets to enforce confidentiality, integrity, and access control.

By encrypting sensitive records before they leave your laptop and securing encryption keys with asymmetric cryptography, you reduce the risk of exposure even in untrusted environments like public cloud storage or shared infrastructure. Whether you’re handling patient profiles, financial reports, or proprietary models, this approach scales well and aligns with best practices for modern data security.

Cryptography doesn’t need to be abstract or overly academic — well, don’t worry about that — with the right tools and understanding, it’s a practical and powerful friend in keeping your data safe.