3.5B
encrypted connections made every second globally
256-bit
AES key length — standard across banking and messaging
90%
of data breaches involve improperly secured data, not broken encryption
Right now, your phone is encrypting something.
Every message you send. Every banking transaction you make. Every time you load a page with a padlock in the address bar. Encryption is happening — silently, instantly, billions of times a second — and most people have no idea what it actually does.
That’s worth fixing. Not because encryption is complicated. But because understanding it changes how you read the word “secure” — and whether you believe it.
This article explains what encryption is, how it works, what it protects you from, and — critically — what it doesn’t. By the end, you’ll have a working mental model that actually holds up in the real world.
You’re Already Using Encryption — Right Now
You don’t have to opt in to encryption. You’re already in.
When you open WhatsApp, your messages are encrypted before they leave your phone. When you log into your bank, your password travels through an encrypted channel. When you type your card number into a checkout page, encryption scrambles it before it touches the internet. The padlock icon in your browser? That’s your browser confirming an encrypted connection is active.
Encryption is not a feature you turn on. It’s infrastructure — like the plumbing in a building. You don’t think about it. It just runs.
To make it concrete: here is what actually happens when you log into your bank. Your browser and the bank’s server exchange cryptographic credentials and agree on a shared secret — all in under 300 milliseconds. Every byte of data that follows — your username, your password, your account balance — travels inside an encrypted tunnel that your internet provider, your router, and anyone sitting on the same public Wi-Fi cannot read. You see a login screen. Under the hood, three separate cryptographic operations have already completed before you typed a single character.
The problem is that “encrypted” has become a marketing word. Every app, every service, and every bank claims it. And because most people don’t know what encryption actually does, they cannot tell a strong implementation from a weak one — or a real claim from a vague one.
That’s the gap this article closes.
What encryption actually means
Encryption converts readable data — a message, a password, a bank transfer — into an unreadable scramble using a mathematical key. Without the correct key, the scramble is useless to anyone who intercepts it. That's the complete definition. Everything else is detail.
That’s it. Everything else is detail built on top of that one idea.
How Encryption Actually Works — No Maths Required
Think of encryption like a lockbox with a specific combination.
You put your message in the box. You lock it with a combination that only you and the intended recipient know. Anyone who intercepts the locked box sees nothing useful — just a sealed metal container. The recipient opens it with the same combination and reads the message.
That’s symmetric encryption in one paragraph — the same “combination” (called a key) locks and unlocks the box on both sides.
Now imagine a different scenario. You want to receive private messages from anyone — strangers included — without sharing a secret combination with each of them first. So instead, you install a public letterbox on your front door. Anyone can drop a letter in (they use your public key to encrypt it). But only you have the key to open the letterbox and read what’s inside (your private key).
That’s asymmetric encryption — and it solves a problem symmetric encryption can’t: how do you share a secret with someone you’ve never met?
Symmetric Encryption
The Lockbox
One key. Locks and unlocks. Both sides must have the same combination. Fast — ideal for bulk data. Problem: how do you share the combination safely?
Asymmetric Encryption
The Letterbox
Two keys. Anyone can post a letter in (public key). Only you can open it (private key). Slower — but solves the combination-sharing problem entirely.
In real life, almost every secure connection uses both. When your browser connects to a bank’s website, it uses asymmetric encryption to establish a secure channel and agree on a shared secret. Then it switches to symmetric encryption for the actual data transfer — because symmetric is much faster for large volumes of data. This is what TLS (the protocol behind HTTPS) does under the hood.
The process is called a TLS handshake, and it happens in milliseconds every time you visit a secure website. You never see it. It just works.
There is also a third concept worth knowing: hashing. Hashing is a one-way process — it converts data into a fixed-length string that cannot be reversed. Unlike encryption, there is no key and no decryption step. When a website stores your password, it should store a hash of your password, not the password itself. When you log in, the site hashes what you typed and compares it to the stored hash. If a database is breached, the attacker gets hashes — not passwords. Whether that protects you depends entirely on how the hashing was done. Weak algorithms (MD5, SHA-1) can be cracked quickly. Strong ones (bcrypt, Argon2) cannot, practically speaking.
Why AES-256 is the global standard
A 256-bit key has 2²⁵⁶ possible combinations. Every computer on Earth working together for billions of years could not brute-force it. When you see "AES-256" on an app or service, the underlying encryption is as strong as anything commercially available today. The encryption is not the weak point. The implementation around it usually is.
