What Is Encryption?
Encryption is the process of transforming readable data (plaintext) into an unreadable, scrambled form (ciphertext) using a mathematical algorithm and a key. Only someone holding the correct decryption key can reverse the process and read the original data. Encryption is the foundation of secure communication, data storage, and authentication across the internet: it underpins HTTPS/TLS, VPNs, and end-to-end messaging.
Symmetric vs Asymmetric Encryption
| Property | Symmetric | Asymmetric |
|---|---|---|
| Keys used | One shared key for both encrypt and decrypt | Key pair: public key encrypts, private key decrypts |
| Speed | Very fast; suitable for bulk data | Slow; typically 100-1000x slower |
| Key distribution problem | Yes: how do you securely share the key? | No: the public key can be shared openly |
| Common algorithms | AES-256, ChaCha20, 3DES | RSA-2048/4096, ECC (P-256, X25519), ElGamal |
| Typical use | Encrypting files, VPN data tunnels, disk encryption | TLS handshake, email signing, SSH authentication |
Common Encryption Algorithms and Their Strength
| Algorithm | Key Size | Status | Use Case |
|---|---|---|---|
| AES-256 | 256 bits | Secure; recommended | File encryption, VPNs, TLS data |
| AES-128 | 128 bits | Secure; widely used | TLS, disk encryption (FileVault, BitLocker) |
| ChaCha20-Poly1305 | 256 bits | Secure; recommended for mobile | TLS 1.3, WireGuard VPN |
| RSA-2048 | 2048 bits | Acceptable (4096 preferred) | TLS certificates, SSH, PGP |
| RSA-1024 | 1024 bits | Insecure; deprecated | Legacy only; do not use |
| DES / 3DES | 56 / 112 bits | Insecure; deprecated | Legacy systems only |
| MD5 / SHA-1 | Hash functions | Broken for signatures | Do not use for integrity or signatures |
Encryption at Rest vs In Transit
- Encryption in transit protects data as it travels over the network; HTTPS/TLS is the standard for web traffic. Verify any site's certificate with our SSL checker.
- Encryption at rest protects data stored on disk; BitLocker (Windows), FileVault (macOS), and LUKS (Linux) are common tools.
- End-to-end encryption (E2EE) means only the communicating parties can decrypt the data, not even the service provider. Signal, ProtonMail, and WhatsApp (with caveats) offer E2EE.
- Encrypting data in transit but not at rest is a common gap: if a server is breached, unencrypted stored data is exposed. Combine with a firewall and VPN for layered protection.
How TLS Combines Both Kinds of Encryption
Real systems rarely choose between symmetric and asymmetric; they chain them. In an HTTPS connection, asymmetric cryptography runs exactly once, during the TLS handshake: a Diffie-Hellman key exchange lets both sides derive a shared secret over a public channel, and the server's certificate signature proves who you derived it with. Everything after that (the actual pages, uploads, and downloads) is encrypted with fast symmetric ciphers (AES-GCM or ChaCha20-Poly1305) using that freshly agreed key. The same hybrid pattern appears in VPN protocols, encrypted messaging, and PGP email: slow public-key maths to establish trust, fast symmetric ciphers to move data.
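The handshake-then-bulk-data flow described above, as an added example (not code from this page): both sides of a mock HTTPS session generate ephemeral X25519 key pairs, each derives the same AES-256 key from the shared secret, and the message then travels under AES-GCM. It assumes Go's standard-library crypto/ecdh (Go 1.20 or later) and a simplified SHA-256 key derivation standing in for TLS's HKDF; the certificate-signature step is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// must keeps the demo short: key generation or cipher setup failing is fatal here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sessionKey is the handshake step: the X25519 shared secret reduced to a 256-bit AES
// key. Simplified KDF (SHA-256 over secret plus a label); TLS 1.3 uses HKDF instead.
func sessionKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	sum := sha256.Sum256(append(must(own.ECDH(peer)), "demo-session-key"...))
	return sum[:]
}

// aesGCM builds the AES-256-GCM cipher used for the bulk-data step.
func aesGCM(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// Exchange plays both sides of one HTTPS-style session: ephemeral X25519 key pairs,
// public keys swapped, each side deriving the session key on its own, then msg sent
// client-to-server under AES-GCM (random 12-byte nonce prefixed to the ciphertext).
// It returns the server's decrypted copy and whether some other key could open it.
func Exchange(msg []byte) ([]byte, bool) {
	client := must(ecdh.X25519().GenerateKey(rand.Reader))
	server := must(ecdh.X25519().GenerateKey(rand.Reader))
	clientKey := sessionKey(client, server.PublicKey()) // client's view of the secret
	serverKey := sessionKey(server, client.PublicKey()) // server's view: same bytes
	gcm := aesGCM(clientKey)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	wire := gcm.Seal(nonce, nonce, msg, nil) // what an observer sees on the network
	// Server side: its independently derived key verifies the tag and recovers msg.
	srv := aesGCM(serverKey)
	decrypted := must(srv.Open(nil, wire[:srv.NonceSize()], wire[srv.NonceSize():], nil))
	// Eavesdropper: the two public keys alone yield no secret, and any other key fails.
	wrong := sha256.Sum256([]byte("not the shared secret")) // any other 32-byte key
	_, err := aesGCM(wrong[:]).Open(nil, wire[:12], wire[12:], nil)
	return decrypted, err == nil
}
```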
Encryption vs Hashing vs Encoding
Three terms that get mixed up constantly, and only one of them is encryption:
| Technique | Reversible? | Needs a Key? | Purpose | Examples |
|---|---|---|---|---|
| Encryption | Yes, with the key | Yes | Confidentiality | AES, ChaCha20, RSA |
| Hashing | No, one-way by design | No | Integrity checks, password storage | SHA-256, bcrypt, Argon2 |
| Encoding | Yes, by anyone | No | Data representation only | Base64, URL encoding, UTF-8 |
The distinction has teeth: a site that can email you your old password stored it encrypted (or worse, in plain text) instead of hashed, which is a genuine red flag. And Base64 "scrambling" offers zero secrecy, despite appearances. How services handle your credentials is worth checking via the breach check tool when a provider you use is hacked.
Turning On the Encryption You Already Own
| Step | Action |
|---|---|
| 1 | Windows: Settings → Privacy & security → Device encryption (or search "BitLocker" on Pro editions) → turn On |
| 2 | macOS: System Settings → Privacy & Security → FileVault → Turn On; store the recovery key somewhere other than the same disk |
| 3 | iPhone/Android: Already encrypted by default whenever a passcode/screen lock is set, so set one |
| 4 | In transit: Prefer HTTPS everywhere (check any site with the SSL checker) and add encrypted DNS or a VPN on untrusted networks |
| 5 | Messaging: Use apps with end-to-end encryption enabled by default; see the E2EE FAQ for what that guarantee actually covers |
What This Means for You
Encryption stopped being an expert feature years ago; today it is a set of switches, most of them already on. Your realistic job is closing the gaps the defaults leave: full-disk encryption on laptops (the difference between a lost laptop being an annoyance or a breach), E2EE messaging for conversations that matter, and encrypted transport on networks you don't control. The one genuinely new habit encryption demands is key custody: a disk's recovery key or a password manager's master passphrase is now the single object standing between you and your own data, so store it deliberately, never alongside the thing it unlocks.
Frequently Asked Questions
Can encrypted data be cracked?
Not by brute force at modern key sizes: trying every AES-256 key is physically infeasible regardless of computing budget. Real-world breaks happen around the edges instead: weak passwords protecting the keys, implementation bugs, stolen endpoints, or deprecated algorithms. Attackers steal keys; they don't out-calculate the cipher.
What is the strongest encryption available today?
For practical purposes, AES-256 and ChaCha20-Poly1305 for data, paired with elliptic-curve key exchange (X25519), the combination TLS 1.3, WireGuard, and Signal all use. "Strongest" matters less than "correctly implemented": a flawless cipher in a flawed product still fails.
Will quantum computers break encryption?
A large fault-tolerant quantum computer would break today's asymmetric algorithms (RSA, ECC) via Shor's algorithm, while symmetric ciphers like AES-256 remain comfortably safe. Migration is already underway: NIST published post-quantum standards (ML-KEM, FIPS 203) in 2024, and major browsers and VPNs have begun deploying hybrid post-quantum key exchange.