# Application-Level Encryption, Tokenization, Masking, and Key Management > **Intro:** Not every sensitive field needs the same treatment. Teams need a decision framework that separates confidentiality, operational usability, and deletion cost. > > **What this page includes** > > * when to use encryption, tokenization, hashing, or masking > * how key management changes the security story > * what engineers usually underestimate > * how to explain the trade-offs in design review ## Choose the control by use case | Need | Better fit | | -------------------------------------------------- | ------------------------ | | recover the original value later | encryption | | compare or verify without recovery | hashing or keyed hashing | | keep workflows working while hiding the real value | tokenization or masking | | show partial value to operators | masking | ## Application-level encryption Use it when storage-layer encryption is not enough because too many internal systems or operators can still read the raw field. Application-layer encryption narrows who can decrypt, but increases key-management and operational complexity. ## Tokenization Good when downstream systems only need a stable reference and should not see the original value. It also simplifies data minimization in logs, analytics, and support tooling. ## Masking Useful for UI and support workflows, but it is not a substitute for proper data-at-rest or data-in-transit protection. ## Key-management rules * separate key ownership from application ownership where practical; * rotate keys on a schedule and when compromise is suspected; * document re-encryption and rollback paths; * minimize who can both access encrypted data and administer the keys. ## Common mistakes * encrypting fields while leaving raw copies in logs and exports; * using reversible protection when one-way protection would do; * no tested key-rotation plan; * assuming cloud-provider storage encryption alone solves all insider or support-plane access questions. ## Related pages * [Secret Management on HashiCorp Vault](/cloud-kubernetes-and-infrastructure-security/index/vault-secret-management-on-hashicorp-vault.md) *** *Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.* --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.product-security.expert/architecture-api-crypto-and-identity/index-3/application-level-encryption-tokenization-masking-and-key-management.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.