VPN encryption is one of the most important security features we always recommend paying attention to when comparing and buying a VPN.
Space permitting, we usually give a brief overview of VPN encryption in our reviews. We also point out the best VPNs all use the highest possible encryption standard.
However, if you find yourself wishing you knew more, then this beginner’s guide is the answer you’ve been waiting for!
You don’t need to read them before tackling this guide, but don’t forget to check them out if you want to learn even more.
What is VPN Encryption?
Let’s start with the big question.
VPN encryption is plainly an encryption method used by a VPN provider, but the same kind of encryption can be found elsewhere.
For example, we often use the terms “military-grade” or “bank-grade” encryption to describe the highest encryption standards, because the same encryption is used by those institutions.
“Okay,” we hear you ask, “but what is encryption?”
Encryption is, very simply, a method of changing the way information looks so anyone who isn’t authorized to read it won’t be able to.
It does this by generating an encryption key, which only the user and the end destination have copies of.
Why Does a VPN Need Encryption?
Without encryption, the purpose of a VPN is gone.
This is because VPN encryption is one of the primary security features that, together with transmission control protocols and VPN protocols, determines how your data is sent over the internet.
Without the encryption in place, your ISP, the government, hackers, and other third-party trackers are able to read the data being sent – potentially including your passwords and bank account details.
As long as the VPN tunnel (or connection) is encrypted, none of that can happen unless those internet spies hack the encryption key. This is exactly why you want to have the best encryption standards, which cannot be hacked.
How Does VPN Encryption Work?
“AES” stands for “Advanced Encryption Standard.”
256-bit AES is the most secure encryption standard available for public use and has been adopted by the government as the federal standard.
This is because 256-bit AES simply cannot be hacked. It would take billions of years to decipher the encryption keys used.
AES uses the symmetric-key encryption method, which means the same encryption key is used for encrypting and decrypting your data.
The VPN protocol being used determines exactly how the encryption keys are exchanged between your device and the website server you’re connecting to when online.
When your data enters the VPN tunnel, AES encrypts it for you and sends the encryption keys at the same time. Because it’s a block cipher, 256-bit AES sends a total of 256 keys at the same time, all of which need to be used to decrypt the data.
Think of it this way: 256-bit AES breaks up your plaintext data into 256 “chunks” or “blocks” that get sent down the VPN tunnel. Each one of those data blocks carries its own key – which is exactly why it’s impossible to crack.
Is 256-bit AES Really That Safe?
There’s a reason it’s the federal standard!
As mentioned earlier, it’s estimated it would take billions of years to hack 256-bit AES. And that’s using the fastest computer with the most advanced brute force software.
You’re probably wondering more about whether it’s really that much better than 128-bit AES, though, right?
This is somewhat up for debate.
The NSA switched from 128-bit to 256-bit AES as its the recommended encryption standard for their own documents, but some security experts don’t think it’s all that much more secure than its predecessor.
A lot of people are always wary of the NSA (for good reason) and think the only way the agency would ever approve of or recommend an encryption standard is if they already figured out a backdoor for hacking the algorithm.
At the end of the day, the debate doesn’t really have any conclusive answer. We simply don’t know whether 256-bit AES is all that much stronger than 128-bit AES.
However, we will continue recommending 256-bit AES as the best current encryption standard and suggest you stick to it.
Regardless of native strength, the fact remains undisputed it would take twice as long to hack 256-bit AES than it would to hack 128-bit.
So if 128-bit AES is the highest encryption standard a VPN offers, you’ll want to avoid that VPN.
If It Takes That Long to Hack 256-bit AES, How Would the NSA Have a Backdoor?
The key principle behind the length of time it takes to hack an encryption standard is the way it’s been implemented by the service provider.
After all, if it hasn’t been properly implemented, then it’s not working as 256-bit AES. Depending on how badly it was implemented, it could be operating as 192-bit or 128-bit AES.
Worst-case scenario, it might not even be working that well!
So if the VPN encryption isn’t properly implemented, the NSA (or anyone else with the necessary know-how) would be able to bypass the encryption method.
In a 2012 blog post, public-interest technologists and Electronic Frontier Foundation (EFF) board member Bruce Schneier explained this is the reason he doesn’t believe the NSA has a backdoor.
Instead, he believes it’s more likely they target the key generation systems and take advantage of those that aren’t any good at generating random numbers (thus creating a pattern that can be exploited) and/or have bad passwords.
This is why we try to dig into the background of a VPN provider.
If the people who built and manage the VPN don’t have the necessary expertise to properly implement 256-bit AES, then they have no business offering a VPN service in the first place.
And if the parent company is known to engage in dodgy practices, then we advise you to stay away too.
(Shameless plug: this is why we do our VPN reviews in the first place. We don’t trust most VPN review sites to do their homework, as most of them are being paid by the VPN providers for their reviews.)
One Last Thing…
Just because 256-bit AES is the most advanced, secure VPN encryption currently available right now, doesn’t mean it always will be.
We might see something like a 1024-bit AES in the future.
More importantly, quantum computing is changing the world of technology. Because they use something called quantum bits (or qubits), they can handle far more information at once.
The technology isn’t currently available, but tech giants like IBM and Google are working hard at making it a reality.
When that happens – though it probably won’t for the next several decades, if not longer – then 256-bit AES will become functionally obsolete.
For now, though, 256-bit AES VPN encryption is the best we’ve got. And you should never settle for less than the best when your online privacy is at stake.