Best practices for (symmetric) encryption in .Net?

Backend · Unresolved · 4 · 2001
离开以前 2021-02-01 09:12

What is considered "best practice" for encrypting certain sensitive or personally identifiable data in a SQL database (under PCI, HIPAA, or other applicable compliance standar

4 answers
  •  抹茶落季
    2021-02-01 09:59

    Taken from a more generic list of best practices, the OWASP Cryptographic Storage Cheat Sheet:

    • Use strong approved cryptographic algorithms
      • Do not implement an existing cryptographic algorithm on your own
      • Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing
      • Do not use weak algorithms, such as MD5 or SHA1
      • Avoid hashing for password storage, instead use Argon2, PBKDF2, bcrypt or scrypt
    • Use approved cryptographic modes
      • In general, you should not use AES, DES or other symmetric cipher primitives directly. NIST approved modes should be used instead. Quote from NIST: "The approved algorithms for encryption/decryption are symmetric key algorithms: AES and TDEA."
    • Use strong random numbers
    • Ensure that any secret key is protected from unauthorized access

    Also, according to this Cisco article:

    • DES is to be avoided and so is RSA-768, -1024
    • RSA-2048 and RSA-3072 are acceptable
    • AES-CBC mode is acceptable, while
    • AES-GCM mode is part of the Next Generation Encryption.
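An added example (my own code, not from the answer above or from OWASP/Cisco) of putting the AES-GCM, strong-random-number and key-protection points into practice for one sensitive database column in .NET 8 or later; the `FieldCrypto` class, the `customer:1042` row key and the test card number are assumptions for illustration, and the key source is left to a vault or HSM.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the thread): one DB field encrypted with AES-256-GCM, a NIST-approved AEAD mode.
// Column layout per record: nonce (12 bytes) || tag (16 bytes) || ciphertext.
public static class FieldCrypto
{
    private const int NonceSize = 12; // 96-bit nonce, the GCM standard size
    private const int TagSize = 16;   // 128-bit authentication tag

    // key: 32 bytes (AES-256) loaded from a key vault, DPAPI or HSM, never hard-coded.
    // associatedData: e.g. the row's primary key, so a ciphertext copied into
    // another row fails authentication instead of decrypting silently.
    public static byte[] Encrypt(byte[] key, string plaintext, byte[] associatedData)
    {
        byte[] plain = Encoding.UTF8.GetBytes(plaintext);
        byte[] blob = new byte[NonceSize + TagSize + plain.Length];
        Span<byte> nonce = blob.AsSpan(0, NonceSize);
        Span<byte> tag = blob.AsSpan(NonceSize, TagSize);
        Span<byte> cipher = blob.AsSpan(NonceSize + TagSize);
        RandomNumberGenerator.Fill(nonce); // fresh CSPRNG nonce per message; never reuse under one key
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, plain, cipher, tag, associatedData);
        return blob;
    }

    public static string Decrypt(byte[] key, byte[] blob, byte[] associatedData)
    {
        ReadOnlySpan<byte> nonce = blob.AsSpan(0, NonceSize);
        ReadOnlySpan<byte> tag = blob.AsSpan(NonceSize, TagSize);
        ReadOnlySpan<byte> cipher = blob.AsSpan(NonceSize + TagSize);
        byte[] plain = new byte[cipher.Length];
        using var aes = new AesGcm(key, TagSize);
        aes.Decrypt(nonce, cipher, tag, plain, associatedData); // throws CryptographicException if the tag fails
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // demo only; production keys come from the vault
        byte[] rowId = Encoding.UTF8.GetBytes("customer:1042"); // constructed sample row key
        byte[] blob = Encrypt(key, "4111 1111 1111 1111", rowId); // well-known test PAN, not real data
        Console.WriteLine(Decrypt(key, blob, rowId));
        blob[^1] ^= 0x01; // flip one ciphertext bit to simulate tampering or a wrong-row copy
        try { Decrypt(key, blob, rowId); }
        catch (CryptographicException) { Console.WriteLine("tag check failed: data rejected"); }
    }
}
```

Store the whole blob in a VARBINARY column; because the nonce and tag travel with the ciphertext, no per-row state other than the blob and the key identifier is needed.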
