VPNs are an essential tool in your arsenal if you’re looking to stay one step ahead of online surveillance, whether it’s from hackers, advertising agencies, or even just your ISP. The technical details behind how VPNs work aren’t immensely complex, but the marketing-speak providers use can sometimes become a bit over the top.
“Military-grade encryption” is one of the most common terms you’ll come across when reading about the best VPNs. It refers to encryption that meets the standards used by military and government agencies to secure sensitive information, and most of the time, the claim is correct.
However, we’re going to dig a little deeper into why it’s a misleading term, even if it’s technically true.
What do VPNs mean when they say “military-grade encryption”?
When VPN providers claim that a VPN uses “military-grade encryption”, it’s usually a euphemism for AES-256.
That’s the Advanced Encryption Standard using a 256-bit key. We’ll get into the technical details in a sec, but it’s the encryption algorithm used to protect classified US government information. It’s been the accepted federal standard since 2001, when the National Institute of Standards and Technology announced that they were phasing out the Data Encryption Standard in favor of AES.
So, what is AES? Simply put, it’s an encryption scheme that uses a secret key to transform your data into ciphertext that looks like random noise to anyone who doesn’t hold that key.
It’s a “symmetric” encryption scheme, so the same key used to encrypt your data is also used to decrypt it. The 256 refers to the bit length of the key used to encrypt and decrypt the data. Longer keys make a brute-force attack harder, so although 128-bit and 192-bit variants of AES also exist, AES-256 is the variant that’s considered “military grade” because it uses the longest key.
When a VPN encrypts your data, AES-256 is (usually) the cipher used to protect the internet traffic travelling back and forth between you and the VPN server. It’s computationally cheap compared to asymmetric encryption schemes (which use separate encryption and decryption keys), but there’s an issue with sending the symmetric key that powers AES-256 over an unencrypted connection.
An attacker could be listening in and snoop on the key as it’s being sent to start the encrypted connection, which is why AES is used in conjunction with asymmetric encryption like RSA.
RSA can be used to send encrypted information between two parties who have never met before without a third party being able to read the traffic, but it’s far more taxing on a computer’s processor than a symmetric algorithm.
So, to establish an AES encryption stream, the symmetric key is sent over using an asymmetric encryption protocol. Then, once the device on the other end also has the symmetric key, you can both communicate with each other using that “military-grade encryption” your VPN provider is so keen on highlighting.
Is military-grade encryption real?
To be blunt, “military-grade” is a buzzword. That’s not to say that AES-256 is insecure. It’s a rigorously vetted encryption algorithm legitimately used by military and government agencies to protect classified data.
It’s also used by banks, corporations, and just about any entity you can think of that handles private information on the internet.
What’s misleading here is that “military-grade” conjures up the image of secret or exclusive technology that’s reserved for government use. It’s not. It’s a publicly documented standard that anyone can get their hands on.
Any developer with even a surface-level knowledge of cryptography can implement AES-256 in their software, and that’s the point of the standard. You’re already using it because it’s built into your browser, and there are doubtless tons of other apps on your device that use it too.
So yes, technically, the encryption protecting your online banking login is the same class of algorithm that’s protecting classified communications at the Pentagon.
With that said, there’s a reason “military-grade” crops up in pretty much every VPN provider’s marketing fluff. If you’re not already familiar with the ins and outs of encryption protocols, being told that your connection is being protected with AES using a 256-bit key is probably meaningless to you.
Instead, being told your encryption uses “military grade” technology immediately conjures up the idea that it’s strong, proven, and trustworthy. All of these things are true and can immediately be understood, even if you don’t have the technical frame of reference to know why.
Do most VPN users need military-grade encryption?
If there’s anything counterproductive about the term “military-grade”, it’s that it implies a level of technology that the average person doesn’t need access to. That’s absolutely not the case. Your privacy is important, and using strong encryption to preserve it isn’t exclusive to super-spies and government bureaucrats.
When you use the internet, you generate a data trail across the sites and apps you use. This data is stored and sold to the highest bidder so they can build ad profiles on you, which are used to target you for advertising. As if that wasn’t bad enough, data breaches can put this data into the hands of hackers with far more nefarious goals.
You might think you have nothing to hide, but that’s not the point. Your sensitive data can be used to conduct phishing attacks against you or identity fraud by stitching together data points taken from the internet.
Think about your financial details, your health data, or your location history. Would you broadcast where you are every second of the day to total strangers or invite people off the street to look at your bank account?
The stakes are even higher if you’re a journalist or an activist, especially if you’re living in a jurisdiction where information freedom is suppressed by the current regime. In that case, strong encryption is essential.
Using a VPN that implements “military-grade” encryption is just the start. You’ll also need obfuscation to disguise the fact you’re using a VPN at all. Chaining multiple VPN servers together using multi-hop is also a good idea, so you’ve got an extra layer of protection in case your endpoint server is compromised.
Even if you’re not watching over your shoulder for government censors, using strong encryption is also pretty important if you’re using public Wi-Fi. While the chances of running into a hacker sitting on your local network at a coffee shop are much lower than some VPN providers would have you believe, it’s still important to make sure you’re protected on the off chance that it happens.
Put simply, if you’re not using a VPN with strong encryption, you may as well not be using a VPN at all. AES-256 isn’t the only trustworthy encryption scheme out there, but it’s one of the most widely used.
If you’re using a VPN that offers WireGuard as a VPN protocol alongside OpenVPN (which usually uses AES-256), you’ll see that you’re protected by ChaCha20 instead. While it’s not a NIST standard, ChaCha20 has been thoroughly audited and is widely considered to be secure.
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.