Encryption is only as good as the key life‑cycle. I stick to AES‑256 with authenticated modes, rotate keys quarterly, and never touch anything that isn’t RFC‑standard. Anything custom or weak is a liability I don’t entertain. The rest of the job? Just keep the logs clean and the firewalls tight.