When choosing a VPN, encryption should be a top consideration. But what exactly is it, and how strong does your VPN protocol need to be to guard your security online? Today, we’ll show you everything you need to know, and recommend the VPNs with the best encryption on the market.
Virtual private networks are extraordinarily powerful tools that bestow a number of benefits to their users. With a VPN you can stop your ISP from tracking you, bypass government level censorship blocks, watch movies on Netflix from other countries, and keep your online communications safe from prying eyes. To top it all off, VPNs are inexpensive and extremely easy to use, making them an indispensable addition to any modern internet connected device.
No time to read our encryption guide? Here’s the lowdown on which VPNs just work the best:
- NordVPN – Strongest VPN Encryption – NordVPN’s myriad privacy provisions include specially optimized servers, tons of fail-safes, flexible encryption ciphers, and every tunneling protocol under the sun.
- Surfshark – Does away with the outdated bloat in favor of modern security methods you’ll actually use.
- ExpressVPN – Flexible encryption and routing, blazing fast speeds.
- VyprVPN – Impress and confound your friendly neighborhood hackers with the unbreakable Chameleon protocol.
Most of what makes VPNs so useful is due to encryption, a process that wraps data with randomized code to make it impossible to identify or read without first decrypting it. You don’t have to understand the underlying principles of cryptography that makes encryption work, but it’s useful to be familiar with the basics. That way, when you see VPN companies shouting about L2TP/IPSec and 256-bit AES encryption, you’ll know exactly what they’re talking about.
What Is Cryptography?
Cryptography is a field of study that focuses on techniques for secure communication. Most people think of it in relation to codes developed by governments to send messages that wartime enemies couldn’t read. Greatly simplified forms of cryptography can be found in children’s toys like decoder rings and cipher wheels, as well. Modern digital cryptography takes that knowledge and makes it vastly more intricate, leveraging the number-crunching power of computers to create randomized codes no one can crack, not even with the most advanced computers in the world.
Cryptography is the underlying science that makes VPNs possible. Whenever someone says “data is encrypted”, it means a complex cryptography pattern was generated using a mathematical formula and used to hide the data in question. That pattern makes information unreadable unless the correct cipher is used. The analogy of a lock and key is often used to describe encryption, but cipher keys are infinitely more complex than anything you could put on a key ring.
How VPN Encryption Works
Encryption is used throughout the technology world to provide privacy and security to all sorts of data. Android and iPhone devices can encrypt local files to make them impossible to steal, online shopping sites encrypt credit card information, and messaging services and VoIP programs encrypt data to keep it safe from hackers and nefarious third parties. Encryption turns ordinary information into secure information, and there’s very little downside to the entire process.
We can compare the VPN encryption process to sending a letter through the mail. Instead of the postal service we have VPN providers. Instead of paper we have packets of data, and instead of envelopes we have secure cryptography patterns locked with incredibly complex keys.
Anytime you do anything online you send out thousands of packets of data. Those packets are requests you made in your browser, such as downloading a file or receiving a web page after typing in the URL. Data packets are normally sent across the internet in a plain format, sort of like mailing a postcard in real life. The postcard has an address so the postal service knows where to deliver it, but its contents are out in the open, making it easy for anyone to read it.
RELATED READING: How to stay safe on public Wi-Fi
With VPN encryption you can send letters just like before, only now each one is stuffed into an envelope no one can open except the intended recipient. Data packets are stuffed in cryptographic envelopes by the VPN software on your computer, then sent to your local service provider as normal. ISPs are known to keep logs of user activity, which is akin to photocopying postcards and stacking them in the corner. If you send encrypted data through an ISP, however, all they’ll do is photocopy the envelope, leaving your data secure inside.
Because each encryption envelope contains an address, your ISP quickly sends it along to the next destination: your VPN provider. The VPN company has a cipher key to unlock the envelope, which is necessary to actually process your request. The VPN carries out the instructions contained in the letter, such as downloading the cat pictures you wanted to look at, then seals everything up in another cryptographic envelope. That envelope is sent through your ISP and to your computer, at which point your local VPN software uses a cipher to decrypt the contents, opening the letter and showing you the information you requested.
