two hands are in the frame; one is holding a cell phone with VPN written on its screen. The other hand emits an encryption cloud over the cell phone.

VPN (Virtual Private Network) encryption is extreme math nerd stuff VPN protocols use to encrypt your data. And by “encrypt,” I mean turn it into gibberish nobody who intercepts the data can read. Of course, the explanation is more technical than that, but I wrote this article to be as simple as possible, so read on. 

Table of contents

    Encryption simplified

    Encryption is the science of turning normal text into a ciphertext nobody can read. It dates back to ancient times (Julius Caesar knew something about it) and sometimes appears as breakfast cereal toys

    You’ll need an encryption key if you want to encrypt or decrypt something. It’s a piece of info explaining the encryption.

    For example, a simple ROT13 cipher replaces a letter with one that’s 13 letters behind it in the alphabet. If you know that a page full of gibberish you’re holding is a ciphertext encrypted with a ROT13 cipher, you can decrypt it by doing the necessary letter shifting. In this case, the encryption key would be “shift the letter 13 spaces in the alphabet.”

    Of course, we have computers these days, and computers are very good at brute-forcing ciphertext, cracking ROT13 easier than effortlessly. That’s why leading encryption protocols use AES-256 algorithms (more on them later!).

    What types of encryption exist?

    The sorting of encryption depends on encryption keys, and only two exist — the symmetric and asymmetric keys. 

    Symmetric key encryption

    Symmetric encryption is easy to explain. If Person A and Person B communicate via symmetric encryption, they use the same encryption key. ROT13 is an example of symmetric key encryption.

    The approach is simple, and while the key can be as complex as you want, the complexity doesn’t matter. The important thing is that both parties have the same key. But therein lies the problem: how does Person A safely transfer the key to Person B?

    It’s fairly easy for, say, old-timey intelligence agencies:

    1. Put the keys on a cipher pad;
    2. Chuck it into a suitcase;
    3. Lock it;
    4. Attach the suitcase to the wrist of a serious man via handcuffs;
    5. Put him on the next plane to Berlin. 

    But what if you’re a VPN user who needs to make an encrypted connection to a VPN server? Here, asymmetric encryption can help.

    Asymmetric encryption 

    Asymmetric encryption, or public key encryption, uses two sets of keys — public and private. The sender encrypts the data, and the recipient decrypts it. Asymmetric encryption uses a public-private key pairing, which means the data encrypted with a public key can only be decrypted with a paired private key.

    When you want to send an encrypted message, you can pull the recipient’s public key from a public directory and use it to encrypt the message before sending it. The recipient will only be able to decrypt the message using their related private key. Good job, double-oh-seven!

    These days, encryption protocols use both methods: they establish communication via asymmetric encryption and then use it to exchange keys used in symmetric encryption safely. This is what happens when AES-256 does its magic — let’s talk about it now. 

    All you need to know about the advanced encryption standard

    an infographic showing how data gets encrypted; it gets split into smaller units and is rearranged into different places

    AES (Advanced Encryption Standard) is referred to as a block cipher because it splits the data into blocks and applies different cryptographic keys to each. Both the keys and blocks are measured in bits. And the keys come in different sizes 128, 192, and 256 bits. Hence AES-256 produces 256 blocks of ciphertext from 256 blocks of plaintext.

    The longer the encryption key, the longer it takes to crack it. And the longer it takes to crack, the more robust the encryption is. It would take billions of years for the fastest computer on Earth to brute force AES-256.

    AES-256 encryption is a widely utilized cryptographic standard because there are no known ways to decrypt a message encoded with it in a lifetime. It’s trusted by NordVPN and Surfshark, as well as most of the VPN industry.

    What does encryption do in a VPN? 

    Encryption is what puts “private” in Virtual Private Network. Let me demonstrate with an example what happens when you try to use a VPN to access a geoblocked website:

    1. You send the request (by going to the website) to your VPN client (app, browser extension, etc.);
    2. The VPN client receives your requests and establishes an encrypted VPN tunnel to the VPN server, which it uses to send encrypted data;
    3. As the server forwards your request to the internet (the website you’re trying to access in this case), the data is decrypted;
    4. The website accepts the request and sends it back to the server;
    5. The server then encrypts the data again and sends it to the VPN client;
    6. Finally, your VPN client decrypts and sends the data back to you.

    It’s a complicated process, but with the processing power of today’s devices, it happens in moments. Now, let’s explain just the encryption part of the protocol. 

    How does VPN encryption work? 

    Computer geeks have developed ways to create secure channels over the insecure internet. Here are four steps explaining how secure encryption is achieved over a VPN connection.

    Step 1: Asymmetric key exchange
    Step 2: Symmetric key exchange
    Firstly, you do a handshake — a VPN client and a VPN server start communicating by exchanging asymmetric keys.

    Two encryption keys get made: public and private. The public one only encrypts data and is sent to the other party. They then use your supplied public key to encrypt data so only you can decrypt it.

    Thus, secure communication is established over an open channel.
    Secondly, you do a symmetric key exchange. A new and unique key is created. It’s going to be used by an encryption algorithm to transfer the data.

    Every session gets a new and unique key. At this point, you will have achieved perfect forward secrecy.

    That means if your encrypted channel from the previous step was compromised, the symmetric key exchange makes sure your data stays secure.