The Two Types of Encryption — and Why Both Exist
Encryption broadly divides into two families. Every implementation you encounter sits in one of them.
Symmetric Encryption
One key. Same key encrypts and decrypts. Fast, efficient, excellent for large data volumes.
Where you see it: File encryption on your laptop (BitLocker on Windows, FileVault on Mac), database encryption in banking systems, encrypted cloud storage, the data transfer phase of every HTTPS connection after the handshake.
The weakness: Key distribution. If both sides need the same key, how do you securely get that key to the other person in the first place? You cannot send it over an unencrypted channel — that defeats the purpose entirely. This is the key distribution problem, and it is why symmetric encryption alone is impractical for internet communication between strangers.
The most important algorithm: AES (Advanced Encryption Standard) — specifically AES-256. Adopted as a US federal standard in 2001. Used everywhere from WhatsApp to banking systems to government infrastructure. When something is AES-256 encrypted, the encryption itself is not the weak point. The implementation around it usually is.
- ✅ Fast — ideal for large data volumes
- ✅ Low computational cost
- ❌ Both sides must share the same key
- ❌ Key distribution is unsolved
- 📦 Used for: file encryption, database encryption, bulk data transfer
- ✅ Solves key distribution — no pre-shared secret needed
- ✅ Public key can be shared openly
- ❌ Slow — not suitable for bulk data
- ❌ Computationally expensive
- 📦 Used for: TLS handshake, email encryption, digital signatures
Asymmetric Encryption
Two keys. Public key encrypts. Private key decrypts. Slower and more computationally expensive — but it solves the key distribution problem that symmetric encryption cannot.
Where you see it: The TLS handshake that establishes every HTTPS connection, email encryption (PGP/GPG), digital signatures on software packages, certificate verification when your browser checks whether a website is who it claims to be.
The weakness: Speed. Asymmetric encryption is orders of magnitude slower than symmetric. You would not use it to encrypt a 10GB database. You use it to securely exchange a symmetric key — then hand the actual data transfer off to symmetric encryption.
The most important algorithms: RSA (2048-bit minimum, 4096-bit for sensitive applications) and ECC (Elliptic Curve Cryptography — achieves equivalent security to RSA with much smaller keys, making it well suited to mobile devices and environments where computing power is limited).
Why Both Exist
Not because one is better. Because they solve different problems. Symmetric is faster but requires a pre-shared secret. Asymmetric solves the secret-sharing problem but is too slow for bulk data. Every real-world secure system combines them — asymmetric to establish trust and exchange a session key, symmetric to transfer data from that point on.
This is not an either/or. It is always both.
The real-world pattern
TLS 1.3 — the protocol securing this page right now — uses asymmetric cryptography (X25519 key exchange) to agree on a session key in one round trip. It then uses symmetric encryption (AES-256-GCM) for every byte of data after that. Asymmetric to meet. Symmetric to talk.
Quick check — test your understanding
Your bank uses HTTPS. What does this tell you?
What does AES-256 mean in practice?
Why do secure connections use both symmetric and asymmetric encryption?
What Encryption Protects You From — and What It Doesn’t
✅ What Encryption Protects
❌ What Encryption Does NOT Protect
Encryption is a component — not a solution
It protects data in transit and at rest. It does not protect against compromised devices, social engineering, poor implementation, or metadata exposure. Anyone claiming their product is "secure because it uses encryption" is giving you one piece of a much larger picture.
2024
Year NIST finalised first post-quantum cryptographic standards
RSA + ECC
Algorithms at risk from quantum computers — currently used everywhere
10–15 yrs
Planning horizon for organisations with long-lived sensitive data
A Note on What’s Coming Next: Post-Quantum Cryptography
Current encryption standards — AES-256, RSA, ECC — are secure against every computer that exists today. But quantum computers, if they reach sufficient scale, would break RSA and ECC by solving the underlying mathematical problems in hours rather than centuries.
This is not a today problem. Practically useful quantum computers capable of breaking RSA-2048 do not yet exist. But the timeline is shortening. In 2024, NIST finalised its first post-quantum cryptographic standards — new algorithms specifically designed to resist attacks from both classical and quantum computers. Major technology companies and government agencies are already beginning migration planning.
For most readers, this requires no action today. For anyone responsible for systems with a long data sensitivity horizon — financial records, health data, legal records — post-quantum migration is already a legitimate risk management question worth understanding. The encryption you choose today for long-lived data may need to last well beyond the point where quantum threats become real.