Basics of Encryption and VPN Cryptography
The letter and envelope analogy is a greatly simplified version of what goes on when a VPN encrypts your data. The important thing is encryption hides data from third parties and can only be decrypted by users with the correct mathematical keys, i.e. your computer and the VPN provider. With that in mind, we can now take a look at the more detailed aspects of cryptography and cover a few terms you’ll run into while researching online security and VPNs.
There are two basic methods of encryption: public key (asymmetric) and private key (symmetric). Both accomplish the same end goal of obscuring data from prying eyes. Each one goes about it using different tools and has its own set of strengths and weaknesses.
- Private Key Encryption – In this scenario, two identical private keys are generated when data gets encrypted. Anyone with either of these keys can send and receive letters to each other, making the transaction completely balanced. One of the drawbacks to symmetric encryption is finding a secure way to share these keys in the first place. After all, if someone intercepts the key, they can open your envelopes. That’s why public key encryption is often used first, which allows the VPN to share symmetric keys securely.
- Public Key Encryption – There are two mathematically matching keys involved in an asymmetric exchange: public and private. Using the envelope example above, if a user has a public key they can open the envelope and add letters to it, but they can’t see letters that are already there. Private key holders can see everything in the envelope and remove whatever they like, but they can’t add things to it key. This is what makes public key encryption asymmetrical, since key holders don’t have the same abilities as each other.
VPNs generally use asymmetric encryption first to exchange symmetric keys, which is something like locking a box, then placing that box inside of another box with a separate key.
Explaining AES, OpenVPN, L2TP/IPSec, PPTP, SSL, and SSTP
It’s great to see such a wide variety of protocols supported by so many VPNs. It’s worth noting that most people will never have cause to use them, however. A VPN connection using 128-bit AES encryption and OpenVPN is the best method to use in most scenarios. Unless you need a specific benefit offered by an alternate method, stick with the basics for the best balance of privacy and speed.
Below is a quick rundown of some of the security protocols and encryption types employed by VPN services.
- AES – AES stands for Advanced Encryption Standard. It’s currently the most widely used specification for electronic data encryption and is considered the most secure form of encryption available. Some privacy advocates worry that because AES was approved by the NSA, the agency might know of some hidden weakness it can exploit. This is highly unlikely, of course.
- OpenVPN – The OpenVPN protocol is used by most VPNs to handle encryption traffic both to and from the user’s computer. It essentially pulls together a variety of other protocols and allows them to work together. OpenVPN offers the best balance of speed and security, which is why it’s the main protocol deployed by the vast majority of VPNs on the market.
- L2TP/IPSec – Layer 2 Tunneling Protocol (L2TP) is a method for delivering data from one device to another. Since L2TP doesn’t offer any kind of encryption, it’s almost always paired with Internet Protocol Security (IPSec), which negotiates the cryptographic keys to create a VPN-like environment. L2TP/IPSec is more secure than OpenVPN and can help users get through firewalls that block VPNs, but it can be extremely slow.
- PPTP – Point-to-Point Tunneling Protocol is a commonly used form of VPN that sends data packets through a private tunnel. It’s incredibly fast and easy to set up and maintain, but it doesn’t offer encryption like most VPN protocols.
- SSTP – Secure Socket Tunneling Protocol is an excellent alternative to standard protocols in areas where VPNs are forbidden. It uses a different port and different tunneling methods than other protocols, which allows it to be nearly undetectible and incredibly secure. The main downside is it only works with the Windows operating system, as Microsoft created and owns SSTP in its entirety.
- SSL/TLS – Transport Layer Security and its predecessor Secure Sockets Layer are less commonly seen in the VPN market as compared to the other protocols. Both use a unique cryptographic protocol that mimics the functioning of a VPN. SSL is most commonly used by websites that deliver secure HTTP connections, such as online shopping sites or secure e-mail services. The advantage is that SSL is better at symmetric transfers, though this can be difficult to implement.
Bigger Keys Means Better Privacy
All this talk about keys is a bit abstract. You might think of a key as a hunk of metal with ridges on the side. You might also think how easy it is to make copies of those keys or to pick the locks those keys supposedly protect. The good news is that cipher keys are infinitely more complex than a metal key, and the locks they open are just as intricate.
