Virtual private networks (VPNs) use encryption to protect your privacy. Find out about the three types of encryption that most VPN services use and why they need so many different encryption systems.


A VPN needs to block attempts by outsiders to intercept, read, alter, block, or substitute the contents of your internet connections. It does this by hiding all of the data and connection administration information that passes between your computer and the web servers with which it communicates. This is achieved by encryption.

There are many attack vectors that can break into your communications and so VPNs need to use three types of encryption. These are:

1. Symmetric encryption to protect data in transit
2. Public key encryption for data channel encryption key distribution
3. Hashing to confirm data integrity

In this guide, you will find out more about these three protection methods and how VPNs use them. The most secure system for VPN services is called OpenVPN. This is a library of functions that brings in whole protocols of security procedures when developers write VPN software. This system has the advantage of being open source so anyone can read the source code, which means that the producers of VPN software can’t slip in secret monitoring methods. This guide will focus on the encryption methods used for OpenVPN.

Symmetric Encryption

Symmetric encryption is the oldest category of cipher in the world. This is a code translation system that was first used in Roman times. Data is transformed by an algorithm. One variable in that algorithm is a factor that alters the outcome of the encryption. This is what is known as the “key.”

The identifying characteristic of a symmetric encryption cipher is that you need to have the same substitution mapping to encrypt text and decrypt the encoded message. This is why it is called “symmetric” – the same key is used by both sides. This type of cipher is also known as “shared key” or “shared secret” encryption.

Modern symmetric ciphers go far beyond a straightforward code shift system. One of the more complicated systems that these algorithms use involves grouping text into a series of grids. The contents of each grid get transformed by the key block, shifted, scrambled and swapped in many different ways, according to the specifications of that encryption system. This strategy is called a block cipher and includes the most frequently used symmetrical key encryption systems used by VPNs.

The most common VPN data encryption ciphers that you will encounter are:

  • AES
  • Blowfish

You can read a little more about these ciphers in the following section.


AES

The Advanced Encryption Standard was created by two Belgian cryptologists, Vincent Rijmen and Joan Daemen. The pair had created a cipher called Rijndael and they adapted this to form AES. The need for AES was identified by the US National Institute for Standards and Technology (NIST). The Institute was tasked with defining a secure encryption system that could be used by the US government and all of its agencies.

This cipher is trusted by governments worldwide and is probably the best encryption system to look for when you choose a VPN. Those who dislike AES generally distrust the system because it was specifically adapted in order to fit the US government’s requirements. Some suspect that the government ordered a secret backdoor into the cipher to enable government agencies to decrypt the secret communications of AES users. However, despite a number of secret service whistleblowing events in the past few years, there have been no revelations or evidence that this backdoor exists.

AES is a block cipher that breaks up streams of data into arrays of 128 bits, which is 16 bytes. The key can be 128, 192, or 256 bits long. Each block is a grid of four bytes by four bytes. The number of passes of transformations depends on the length of the key:

  • 128-bit key: 10 rounds
  • 192-bit key: 12 rounds
  • 256-bit key: 14 rounds

Each round of transformation involves one of four operations: transformation through a bitwise xor with the key, a substitution step, a row shift phase, and a column mixing function.

AES is used by all of the major VPN providers, including ExpressVPN, NordVPN, CyberGhost, IPVanish, PrivateVPN, Surfshark, VyprVPN, ZenMate, PureVPN, StrongVPN, VPNArea, SaferVPN, Ivacy, GooseVPN, Windscribe, and HideMyAss.


Blowfish

The fact that AES was commissioned by the US government makes some people nervous. Those who distrust the security offered by the Advanced Encryption Standard preferred to use Blowfish.

Blowfish is the default data encryption cipher in OpenVPN. However, AES is in there too and most VPNs choose AES over Blowfish.

Blowfish was implemented by VPN companies that wanted to provide an alternative to AES. The creator of the cipher, Bruce Schneier, intentionally didn’t patent the algorithm so that it could be free to use by anyone. This is one of the reasons that it was included in the free and open-source OpenVPN system.

This is a block cipher and it uses a smaller array than AES. It has a 64-bit block, which is half the size of the AES grid. This makes the system a lot weaker than AES. The Blowfish cipher had a niche as an anti-establishment alternative to AES. However, its small block size makes it vulnerable to attack. No major VPN service offers Blowfish. It was available from Buffer and PrivateInternetAccess, but both of those VPNs have now dropped Blowfish in favor of AES.

The creator of Blowfish, Bruce Schneier, also now warns the public against using Blowfish and recommends Twofish, which is its successor. However, none of the major VPN providers have followed this advice. Those who used Blowfish have replaced it with AES. This means that when you are looking for a VPN, you need to get one that uses AES because no serious VPN provider would use anything else to protect data transmissions.

Public key encryption

AES provides the strongest protection possible for your data transfers. So why would a VPN need to use any other type of encryption?

An obvious security flaw with symmetric encryption systems is that both sides in a data exchange need to have the same key. If your VPN client has a store of AES encryption keys, it would need to send one of them over to the chosen VPN server in order to commence communications. However, it is more efficient for VPN companies to originate the encryption keys from their servers. Still, the problem of getting that key to the client working on your device exposes the system to a security risk.

It doesn’t matter how strong a symmetric key encryption system is, if an interceptor can acquire that key, he can decrypt all messages encrypted by it. Protecting the distribution of keys is essential to ensure the efficacy of VPNs. Public key encryption provides the solution to the vulnerability of key transmission.

In public-key encryption systems, the key used to decrypt a message is different to the one used to encrypt it. The decryption key cannot be derived from the encryption key, so there is no risk in letting everyone have access to the encrypting key. This is how the encryption methodology gets its name. The encryption key is made public, while the corresponding decryption key is kept private.

VPNs use public-key encryption to protect the transfer of AES keys. The server uses the public key of the VPN client to encrypt the key and then sends it to the client. The client program on your computer then decrypts that message using its own private key.

The transfer of AES keys occurs at the point that you click on the Connect button in the VPN interface on your computer or phone. The first phase of the connection is session establishment, which includes a number of security routines before the AES key is sent. These routines are all packaged together in a system called Transport Layer Security.

Transport Layer Security

Transport Layer Security (TLS) provides an authentication system that strengthens the security of public-key distribution and blocks interceptors from masquerading as the true correspondent in a connection.

TLS is not only used by VPNs. It is widely used on the internet and is the key security feature that makes web pages secure. When you see https:// at the beginning of a web page’s address instead of http://, TLS is in operation.

The forerunner of TLS was called the Secure Socket Layer (SSL). This was developed in 1995 by Netscape Corporation, which was an early producer of web browsers. HTTPS with SSL was first made publicly available in 1995 and the replacement of SSL with TLS happened in 1999/2000 because of some security flaws that were discovered in SSL procedures.

Under TLS, a computer wishing to communicate with a server over the internet first gets that target’s public key. However, it doesn’t request that key from the server directly. Instead, the client queries a database held by a third-party company. This query returns a security certificate, which includes a number of identifying features about that target. It also includes the server’s public key.

The TLS method prevents an interceptor from masquerading as the intended correspondent. If the client sends a message to the server that is encrypted by the public key of that destination, an interceptor cannot decrypt the message and make a meaningful response. This phase is called a “challenge” and blocks a hacker strategy that is called a “man in the middle attack.”

One of the reasons that VPNs commonly use TLS is that the procedures needed to implement it are bundled into the OpenVPN library. OpenVPN includes another library of open source security features, called OpenSSL. Although the name of this package refers to SSL, it actually implements TLS. This use of the term SSL for TLS is very common in internet technology. Most networking specialists know that whenever anyone refers to SSL, they really mean TLS.


RSA

The dominant public key encryption cipher is called RSA. This name derives from the initials of its creators: Ron Rivest, Adi Shamir, and Leonard Adleman. This cipher predates SSL, HTTPS, and much of the internet by a long way – it was created in 1977.

The encryption system is based on a private key that consists of two prime numbers. The public key is very long and is related to those prime numbers in the private key. Typical public key lengths for RSA are 1024 bits, 2048 bits, and 4096 bits.

The encryption and decryption processes involve a straightforward calculation. There are no shifting or transposing phases and data is not rearranged into blocks as with the AES system. Despite being a simpler transformation, RSA is not very quick and so would slow down the transmission of data if it was used throughout the session. This, together with its integration into TLS, means that RSA is only used for session establishment procedures and not for the encryption of data by VPNs.

A few VPNs use RSA both for authentication and to protect the transmission of AES keys. This category of VPNs includes ZenMate.


Diffie-Hellman

This public key cipher was first published in 1976, which makes it slightly older than RSA. It is named after its creators, Whitfield Diffie and Martin Hellman. The procedures of this encryption system are similar to those of RSA.

Under this formula, each side in a connection has a private key and negotiations between the two sides generate a public key and a shared private key, which is known as a “shared secret.”

The Diffie-Hellman system is also built into TLS procedures and is part of the OpenSSL library that is included with OpenVPN, so a lot of VPNs use this system for the distribution of AES keys. HideMyAss uses the standard Diffie-Hellman, whereas the other major VPNs use a variant, called DHE.

Under Diffie-Hellman (DH), the server’s key contribution is written on a certificate and the client’s is generated randomly. This state is called “static-ephemeral,” with the server certificate value being static and the random contribution from the client termed “ephemeral.” With DHE, the key-value contributed by the server is also a random number and so this system is termed “ephemeral-ephemeral,” or Diffie-Hellman Ephemeral.

Hashing algorithms

The third encryption method used by VPNs is called hashing. When you look at VPN specifications, you will see the term “SHA” again and again. This is the hashing method that they use. This stands for “Secure Hash Algorithm.”

The purpose of this encryption method is to preserve the integrity of data in transit and to confirm that a message actually came from the supposed source. SHA is categorized as a “hash message authentication code” (HMAC).

SHA is part of TLS procedures and is included in the OpenSSL library used by VPNs. The hashing process doesn’t take place throughout a VPN connection. It is used as part of the certificate retrieval process to ensure that the certificate data has really been sent by the certifying authority and not by an interceptor. The faking of certificate data was the major flaw discovered in SSL that caused authorities to replace it with TLS. If an interceptor can send his own certificate in response to a VPN client’s request, he can reply with his own RSA public key and then specify the encryption key used for the entire session.

You will notice several different versions of SHA. These are called SHA-1, SHA-2, and SHA-3. SHA-1 has been found to have flaws. The problems with this system occur when it is used as part of HTTPS for many transactions during a secure session. The use of this algorithm by VPNs to just secure the delivery of certificate information is less vulnerable because it is a one-time usage and doesn’t give hackers enough time to break the security. However, the major VPNs avoid this system and favor SHA-2 and SHA-3. Of these, SHA-2 is the most widely used.

There are different types of SHA-2 that use different block sizes. A set of truncated versions also exists. These different sizes are identified by the name given to the SHA-2 versions, so you won’t see SHA-2 written on the specification for VPNs. Instead, the most common versions that you will see are SHA-256, SHA-384, and SHA-512.

Some examples of VPN SHA-2 usage are the use of SHA-256 by CyberGhost, PrivateVPN, VyprVPN, ZenMate, PureVPN, VPNArea, SaferVPN, and HideMyAss. The SHA-384 version is used by NordVPN and SHA-512 is used by ExpressVPN, IPVanish, Surfshark, StrongVPN, and Windscribe.
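The difference between a bare SHA-2 digest and a keyed HMAC built on the same hash, as an added example that is not part of the original article. It uses only Python's standard library; the key, the two messages and all function names are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed sample values: a key shared by both ends of the tunnel and
# one message that gets rewritten in transit.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
ORIGINAL = b"route 10.8.0.0 255.255.255.0"
TAMPERED = b"route 10.9.0.0 255.255.255.0"


def digest_sizes():
    """Output length in bits of the SHA-2 variants named in VPN specs."""
    return {name: hashlib.new(name).digest_size * 8
            for name in ("sha256", "sha384", "sha512")}


def bare_hash_tag(message):
    # Unkeyed: anyone who can change the message can recompute this value.
    return hashlib.sha256(message).digest()


def hmac_tag(key, message):
    # Keyed: producing a valid tag requires the shared key.
    return hmac.new(key, message, hashlib.sha256).digest()


def receiver_accepts_bare(message, tag):
    return hmac.compare_digest(bare_hash_tag(message), tag)


def receiver_accepts_hmac(key, message, tag):
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading bytes of a wrong tag happened to match.
    return hmac.compare_digest(hmac_tag(key, message), tag)


def tamper_outcomes():
    """What the receiver decides when the message is rewritten in transit."""
    # Bare hash: the digest can simply be recomputed over the new message.
    recomputed_digest = bare_hash_tag(TAMPERED)
    # HMAC: without the key, the only tag available is the one that was
    # computed over the original message.
    original_tag = hmac_tag(SHARED_KEY, ORIGINAL)
    return {
        "bare_hash_accepts_tampered":
            receiver_accepts_bare(TAMPERED, recomputed_digest),
        "hmac_accepts_tampered":
            receiver_accepts_hmac(SHARED_KEY, TAMPERED, original_tag),
        "hmac_accepts_original":
            receiver_accepts_hmac(SHARED_KEY, ORIGINAL, original_tag),
    }


if __name__ == "__main__":
    print(digest_sizes())
    print(tamper_outcomes())
```

A digest on its own only detects accidental corruption; it is the shared key inside the HMAC that ties a message to its sender.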

Encryption key length

As the RSA encryption process is single-phase, the RSA key needs to be a lot longer than that used for a typical AES implementation in order to keep it secure. Compared to the maximum strength 256-bit key for AES, an RSA key of 1024 bits seems excessively long. However, this RSA key length is no longer considered to be secure.

Most VPNs use an RSA key length of 2048 bits. In 2016, ExpressVPN upgraded its RSA encryption to use a 4096-bit key in response to reports that the Chinese authorities could crack the 1024-bit RSA key. CyberGhost followed suit. No reputable VPN now uses a 1024-bit key for RSA.

The different key sizes required by different encryption systems can be confusing. NIST came up with a categorization of ciphers, including their respective “security strengths.” A simplified version of Table 2 in NIST’s Recommendation for Key Management, Part 1 is shown below.

[table id=2 /]

These key length equivalencies should help you see the relative strength of the AES formula.

Although all of the major VPNs offer AES with a 256-bit key, some allow an option of shorter keys and others use shorter keys for their mobile apps and browser extensions. For example, NordVPN uses AES-256 for its Desktop apps, but AES-128 for its browser extension; PrivateVPN allows users to select either a 128-bit key or a 256-bit key for AES before turning the VPN service on.

PrivateVPN dashboard

As you saw in the section on AES above, a longer key involves more rounds of encryption. This extra work uses more processing power on your device, takes longer to execute, and will run down your battery faster on a mobile device. AES has never been cracked, even with the smallest key size of 128 bits. Some cryptanalysts argue that you can’t get more uncrackable than “uncrackable.” Therefore, AES with a 128-bit key is perfectly safe to use.

Block Cipher Modes

As you can see in the image of the PrivateVPN dashboard above, the VPN doesn’t just give you the option of selecting the key length for an AES connection, it has another variable, which is the block cipher mode. The two options shown in the PrivateVPN dashboard are CBC and GCM.

Cipher Block Chaining

CBC stands for Cipher Block Chaining. This methodology strengthens encryption by XORing (exclusive OR) each block with the previous block. This makes the encryption harder to crack, but it also slows down the encoding process because the processing of blocks cannot be performed in parallel. Although there are some vulnerabilities in this method, it is the most frequently used system for VPNs, simply because it has been around for a long time.

Galois/Counter Mode

GCM stands for Galois/Counter Mode. This is a more efficient system than CBC and it is newer. This system combines two transformation methodologies. Counter mode is a transformation exercise that uses a pseudorandom number to encrypt each block. The sequence of blocks is marked by a counter which gets included as a variable in the formula. This modifies the effects of the possibility that the pseudorandom generator could come up with the same number more than once during block processing. To avoid the dangers of numerical repetition, the counter is initialized at a different number for each session.

The Galois part of the name refers to the Galois field multiplication that is applied to each block. This just means that the field that the arithmetic is applied to contains a finite number of elements. That is, the block has a standard size and is not open-ended.

A big advantage of GCM is that it also includes a hashing algorithm, which is called Galois Message Authentication Code (GMAC). This removes the need for SHA. Another benefit that GCM has over CBC is that the processing of blocks can be performed in parallel, so a message can be encrypted much more quickly.
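The chaining step of CBC, and the reason a CBC tunnel needs a separate integrity check while GCM carries its own, as an added example that is not part of the original article. Python's standard library has no AES, so a small Feistel construction stands in for the block cipher; that stand-in, the key, the IV and the sample plaintext are all assumptions made for the demonstration.

```python
import hashlib
import hmac

BLOCK = 16  # bytes: the 128-bit block size the article gives for AES

# Constructed sample values. A real IV is random and new for every message.
KEY = bytes(range(32))
IV = bytes(range(100, 116))
PLAINTEXT = b"identical block!" * 2 + b"third block here"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Round function of the stand-in cipher: HMAC-SHA256 cut to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    """Stand-in 128-bit block cipher (4-round Feistel network). Not AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_encrypt(key, iv, plaintext):
    if len(plaintext) % BLOCK:
        raise ValueError("padding is left out; pass whole blocks")
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        # Chaining: XOR with the previous ciphertext block, then encrypt.
        # Block i needs the output of block i-1, so this loop is serial.
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, block), prev))
        prev = block
    return b"".join(out)


def chaining_hides_repeats():
    """(repeat visible without chaining, repeat visible with CBC)"""
    first, second = PLAINTEXT[:BLOCK], PLAINTEXT[BLOCK:2 * BLOCK]
    unchained = block_encrypt(KEY, first) == block_encrypt(KEY, second)
    ct = cbc_encrypt(KEY, IV, PLAINTEXT)
    return unchained, ct[:BLOCK] == ct[BLOCK:2 * BLOCK]


def decrypt_modified_ciphertext():
    """One bit of the second ciphertext block changes in transit."""
    ct = bytearray(cbc_encrypt(KEY, IV, PLAINTEXT))
    ct[BLOCK] ^= 0x01
    # No exception is raised: CBC on its own cannot tell anything changed.
    return cbc_decrypt(KEY, IV, bytes(ct))


if __name__ == "__main__":
    print(chaining_hides_repeats())
    print(decrypt_modified_ciphertext())
```

The modified ciphertext decrypts without error, with the second block garbled and the same bit changed in the third, which is why CBC is paired with an HMAC over the ciphertext while GCM rejects such a message through its GMAC tag.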

VPN encryption examples

Although PrivateVPN gives you a choice in the app on what key length and block cipher mode to use, most services just pick one combination and offer that as a standard service. Here are some examples of the strength and mode of encryption that you get with the major VPN providers:

  • ExpressVPN: AES-256-CBC
  • NordVPN: AES-256-CBC (for Windows, macOS, and Android)
  • NordVPN: AES-256-GCM (for macOS and iOS)
  • CyberGhost: AES-256-GCM
  • IPVanish: AES-256-CBC
  • Surfshark: AES-256-GCM
  • VyprVPN: AES-256-CBC

Apart from the type of encryption, the encryption mode, and the length of the key, you need to know about the length of time that a key is active to completely assess the security of a VPN service.

Perfect Forward Secrecy

The standard unauthorized decryption method used by hackers and government snoopers is called a “brute force attack.” This involves trying every possible combination of characters in the key until one works. There are faster systems to crack a cipher, but these usually rely on luck or some knowledge of the key.

An important method that prevents hackers from cracking encryption is to limit the time that the key is valid. Perfect Forward Secrecy is a strategy that limits the length of time that a key is active. Keys are never used for several connections across an organization. Keys are not even retained for reuse for the same devices. Each connection uses a new key. If you tend to log into a VPN server in one location, and then switch server, you will have one key for the first connection and then another for the next connection.

If you leave your VPN connected all of the time, then you will be using the same key for a long period. However, even long sessions are not nearly long enough for a hacker to crack very tough encryption, such as AES.
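The static-ephemeral and ephemeral-ephemeral exchanges from the Diffie-Hellman section, together with the per-connection keys described above, as an added example that is not part of the original article or of OpenVPN's code. The group parameters P and G, the SHA-256 key derivation and all function names are assumptions made for the demonstration.

```python
import hashlib
import secrets

# Demonstration group chosen for this example only: the prime 2**255 - 19
# with generator 2. It is far smaller than the 2048-bit-and-up groups used
# in practice and is not a vetted Diffie-Hellman group.
P = 2**255 - 19
G = 2


def keypair():
    private = secrets.randbelow(P - 3) + 2   # secret exponent in [2, P-2]
    return private, pow(G, private, P)       # (private, public contribution)


def session_key(own_private, peer_public):
    shared = pow(peer_public, own_private, P)   # the "shared secret"
    # Hash it down to 32 bytes, the length of an AES-256 key.
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def connect(server_pair):
    """One connection. Returns the values visible on the wire and the key."""
    client_private, client_public = keypair()   # client is always ephemeral
    server_private, server_public = server_pair
    key = session_key(client_private, server_public)
    if key != session_key(server_private, client_public):
        raise RuntimeError("the two sides derived different keys")
    return {"wire": (client_public, server_public), "key": key}


def sessions_opened_by_leak(ephemeral_server, connections=3):
    """Count recorded sessions whose key can be recomputed if the server's
    long-term private value is disclosed after the fact."""
    long_term = keypair()   # the contribution "written on a certificate"
    recorded = []
    for _ in range(connections):
        # DH: the server reuses its long-term pair for every connection.
        # DHE: the server draws a new pair per connection and discards it;
        # the long-term key then only authenticates the exchange.
        server_pair = keypair() if ephemeral_server else long_term
        recorded.append(connect(server_pair))
    leaked_private = long_term[0]
    return sum(
        session_key(leaked_private, s["wire"][0]) == s["key"] for s in recorded
    )


def keys_are_per_connection(ephemeral_server, connections=3):
    """True when every connection ended up with a different session key."""
    long_term = keypair()
    keys = {
        connect(keypair() if ephemeral_server else long_term)["key"]
        for _ in range(connections)
    }
    return len(keys) == connections


if __name__ == "__main__":
    print("static-ephemeral:", sessions_opened_by_leak(False), "of 3 opened")
    print("DHE:", sessions_opened_by_leak(True), "of 3 opened")
```

Both variants give every connection its own key, but only DHE keeps old sessions sealed once the server's long-term value is known, which is the property that forward secrecy names.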

Other VPN encryption methods

All of the premium VPNs use OpenVPN for their security strategy. However, there are other VPN protocols around and many VPNs offer these in addition to OpenVPN. Not all of these systems are presented in an app. In most cases, these additional systems are available to be set up manually within your device’s operating system’s settings.

The major alternatives to OpenVPN are:

  • PPTP
  • L2TP/IPsec
  • IKEv2/IPSec
  • SSTP

None of these alternatives to OpenVPN are recommended if you need top-level security and strong privacy. However, there are circumstances where these systems might match your VPN needs.


PPTP

The Point-to-Point Tunneling Protocol was the original VPN system. It was written by Microsoft and is integrated into all Windows operating systems. It takes almost no work for a VPN service to add on access to this protocol, although most of those companies don’t bother to write access to the operating system implementation into their apps. PPTP uses an encryption method called Microsoft Point-to-Point Encryption (MPPE) which can have a key of 40 bits, 56 bits or 128 bits. The authentication procedures of PPTP use another Microsoft-developed protocol, called MS CHAP v2, which is the Challenge-Handshake Authentication Protocol.

VyprVPN is one of the few VPN services that enables access to PPTP within its app. The encryption uses a 128-bit key and it is also available for manual set up. ExpressVPN also gives a PPTP option in its Windows app, also with a 128-bit key MPPE encryption. PPTP can also be set up manually with an ExpressVPN subscription. You can also access PPTP from the PrivateVPN app. CyberGhost, IPVanish, and PureVPN make PPTP available for manual set up.

PPTP is not secure. Even its creator, Microsoft, recommends that no one use this system anymore, and it created SSTP to replace it.


L2TP/IPsec

Like PPTP, the Layer 2 Tunneling Protocol (L2TP) is considered out of date and not really safe enough. Some VPN providers, such as NordVPN and Surfshark, refuse to include capabilities for these two VPN protocols in their services. By itself, L2TP doesn’t offer any encryption. This is usually provided by a system called IPsec. Both of these protocols are built into most operating systems.

A major security weakness of L2TP is the method that it uses for session establishment. This is based on a pre-shared key, which is easy to deduce.

IPSec operates at a lower networking layer than the more commonly encountered VPN protocols. Each packet transmission is regarded as an independent transaction, even though it may be only a part of a stream of packets in a session. This means that each packet has to be authenticated and it carries an authentication header (AH) on the front of an encapsulating security payload (ESP). It is the ESP that contains the original packet that is being transported.

L2TP can be slow, so it does not provide any delivery speed advantages over more secure protocols. Edward Snowden reported that the NSA can crack this VPN system, so it is better to avoid it. ExpressVPN (for Windows, iOS, and Mac), PrivateVPN, IPVanish, CyberGhost (Android and iOS), and VyprVPN make L2TP available in their apps and also for manual setup. You can install L2TP on your device manually if you have a subscription with PureVPN or IPVanish.


IKEv2/IPSec

IKEv2 is much more secure than L2TP and most VPN services are happy to provide access to it. The name stands for Internet Key Exchange. IKEv2 relies on IPsec for its security services and so is connectionless, with each packet treated as an individual transaction. Despite having the same underlying security methodology as L2TP, IKEv2 is considered secure and it is a practical alternative to OpenVPN for those accessing a VPN through a mobile device. This protocol requires less processing and it won’t run your battery down as quickly as OpenVPN implementations. Like OpenVPN, IKEv2 uses a system of security certificates for identity validation. It also uses Diffie-Hellman encryption to protect key exchange.

You can access IKEv2 through an app with ExpressVPN for iOS. IPVanish uses IKEv2 as its default protocol in its iOS app and the protocol is also available in its macOS and Windows apps. Surfshark makes IKEv2 available in its apps for Windows, Mac OS, iOS, and Android. NordVPN uses IKEv2 as the default protocol in its iOS and macOS apps and it can be set up manually on Windows and Android. PureVPN gives IKEv2 as a connection option in its Windows and iOS apps and it is available for manual setup on Android, Mac OS, and Blackberry. You can set up an IKEv2 connection manually with VyprVPN and PrivateVPN.


SSTP

The Secure Socket Tunneling Protocol is a very secure alternative to OpenVPN. It is the successor to PPTP and is also a proprietary system owned by Microsoft. The security for this protocol is provided by TLS, which is also used by OpenVPN for session establishment and is the security system at the heart of HTTPS. The only problem with this VPN protocol is that it is not open source. Microsoft has been caught out providing access to Skype calls and data to the NSA. So, security activists warn against using any encryption system that is controlled by Microsoft.

This VPN protocol can operate on Windows, Linux, and macOS – there isn’t an implementation for mobile devices. PureVPN makes SSTP available in its apps for Windows and Mac OS. StrongVPN offers SSTP in its Windows app.

VPN encryption choices

When you decide to subscribe to a VPN service, your best option is to focus your search on those that offer OpenVPN. This is by far the most secure protocol that you can use. If you access the internet often on mobile devices, look for services that also offer IKEv2 in those mobile apps to avoid running down your battery.

Image: Cryptography Encryption from Pixabay. Public domain.