This is a topic Threat Manifest will cover in more depth as standards and timelines mature. For now, the key point is that encryption is not static — it evolves as computing power and threats evolve alongside it.
Do you need to act now?
For personal use — no. AES-256 is quantum-resistant by design. For organisations storing data that must remain confidential for 10+ years — financial records, health data, legal documents — start asking your vendors about post-quantum migration roadmaps. The window to plan is open. The window to panic is not yet.
Where to Go From Here
Encryption is the foundation. Everything built on top of it — secure messaging, banking security, compliance frameworks, password managers — depends on getting this fundamental right.
Encryption requirements run through every major compliance framework on this site. SWIFT CSCF controls reference cryptographic requirements directly across multiple mandatory controls. PCI DSS v4.0 Requirement 4 mandates encrypted transmission of cardholder data. ISO 27001 Annex A.10 addresses cryptography as a dedicated control category.
If you are implementing encryption controls in a regulated environment and need assessment-level guidance, the consulting page explains how I work with banks and financial institutions on exactly this.
Implementing encryption controls in a regulated environment?
SWIFT CSP, PCI DSS, and ISO 27001 all mandate specific cryptographic configurations — and the gap between "we use AES-256" and a clean assessment finding is almost always in key management, protocol versions, and cipher suite configuration. I work with banks and financial institutions on exactly this. No commitment — response within 48 hours. Enquire at /consulting
Encryption is not magic. It is mathematics — well-understood, rigorously tested, and publicly scrutinised. The algorithm is rarely the problem. The implementation, the configuration, and the context around it almost always are. Understanding the difference is where real security knowledge begins.
External reference: NIST Cryptographic Standards and Guidelines — the authoritative source for encryption standards used globally, including the newly finalised post-quantum standards.
Encryption is a component, not a complete security solution. It protects data in transit and at rest, but it cannot compensate for compromised devices, weak configurations, or users being tricked into handing over secrets.
You open your laptop in a café and connect to the free Wi‑Fi. You browse to your bank’s website and see the padlock icon in the address bar.
Behind the scenes, your browser performs a TLS handshake with the bank’s server using asymmetric encryption to agree on a shared session key. Once that’s done, all of your traffic — including your username, password, and account data — is protected with fast symmetric encryption (typically AES-256).
An attacker on the same Wi‑Fi network can see that you’re talking to your bank and how much data you’re sending, but without the keys they can’t read the contents. If you were tricked into visiting a phishing site with a padlock, though, the connection would still be encrypted — you’d just be encrypting your credentials for the attacker instead of your bank.
“Anyone claiming their product is "secure because it uses encryption" is giving you one piece of a much larger picture.”
| Framework / Standard | Relevant Section | What It Expects Around Encryption | |
|---|---|---|---|
| SWIFT CSCF | Cryptographic controls | Multiple mandatory controls reference TLS and cipher requirements | → SWIFT CSP |
| PCI DSS v4.0 | Requirement 4 | Encrypted transmission of cardholder data across open, public networks | → PCI DSS |
| ISO 27001 | Annex A.10 | Cryptography — policy on use of cryptographic controls and key management | → ISO 27001 |
Yes. AES-256 is widely regarded as secure against all known practical attacks with today’s computing power. When you see AES-256 used correctly in modern protocols like TLS 1.2+ or TLS 1.3, the encryption itself is not the weak point — configuration, key management, and endpoint security usually are.
The padlock only means the connection between your browser and the site is encrypted using HTTPS. It does not guarantee that the site is legitimate or trustworthy. Phishing sites can and do use HTTPS. Treat the padlock as a sign that no one can eavesdrop easily on the connection, not as proof that the site is genuine.
Encryption is reversible: data is scrambled with a key and can be unscrambled with the correct key. Hashing is one-way: data is transformed into a fixed-length output that cannot feasibly be reversed. Passwords should be stored as salted, slow hashes (e.g. bcrypt, Argon2), not encrypted, so that even if a database is breached attackers cannot easily recover the original passwords.
No. Encryption protects data in transit and at rest, but once you unlock a device or open an app, the data is decrypted for you to use. Malware running on the device can usually read that decrypted data as well. That’s why endpoint security, patching, and cautious behaviour are just as important as strong encryption.
Quantum computers powerful enough to break widely used public-key algorithms like RSA-2048 do not exist yet, but research is progressing. Standards bodies such as NIST have already selected post-quantum algorithms to replace RSA and ECC over time. For most people, this is not an immediate concern, but systems that must protect data for decades should start planning for post-quantum migration.