Most VPNs use either 128-bit or 256-bit keys. To put that in perspective, if you wanted to guess the correct key for a packet of data secured with 128-bit encryption, you’d have to try over 339,000,000,000,000,000,000,000,000,000,000,000 (339 decillion) possible combinations. That would take the fastest supercomputers over a million years to complete. Bumping the key complexity up to 256-bit increases that complexity exponentially. Either way, that’s more than enough security for all of your online needs.
Encryption’s Biggest Weakness
When security breaches happen, it’s almost always due to user error or some sort of backdoor. The brute force approach to cracking encryption keys is practically impossible to achieve, which is why most attackers and third parties opt for workaround methods to get the data they’re interested in. This boils down to the people and the companies that handle your data. It may take millions of years to crack a 256-bit key, but it only takes a few minutes to call an unscrupulous VPN provider and ask for their logs.
LEARN MORE: What are VPN user logs?
Encryption’s biggest weakness are the people that surround it. This is why it’s so important to use a VPN you can trust. If the VPN provider hands out keys to third parties or doesn’t really deliver the encryption they promised, your data is as good as gone. Free VPN services are notoriously unscrupulous with user information. If they can sell a few logs to make some money, they’ll do it. Well-established VPN providers with a strong privacy records are always worth the small monthly investment.
Beyond Encryption – Differences between VPN Services
Armed with all of this knowledge about encryption and cryptography, how do you use it to select a better VPN? There are hundreds of choices on the market, each delivering a slightly different take on digital security packages. One thing they all provide is adequate encryption, so making the right choice largely comes down to additional features and your own personal needs. Remember: the weakest link in your digital privacy isn’t encryption itself, but the features and practices surrounding it.
Below are some of the important factors you should consider when looking at a potential VPN service.
- Encryption strength – You won’t find a lot of variation between VPN services when it comes to encryption. The vast majority of providers deliver 128-bit or 256-bit AES encryption, which is perfectly suitable for almost all online activities. Anything stronger often results in an incredibly sluggish performance.
- Logging policy – You might think that logging encrypted data is no big deal. After all, isn’t it useless in its unreadable encrypted form? Remember that VPNs hold the keys to decrypt this data, however, and if third parties demand access, they also demand access to the keys. While there are a variety of things VPNs can log without harming your privacy, make sure traffic logs are strictly forbidden.
- Jurisdiction – Strong encryption and a zero-logging policy are great, but none of that matters if your VPN is located in a country that doesn’t care about the rights of the individual. Places like China, the UK, the U.S.A., Australia, Canada, and other nations are notoriously quick to engage in mass surveillance. If your VPN is registered in one of these countries, they could be forced to secretly log data and provide government access as needed.
- Speed – The one downside to encryption is that it adds data to each packet of information. Added data means larger file sizes, and larger file sizes means more information is sent through your connection, which leads to slower downloads. The best VPNs have clever workaround that provide speed without sacrificing privacy.
- Free trials and money back guarantees – If you just can’t make up your mind, give a few VPNs a test run. Some providers offer short free trials, extremely low-cost day passes, or money back guarantees. This allows you to test the service in a variety of situations to see how seamless the experience is.
- Other features – The defining features for any VPN often rest in the “other” category. Some VPNs offer built-in firewalls, anti-virus software, and adblockers, which might be exactly what you’re looking for. Others have better custom software or stronger support for Android and iOS devices. Checking out the additional features will often help you decide which VPN is right for you.
Recommended VPNs with Strong Encryption
Still can’t decide which VPN is right for you? We used the criteria above to select a few of the best VPNs on the market. Each one offers incredibly strong encryption, enough to ensure your data can never be read by unauthorized eyes. Take a look at some of their features below, and don’t hesitate to sign up and start protecting your online privacy!
If you want the toughest encryption around, NordVPN is the way to go. The company runs a massive network of nearly 5,600 servers in 60 different countries, more than most other providers could even dream of. They use this variety to offer incredibly smart privacy services on select servers, including their famous Double Encryption process. By using select parts of the NordVPN network, you can wrap your traffic in 2048-bit SSL encryption for the ultimate in online security.
NordVPN features sleek, easy to use apps for all major operating systems and mobile devices. It also boasts one of the most comprehensive zero-logging policies in the market (they’ve even had it independently verified to quell all doubt). NordVPN’s jurisdiction in the privacy-friendly country of Panama, a tremendous boon for privacy-conscious users. For full anonymity, the company accepts bitcoin payments.
