Lesson 4 of 7

Symmetric Encryption: How AES Keeps Data Secret

Hashing proves integrity. Encryption proves secrecy. AES-256 is the current standard for symmetric encryption — here's what it actually does and where it falls short.


Symmetric encryption uses the same key to encrypt and decrypt. That distinguishes it from asymmetric (public-key) encryption, where the two operations use different keys. AES is the dominant symmetric cipher — it's in TLS, disk encryption, VPNs, file archivers, and most password managers.

What AES does

AES operates on 128-bit blocks of data. It takes a block and a key, runs it through 10, 12, or 14 rounds of mixing operations (depending on key size: 128, 192, or 256 bits), and produces an encrypted block the same size as the input. The operations — byte substitution, row shifting, column mixing, key addition — are individually simple. Their combination is what makes the output look completely random.

AES-256 (256-bit key, 14 rounds) has no known practical attack. The keyspace is 2²⁵⁶, which is not brute-forceable. If the cipher itself is your threat model, AES-256 is overkill. If anything breaks AES-256, you have bigger problems than your specific application.

Modes of operation

AES encrypts one 128-bit block at a time. For anything larger, you need a mode of operation — a scheme for chaining blocks together.

ECB (Electronic Codebook): the same block produces the same output. Never use this. It's the mode that makes the famous "encrypted Linux penguin" image — the shape is still visible because identical pixel blocks encrypt identically.

CBC (Cipher Block Chaining): each block is XORed with the previous ciphertext block before encryption, so identical plaintext blocks produce different ciphertext. Better, but still has vulnerabilities (BEAST, POODLE attacks) and requires padding.

GCM (Galois/Counter Mode): turns AES into a stream cipher and adds an authentication tag. The tag verifies the ciphertext hasn't been tampered with — GCM gives you both encryption and integrity in one pass. This is the current standard. Use AES-256-GCM for anything new.

The IV and why it matters

GCM requires an Initialisation Vector (IV) — a random value mixed in before encryption. Encrypt the same plaintext twice with the same key but different IVs and you get different ciphertext. This prevents the ECB problem.

Critical rule: never reuse an IV with the same key. If two messages are encrypted with the same key and same IV in GCM mode, an attacker who intercepts both can recover your key. The IV is not secret — it's stored alongside the ciphertext — but it must be unique per message.

The key problem

AES is secure. The weak link is usually the key. Human-chosen passwords have far less entropy than a 256-bit random key. If you derive an AES key from a password without a proper KDF (PBKDF2, Argon2), the effective keyspace shrinks to the size of your password's entropy. We covered this in the blog post on key derivation.

The AES tool on this site uses PBKDF2-SHA256 with 100,000 iterations and a random 16-byte salt to derive the key from your passphrase, and AES-256-GCM for the cipher. That's the correct pattern.
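The pattern described above, written out as an added example in Node.js (this is not the site's own tool code). The 12-byte IV, the 16-byte tag, and the `salt || iv || tag || ciphertext` layout are assumptions, since the lesson does not state them.

```javascript
// Added example: passphrase-based AES-256-GCM with Node's built-in crypto module.
const nodeCrypto = require('node:crypto');

// Parameters stated in the lesson: PBKDF2-SHA256, 100,000 iterations, 16-byte salt.
const ITERATIONS = 100000;
const SALT_LEN = 16;
const IV_LEN = 12;  // assumption: 96-bit IV
const TAG_LEN = 16; // assumption: full 128-bit authentication tag

function deriveKey(passphrase, salt) {
  // 32 bytes of output = a 256-bit AES key
  return nodeCrypto.pbkdf2Sync(passphrase, salt, ITERATIONS, 32, 'sha256');
}

// Returns salt || iv || tag || ciphertext (assumed layout, not the site's format).
function encrypt(passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN); // fresh for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

// Returns the plaintext string, or null when the authentication tag does not verify
// (wrong passphrase, modified ciphertext, or truncated input).
function decrypt(passphrase, blob) {
  const header = SALT_LEN + IV_LEN + TAG_LEN;
  if (blob.length < header) return null;
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, header);
  const ct = blob.subarray(header);
  const decipher = nodeCrypto.createDecipheriv(
    'aes-256-gcm', deriveKey(passphrase, salt), iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  try {
    // final() throws if the tag check fails, so no unauthenticated plaintext escapes
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}
```

The salt and IV travel in the clear next to the ciphertext; only the passphrase is secret.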