    If somebody wanted to see the data, they’d have to decrypt each session separately.
    Step 3: The encryption algorithm
    Step 4: Integrity algorithms
    Thirdly, the encryption algorithm uses the symmetric key derived before.

    AES-256-GCM, which we mentioned earlier, is one of them. You now encrypt all your data with it.
    Finally, integrity algorithms are utilized to check if anyone messed with the data in transit.

    Simply put, you use a mathematical hash function to scramble a part of the information that you’re sending. The receiving party can now check both this function and your private key. If we have a match, the information hasn’t been interfered with.

    And that’s it! All of this might sound complex, but it doesn’t require your interaction at all. You click the “Connect” button, and the app puts those VPN clients to work.

    What do VPN protocols have to do with encryption?

    A VPN protocol is a set of procedures outlining all the steps taken to create and maintain a VPN connection, including encryption. However, many VPN protocols aren’t as safe as you’d want them to be due to their obsolete encryption.

    Currently, AES-256 is employed by every reputable VPN protocol under the sun. One of the main reasons you should never, ever use PPTP is that it uses 128-bit encryption. 

    Everyday use; putting a VPN on routers
    Mobile devices, short-range connections, everyday use
    The hottest new thing for everyday use
    Everyday use
    A tunneling protocol; no reason to use it outside ancient technology
    A Microsoft tunneling protocol; for connecting Windows devices
    No reason to use it as IKEv2 is better in every way

    Surfshark VPN uses IKEv2/IPsec, OpenVPN, and WireGuard with the AES-256-GCM algorithm, which is faster than only AES-256

    How to check if your VPN is encrypted

    You can test VPN encryption with GlassWire or Wireshark. Both of these tools are free to download and use.

    Wireshark is more precise in testing VPN encryption because it checks individual data packets going in or out of your device. However, unless you’re very suspicious of the VPN you’re using, GlassWire should be enough.

    Test VPN encryption with GlassWire

    1. Download GlassWire and follow the installation process;
    2. Run the program;
    3. Connect to a VPN of your choice;
    4. Do something that generates traffic on the internet (watch a video or download a file);
    5. Select Usage;
    6. Go to the Apps menu on the left;
    7. Search for the VPN type you’re using (e.g., if you’re connected to OpenVPN, find OpenVPN Daemon) and click on it;
    8. Verify the traffic type.

    Now you can inspect if the VPN is routing traffic securely.

    Test VPN encryption with Wireshark

    1. Download Wireshark and follow the installation process;
    2. Run the program;
    3. Choose the network to capture: wired (Ethernet) or wireless (Wi-Fi), and click on it;
    4. Click on packets of data and inspect them.

    If the packets appear unreadable/gibberish and there’s nothing written in plain text, then it means your VPN is encrypted.

    An example of encrypted data:

    encrypted data

    Why is encryption needed?

    VPNs establish secure and private communication tunnels between a device and the internet. The security part is achieved using encryption.

    For instance, if a hacker intercepts the data stream from your device, they can listen in on your conversations over VOIP (Voice Over IP, like calls on Messenger), see you inputting your passwords, and even inject malicious data using the man-in-the-middle attack.

    A VPN encrypts that data. So even if a hacker were to intercept, your data would be unintelligible and rendered unusable to the hacker, therefore secure. There’s another use for encryption.

    Because your data isn’t private

    I believe a person deserves privacy, and it should be up to you what you disclose to the rest of the world. Your mobile service provider sees what you scroll through; your internet service provider knows your browsing habits; the web pages you frequently visit know what you like.

    That’s because of how internet data traffic flows — it passes through your provider’s servers, and that’s how you access the internet. And that is fine as long as nobody uses your data against you or benefits from it.

    Of course, there are data protection laws, but encrypting it is a surefire way of making it inaccessible to anyone but you and the intended recipient. As the saying goes, ‘‘Better safe than sorry,’’ and use a VPN.

    The takeaway: get a VPN with strong encryption

    VPN encryption is a complex and technical subject. However, I hope you found my explanations, metaphors, and simplifications easy to follow. If I did my job well enough, you should know much more about what a VPN is.

    What can you do with this information? Get a VPN with trustworthy encryption to boost your online privacy and security when streaming your favorite content online. May I suggest Surfshark?

    Experience the power of AES-256-GCM encryption

    Get Surfshark


    Are all VPNs encrypted?

    All VPNs should be encrypted otherwise, they wouldn’t be private. On the other hand, free VPNs are shady and could be skipping out on encryption. 

    Is VPN encryption end-to-end?

    No, the traffic is only encrypted between you and the VPN server. If the VPN server didn’t decrypt the data before forwarding it, the recipient couldn’t read it. 

    Does a VPN encrypt all of your data?

    Yes, a VPN will encrypt all the data you send over the internet. It also encrypts all the data a VPN is installed on — if it’s installed on a router, then a VPN will encrypt the data passing the router; if a VPN is installed on a laptop, it’ll encrypt a laptop’s data, and so on.

    What is the best VPN encryption?

    The best VPN encryption currently is AES-256 for OpenVPN and IKEv2, while ChaCha20 is best for WireGuard. So make sure to look to download a VPN that uses these encryption algorithms together with secure VPN protocols.