Read our full NordVPN review.
- SPECIAL OFFER: 2-yr plan (68% off - link below)
- Over 5,400 servers in 61 countries
- Torrenting/P2P explicitly allowed
- “Double” data protection
- Live Chat Support.
- Some servers can have average d/l speeds
- Apps can be a bit cumbersome to use.
Surfshark just launched in 2019, and this scrappy young provider is determined to replace tired old industry norms with cutting-edge privacy solutions. For one, they’ve upgraded their encryption cipher to 256-AES-GCM, currently the most powerful commercially available with reduced overhead for faster speeds. Moreover, they’ve dropped outdated tunneling protocols in favor of OpenVPN, IKEv2/IPSec, WireGuard, and Shadowsocks (Windows only).
Another puzzling VPN tradition is limits on bandwidth, server switching, and even simultaneous connections. Surfshark does away with them all, allowing you to use their network however and as often as you like. Sure, the network still has room to grow at just north of 800 nodes, but the coverage is there with 50 countries represented–and it’s growing all the time.
Finally, Surfshark has enjoyed the scrutiny of independent auditors verifying the claims of their no-logging policy. (Spoiler: they passed with flying colors).
- Every server optimized for unblocking Netflix, BBC iPlayer, Hulu, and more
- Over 800 servers in 50 countries worldwide, and constantly growing
- CleanWeb mode blocks ads and popups before they load, saving your mobile data and speeds
- Favorable BVI jurisdiction guarantees no logs kept
- Get help any time of day via email, phone, or live chat.
- Overall, not much to complain about
- Power users may wish for more settings to fiddle with.
Read our full Surfshark review.
ExpressVPN is aptly named, as the service delivers consistently fast speed results across most of its network. This holds true for users in India connecting to the U.S., UK users on South American servers, and every other combination you can think of. No matter where you live or where you want your virtual location to be, ExpressVPN can hook you up with a fast, reliable connection, plain and simple.
ExpressVPN offers an excellent selection of custom apps for Windows, Mac, Linux, Android, iOS, and more. There’s also a speed test option built into several versions of its software, so you can always tap into the lightning fast connection speeds across the entire network. Jurisdiction in the British Virgin Islands is highly conducive to privacy friendly policies and won’t you leave you at the mercy of overbearing governmental regulations and snooping. Finally, there are zero traffic logs kept, so you never leave a trace of your online activity behind.
Read our full ExpressVPN review.
- Unblocks US Netflix, BBC iPlayer and other streaming services
- 94 countries, 3,000+ servers
- Very simple and easy to use
- No logs for personal data
- 24/7 Live Chat.
- Expensive month-to-month plan.
While the speed test results and software offerings are great, VyprVPN has a strong reputation among privacy enthusiasts thanks to one unique feature: Chameleon. This protocol takes encrypted packets and wraps their meta data in an extra layer of security, roughly the equivalent of encrypting the address on an envelope you send through the mail. This makes it impossible for third parties to perform deep packet inspections to determine the origin or destination, which helps defeat firewall blockades and work around throttling efforts put in place by ISPs.
Features that set VyprVPN apart include support for a wide variety of operating systems, including desktops and smartphones; jurisdiction in Switzerland, a country known for its user friendly privacy policies; the unique Chameleon technology to help defeat VPN blocking firewalls; plus a comprehensive zero logging policy that covers both traffic and DNS requests.
Read our full VyprVPN review.
Now you should have a firm grasp on what encryption is, and how it is used to safeguard your privacy online. We’ve shown you everything you need to get started beating geoblocks, hiding your identity, and just generally existing in a state of heightened security when browsing and downloading. Each of our recommended VPN providers offers an incredible balance of privacy, performance and price, so you can get up and running in a matter of minutes.
Do you have any questions about encryption we didn’t answer in this article? Let us know in the comments below.
If you need a VPN for a short while when traveling for example, you can get our top ranked VPN free of charge. NordVPN includes a 30-day money-back guarantee. You will need to pay for the subscription, that’s a fact, but it allows full access for 30 days and then you cancel for a full refund. Their no-questions-asked cancellation policy lives up to its name.