Link encryption is a security method used on communications networks to protect data in transit between individual computers, one link at a time. With this method, the data is encrypted and decrypted by each piece of hardware along the path, such as network routers or other specialized devices, so that each link carries the traffic under its own key. When a communications link is encrypted in this way, the entire transmission, headers included, is hidden from anyone listening on that link, whereas other encryption schemes leave the addressing information exposed even though the payload is protected. The method may also be referred to as link level encryption, or link layer encryption, because everything happens at a lower layer of the Open Systems Interconnection (OSI) model, the data link layer.
As data packets, the units of data sent over network connections, leave the network interface, the entire packet is encrypted. Link encryption is unique in this way because the packet's header, which carries the origin and destination addresses, is encrypted along with the actual data payload. The secure packets are then sent across the line until they reach the next device along the way, which decrypts the packet, reads the address information from the header and checks whether it is the intended recipient. If the packet hasn't reached its destination yet, it is encrypted again, under the key for the next link, and sent on its way. Note that each intermediate device therefore holds the whole packet in plaintext, however briefly, between decrypting it and re-encrypting it.
This is handy for keeping the transmission safe against someone attempting to eavesdrop on the line or capture the packets for analysis. Because the headers are encrypted too, an eavesdropper on a link cannot tell who the data came from, where it is headed, or which path it took, which frustrates traffic analysis as well as disclosure of the content. The process is also largely free of human error because it happens automatically in the network hardware, transparent to the applications, saving the user from having to remember to encrypt her communications and making it well suited to large, regular data transmissions that need to be secure.
There are a few shortcomings to the approach. Link encryption does not work well on public networks such as the Internet, where the sender has no control over the routers along the path and cannot expect each of them to hold a key for the next link. Many who use the method will only use it over dedicated, leased lines, where greater control over the hardware along the path can be achieved. It also means that the keys used to encrypt and decrypt the data have to be maintained on multiple devices, and that every intermediate device handles the packet in plaintext, so each point along the path is a potential point of compromise should an attacker gain access to one of the devices along the route.
One way around these limitations is a method known as superencryption, in which the user encrypts the data payload at the application layer and the packet, headers included, is then encrypted again as it goes out onto the link. The additional layer in a superencryption is end-to-end encryption. The primary difference between it and link encryption is that the end-to-end method allows the data to traverse an unsecured network, because the keys for encryption and decryption are known only at the two ends of the transfer rather than at every device in between. The addressing and routing information in the headers is still visible to an eavesdropper, but the primary data payload remains safe. With superencryption, where both end-to-end and link encryption are used, the headers travel in the clear at most as far as the local router before they enter the encrypted link for transport, and the payload stays protected the whole way, even inside a device on the route that an attacker has compromised.
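The hop-by-hop mechanics described above, the exposure inside an intermediate device, and the superencryption variant can be seen side by side in the following simulation. It is an added example written for this page, not code from the article or from any particular product. It models a constructed four-node path A -> R1 -> R2 -> B with a fresh random key per link; the node names, keys and sample message are assumptions. The cipher is an encrypt-then-MAC construction built only from the Python standard library (an HMAC-SHA256 keystream plus an HMAC tag) and stands in for an AEAD such as AES-GCM so the script runs without third-party packages.

```python
"""Link encryption vs end-to-end encryption vs superencryption (constructed demo)."""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 12, 32


def make_key() -> bytes:
    return os.urandom(32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keystream and MAC keys derived from one link or session key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in AEAD: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: frame modified or wrong link key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def pack(src: str, dst: str, payload: bytes) -> bytes:
    # A packet is its header (source and destination addresses) plus a payload.
    return json.dumps({"src": src, "dst": dst, "payload": payload.hex()}).encode()


def unpack(frame: bytes):
    d = json.loads(frame)
    return d["src"], d["dst"], bytes.fromhex(d["payload"])


def make_link_keys(path):
    # One key per physical link, known only to the two devices it joins.
    return {(a, b): make_key() for a, b in zip(path, path[1:])}


def transmit(path, link_keys, payload: bytes):
    """Hop-by-hop link encryption of one packet from path[0] to path[-1].

    Returns (payload delivered to the last node,
             list of (link, ciphertext) an eavesdropper on each link captures,
             dict of (src, dst, payload) each intermediate device holds in the clear).
    """
    frame = pack(path[0], path[-1], payload)
    wire, node_views = [], {}
    for hop, nxt in zip(path, path[1:]):
        blob = encrypt(link_keys[(hop, nxt)], frame)  # hop encrypts the whole packet
        wire.append(((hop, nxt), blob))
        frame = decrypt(link_keys[(hop, nxt)], blob)  # nxt decrypts it to read the header
        src, dst, pl = unpack(frame)
        if nxt != dst:                                 # not ours: loop re-encrypts for next link
            node_views[nxt] = (src, dst, pl)
    return unpack(frame)[2], wire, node_views


def transmit_end_to_end_only(path, e2e_key: bytes, payload: bytes):
    """End-to-end encryption alone: the header crosses every link in the clear."""
    frame = pack(path[0], path[-1], encrypt(e2e_key, payload))
    _src, _dst, inner = unpack(frame)
    return decrypt(e2e_key, inner), frame


def transmit_superencrypted(path, link_keys, e2e_key: bytes, payload: bytes):
    """Superencryption: end-to-end encrypt the payload, then link-encrypt every hop."""
    inner = encrypt(e2e_key, payload)
    delivered, wire, node_views = transmit(path, link_keys, inner)
    return decrypt(e2e_key, delivered), wire, node_views


if __name__ == "__main__":
    path = ["A", "R1", "R2", "B"]
    keys, e2e = make_link_keys(path), make_key()
    msg = b"transfer 100 to account 42"  # constructed sample message
    got, wire, views = transmit(path, keys, msg)
    print("link only: delivered", got == msg, "| R1 sees", views["R1"])
    print("  header visible on wire?", any(b'"dst"' in blob for _, blob in wire))
    got, frame = transmit_end_to_end_only(path, e2e, msg)
    print("e2e only:  delivered", got == msg, "| on the wire:", frame[:24], b"...")
    got, wire, views = transmit_superencrypted(path, keys, e2e, msg)
    print("super:     delivered", got == msg, "| R1 sees header", views["R1"][:2],
          "and only ciphertext for the payload")
```

Running it shows the three trade-offs the text describes: under link encryption alone nothing on the wire reveals the addresses, but a compromised R1 holds the full plaintext packet; under end-to-end encryption alone the `"dst"` field is readable on every link; under superencryption R1 still learns the addresses but the payload it forwards is ciphertext it has no key for.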