What Is Data Encryption and How Does it Work?

Written by Ivan Belcic
Published on June 10, 2020

What is data encryption?

Data encryption is a system that encodes your data so other people can’t read it. Consider this:

Xibu jt ebub fodszqujpo? No, that’s not a massive typo — that’s the phrase “What is data encryption?” encrypted with a simple Caesar cipher, or shift cipher. Each letter is replaced by the letter that follows it in the alphabet, so when you see the encrypted phrase, it’s just gibberish. You can’t decrypt it if you don’t know the encryption system.


    Data encryption works along the same lines, but with far more complex encryption systems. These transform regular data, stored as plaintext, into what’s known as “ciphertext” — a seemingly nonsensical string of letters, numbers, and symbols. You can only unscramble the data, or decrypt it, with a specific decryption key.

    Why use data encryption?

    Data encryption is all about protecting your personal information from anyone who’d like to get their hands on it. This idea stems from humanity’s long history of encoded communications, the use and study of which is known as cryptography. Some of these encryption systems, such as the writing used in the Renaissance-era Voynich manuscript, still remain uncracked, even with the aid of modern computing.

    So why is data encryption important? In short, using encryption protects your personal data. You can use data encryption to safeguard yourself against a multitude of online threats, including identity theft, hacking, and fraud.

    Many businesses also use encryption algorithms in network security to defend against spyware and other malware. Anyone who manages to obtain encrypted data won’t be able to read it — preventing hackers from gaining access to business secrets. That means data encryption also protects against certain strains of ransomware that hijack data and threaten to publish it unless a ransom is paid.

    How can encryption be used to protect information?

    Did you know that you’re benefiting from data encryption nearly every time you use the internet? Here are a few uses of encryption that you may encounter in your daily online life:

    HTTPS encryption

    Many modern websites feature HTTPS encryption — you’ll know because the URL begins with https, or because your browser shows you a little padlock icon in the address bar. Check your address bar now, and you’ll see these indicators here on our site. AVG Signal’s looking out for you.

    HTTPS encryption protects your internet traffic while it travels between your device and the website you’re using, preventing anyone from either listening in or altering the data while it’s in transit. You should never divulge any sensitive personal data, such as credit card numbers, while on an unsecured website with plain old HTTP. If you don’t know how secure a certain site is, it’s always best to do a quick website safety check before entering any personal information.

    Email encryption

    Gmail and Outlook — two of the most widely used email platforms — encrypt all emails by default. The encryption they provide should be sufficient for the average email user, but there are more secure options available. Both Gmail and Outlook offer upgraded encryption with premium accounts, and ProtonMail is a securely encrypted email service that anyone can use. Beyond encryption, there are more ways to secure your email account.

    Secure messaging apps

    Many messaging apps also protect users with data encryption. Signal and Wickr are two popular options providing end-to-end encryption: the data is encrypted all the way from the sender to the receiver.


    If you’ve dabbled at all in cryptocurrencies such as Bitcoin (BTC) or Ethereum (ETH), you’ve also enjoyed the protections of data encryption — though if you’re savvy enough to be using these, you probably already knew that. Cryptocurrencies protect their users by encrypting transactions and storing them in a shared historical record known as the “blockchain.” Once a transaction joins the blockchain, it can’t be reversed or forged.


    VPNs are a popular solution for data encryption — you can even download a VPN on your mobile phone for encryption on the go. If you’re on an unsecured public Wi-Fi network, a VPN is an ideal solution for keeping your data safe. We’ll explore VPNs in more detail later in this piece, but for now, think of them as on-demand data encryption that’s both convenient and secure.

    How does data encryption work?

    Data encryption revolves around two essential elements: the algorithm and the key.

    • The algorithm is the set of rules that determine how the encryption works. The Caesar cipher algorithm we used earlier in this article substitutes each letter with another letter that sits a fixed distance away from it in the alphabet.

    • The key determines the encryption implementation. Keys are randomly generated and combined with the algorithm to encrypt and decrypt data. In our Caesar cipher, we used a key of +1. A is replaced by B, B is replaced by C, and so on. In data encryption, keys are defined by their length in bits.

    The algorithm and the keys it generates both contribute to the overall security of the encryption method. Key length is one factor in encryption security, but it’s not an exclusive determinant — the mathematical systems behind the algorithm influence encryption security as well. Some algorithms with shorter keys may have equivalent or greater security when compared to other algorithms with longer keys.

    Cryptographic keys

    Modern cryptography algorithms generate new data encryption keys for each use, so that two users of the same algorithm can’t decrypt each other’s communications. Symmetric-key algorithms use the same key for encrypting and decrypting, while public-key algorithms (also known as asymmetric-key algorithms) have separate keys for each process:

    • In a symmetric-key algorithm, the encrypting and decrypting parties all share the same key. Everyone who needs to receive the encrypted data will have the same key as everyone else. It’s a simpler system but with greater risk, as it takes just one leak to expose the data being transmitted by all involved parties.

    Symmetric algorithms share the same key between encryption and decryption.

    • Symmetric encryption uses either stream ciphers or block ciphers to encrypt plaintext data.

      • Stream ciphers encrypt data on a per-byte basis. Each byte is encrypted individually. It’s a complex system that uses a different key for each byte, but reversal is relatively easy.

      • Block ciphers encrypt data in blocks of 64 bits (8 bytes) or larger. Reversing block cipher encryption is much harder than with stream cipher encryption.

    • Our Caesar cipher example is a symmetric-key algorithm, since you can encrypt and decrypt a message using the same key: the amount of letters in the shift from plaintext to ciphertext and back.

    • A public-key algorithm is more secure than its symmetric-key counterpart. The public key is widely available for anyone to use in sending communications, but there’s a second key — the private key — that’s needed to decrypt the message. The algorithm creates both keys at once, and only these two exact keys can work together.

    Public-key or asymmetric algorithms use different keys for encryption and decryption.

    • So how does data encryption protect data? Without the decryption key, you can’t unscramble the data — unless you’re willing to invest a lot of time and effort into other means of breaking the encryption. We’ll dive into what those measures look like towards the end of this piece.
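The Caesar cipher from the sections above, as an added example that is not part of the original article: one algorithm (`shift_text`) driven by a small integer key, with the same key used to encrypt and decrypt. Because only 25 useful keys exist, trying every one recovers the message, which is why real ciphers use keys measured in hundreds of bits. The function names and the short word list are assumptions made for this example.

```python
"""Caesar (shift) cipher: a fixed algorithm plus a small integer key."""
import math
import string

ALPHABET_SIZE = 26


def shift_text(text: str, key: int) -> str:
    """The algorithm: move each ASCII letter `key` places, wrapping at Z.

    Case is preserved; spaces, digits and punctuation pass through unchanged.
    """
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            base = ord("a")
        elif ch in string.ascii_uppercase:
            base = ord("A")
        else:
            out.append(ch)
            continue
        out.append(chr((ord(ch) - base + key) % ALPHABET_SIZE + base))
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return shift_text(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    # Symmetric: the same key undoes the shift, applied in reverse.
    return shift_text(ciphertext, -key)


def all_decryptions(ciphertext: str) -> dict:
    """Decrypt under every useful key. A shift of 0 or 26 changes nothing,
    so the entire key space is the 25 shifts from 1 to 25."""
    return {key: decrypt(ciphertext, key) for key in range(1, ALPHABET_SIZE)}


# Constructed word list, just large enough to recognise English output.
COMMON_WORDS = {"the", "is", "what", "data", "and", "of", "to", "at", "me"}


def recover_key(ciphertext: str) -> int:
    """Return the shift whose decryption contains the most common words."""
    def score(text: str) -> int:
        letters_only = "".join(c if c.isalpha() else " " for c in text.lower())
        return sum(word in COMMON_WORDS for word in letters_only.split())

    candidates = all_decryptions(ciphertext)
    return max(candidates, key=lambda k: score(candidates[k]))


def keyspace_bits(number_of_keys: int) -> float:
    """Express a key space as an equivalent key length in bits."""
    return math.log2(number_of_keys)


if __name__ == "__main__":
    secret = encrypt("What is data encryption?", 1)
    print(secret)                      # the phrase from the top of the article
    print(decrypt(secret, 1))          # same key, original text back
    print("key found by trying all shifts:", recover_key(secret))
    print(f"Caesar key space: {keyspace_bits(25):.2f} bits")
    print(f"128-bit key space: {keyspace_bits(2 ** 128):.0f} bits")
```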

    What about hashing?

    Hashing is a process that uses an algorithm to convert plaintext into numerical values. Any website worth using will hash user credentials to protect them in the event of a data breach. If you encounter a website that still stores passwords as plaintext, run away and never look back.
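One way a site can store credentials as hashes rather than plaintext, as an added example that is not code from the article or from AVG. It uses PBKDF2-HMAC-SHA256 from Python's standard library with a random per-user salt; the record format, function names and iteration count are assumptions made for this example.

```python
"""Salted password hashing with PBKDF2-HMAC-SHA256 (standard library only)."""
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: tune to your own hardware and policy
SALT_BYTES = 16


def hash_password(password: str, *, iterations: int = ITERATIONS) -> str:
    """Return a record that is safe to store instead of the password.

    A fresh random salt per user means two people with the same password
    still get different records, so a stolen table cannot be matched
    against one precomputed list of hashes.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(stored: str):
    """Split a stored record; raises ValueError if it is malformed."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM or int(iterations) < 1:
        raise ValueError("unsupported record")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the login attempt and compare it."""
    try:
        iterations, salt, expected = _parse(stored)
    except ValueError:
        return False   # malformed or foreign record: reject, never crash
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with fewer iterations than current policy,
    so it can be upgraded the next time the user logs in successfully."""
    try:
        iterations, _, _ = _parse(stored)
    except ValueError:
        return True
    return iterations < ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))                   # False
```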

    Common encryption algorithms

    There’s not just one data encryption algorithm out there. Here, we look at several of the most common encryption algorithms and quickly break down how they work.

    Advanced Encryption Standard (AES)

    AES is a secure symmetric algorithm that’s easy to use, making it ideal for situations in which secrecy is important. Users can set the key length to 128, 192, or 256 bits, and AES supports block lengths of 128 bits for block cipher encryption.

    Rivest–Shamir–Adleman (RSA)

    Named for its three creators, RSA is one of the earliest public-key algorithms and still sees widespread use. RSA uses large prime numbers to create its keys, and compared to other systems, it’s rather slow. For this reason, RSA is most often used to share a symmetric key, which is used in turn to encrypt the actual data that needs protecting.

    Triple DES

    Triple DES (or TDES/3DES) is a symmetrical block-cipher algorithm that encrypts each block three times over using a 56-bit data encryption standard (DES) key. But what is the data encryption standard in the first place?

    DES is a pioneering encryption algorithm developed in the 1970s that was used as the US federal standard until being replaced in 2002 by AES. At the time, DES was strong enough to defend against contemporary threats. Even with its three layers of encryption, TDES is no longer considered reliably secure by modern standards.

    Perfect forward secrecy (PFS)

    PFS isn’t an algorithm, but a property that an encryption protocol can have. An encryption protocol is a system that defines how, when, and where an algorithm should be used in order to achieve encryption. When a protocol has PFS, it means that if the private key in a public-key algorithm becomes compromised, prior instances of encryption will still be protected. This is because PFS protocols create new keys for every encryption session.

    Because of the way PFS protects prior sessions from future attacks, it is a critical feature for the security of any encryption system. You’ll also see PFS referred to simply as “forward secrecy” or FS.

    Data at rest vs. data in transit

    The majority of the encryption conversation focuses on data in motion encryption, or how to protect data in transit — in other words, data that’s on its way from one place to another. When you encrypt your web traffic with a VPN, that’s data in transit encryption in action.

    But not all data is constantly in motion. Data that’s stored in one place is called “data at rest.” There’s plenty of data on your computer that isn’t going anywhere, but may be even more sensitive than anything you’d be communicating to other parties.

    It’s just as important to practice data at rest encryption, in case your device gets hacked or stolen. You can easily protect your local data by encrypting or password-protecting files and folders on your computer or external storage device.

    We’ll show you some encryption best practices for data at rest in the following sections, “How to encrypt your PC” and “Mobile data encryption.”

    Transparent data encryption (TDE)

    Introduced by Microsoft in 2008, transparent data encryption (TDE) protects databases by encrypting the files on the servers as well as any backups. Microsoft, IBM and Oracle use TDE to provide enterprises with SQL server database encryption.

    The encrypted files are automatically decrypted by any authorized applications or users when accessing the database. This is why it’s “transparent” — if you’re already allowed to access the data, you don’t need to do anything extra to see it. Think of TDE like an employee ID badge that grants entrance to a secure facility. If you have a badge, you can waltz right on in.

    As an additional security measure, TDE stores the encryption keys separately from the encrypted data files. This way, if the physical storage media or files are stolen, they’ll still be protected against unauthorized access. You can’t open the data files without the correct key.

    How to encrypt your PC

    Ready to protect the data on your PC against snoops and hackers? We’ll take you through three types of data encryption that you can use to protect your PC.

    File encryption

    If you only need to protect a few sensitive items, consider file encryption. This method encrypts individual files, so it’s best for cases where you don’t have too much encrypting to do. For example, if you’ve created a document that contains your backup codes for a certain website or application, file encryption is a great way to safeguard that information.

    But what is file encryption, anyways? Simply put, it’s the act of scrambling a file so that it can’t be unscrambled without the correct decryption key. It’s the same thing as data encryption, just on a per-file basis. Here’s how to use encryption on your device with AVG Internet Security:

    AVG Internet Security’s Sensitive Data Shield scans your entire computer for files that you might want to secure, then protects these items from unauthorized access. It’s a good option for anyone using Windows 10 Home, since Microsoft hasn’t included any built-in tools there for file encryption. You’ll need to rely on third-party solutions if that’s your situation.

    Mac users are in more luck. Apple allows for file encryption within macOS by using the Disk Utility tool. You can encrypt folders by navigating to File > New Image > Image from Folder. Choose the folder to encrypt, select your encryption method, and hit Save.

    Encrypting a folder with Disk Utility in macOS Catalina

    Full-disk encryption (FDE)

    Rather than go from file to file, you can cut to the chase and encrypt your entire computer with FDE or whole-disk encryption. You can even combine both together for added security — even if someone gets through your FDE, they still won’t be able to access your encrypted files.

    Windows 10 Home allows for FDE, though not all PCs accommodate this feature. Open your Settings, click Update & Security, and if your device supports FDE, you’ll see Device encryption at the bottom of the left-side menu. Click it, and you can begin encrypting your PC. You’ll need to sign in with your Microsoft account in order to enable FDE, as Windows will save your recovery key on Microsoft’s cloud.

    Activating full-disk encryption in the Settings of Windows 10

    Users of Windows Professional, Enterprise, and Education can use the BitLocker tool for more secure encryption, and you’ll find it in the same place. But either way, that’s how to encrypt your PC!

    Mac users can also enable FDE on their machines with the FileVault tool. Open your System Preferences, then select Security & Privacy. From there, head to the FileVault tab and turn it on. It’ll take some time for FileVault to complete the encryption, but it’ll look like this when you’re done:

    Encrypting the hard disk with FileVault in macOS Catalina

    Network layer encryption

    This final method protects data in transit, but not locally on your device. If you need to encrypt all the traffic coming to and from your PC, network layer encryption will help. It’s one reason that many people choose to protect their privacy with VPNs. HTTPS provides another type of network layer encryption.

    With network layer encryption, you can send data securely across unsecured networks. But it’s just as important to ensure that the data is equally protected at its source and at its destination. If you haven’t encrypted your PC with one of the two above methods, any data you receive over an encrypted connection won’t be protected once it’s downloaded locally to your machine.

    AVG Secure VPN encrypts all the internet traffic on your device. With a VPN, all your online activities are covered — everything you’re doing in your web browser, but also your emails, games, anything you download, and any other apps you use.

    Mobile data encryption

    You’re probably already protecting your Android or iPhone with a PIN, passcode, pattern lock, or fingerprint/face lock — and that’s great. Security measures like these are essential in the fight against unauthorized access. But there’s another way you can safeguard the data on your mobile device: encryption.

    iCloud and Google Cloud both encrypt your data automatically, so you won’t need to handle the cloud data encryption yourself if you’re using these services. And just as you can configure FDE on your PC, you can also encrypt your phone. Should you lose your device, your encrypted data will be safe. Both Android and iOS devices allow you to encrypt your device by default. Here’s how:

    iPad & iPhone data encryption

    As soon as you set up a passcode on your iOS device, your data is automatically encrypted. If you don’t have a passcode yet, perform the following procedure:

    1. Open your Settings and tap Passcode. Newer iPhones may instead say Touch ID & Passcode or Face ID & Passcode.

      Opening the Touch ID & Passcode settings in iOS 13.3.1 on an iPhone 6S

    2. Once here, follow the prompts to set up a passcode and any other security measures you’d like to include. After you’re done, your iOS device will be encrypted.

    Android data encryption

    The procedure for encrypting your Android device may vary depending on its manufacturer and Android version. Here’s how the process looks in Android 10 on a Google Pixel 2:

    1. Open your Settings, then tap Security.

      Opening the Security settings in Android 10 on a Google Pixel 2

    2. Scroll down and tap Encryption & credentials.

      Opening the Encryption & credentials settings from the Security settings of Android 10 on a Google Pixel 2

    3. Follow the prompts here to encrypt your device. When you’re done, confirm your phone’s Encrypted status.

      The Encryption & credentials settings in Android 10 on a Google Pixel 2

    Wireless encryption types

    Outside of the free public Wi-Fi you’ll get at your favorite cafe, most wireless connections feature encryption as well. Your home router is likely providing Wi-Fi data encryption, as is the network at your office or school. Anytime you need a password to log into a wireless network, you’re enjoying the benefits of internet encryption.

    Without encryption, other people on the same network might be able to eavesdrop on your connection and “sniff” your traffic. This is one of the chief dangers of using unsecured public Wi-Fi, and it’s why you should always encrypt your wireless connection with a VPN whenever you’re on a public network.

    Here, we explore the most common options for Wi-Fi data encryption on your home network. Not all devices support each type, so check to see what’s possible with your router.

    Wired Equivalent Privacy (WEP)

    WEP is an early form of wireless encryption that emerged in the late 1990s. It offers 64-bit or 128-bit encryption and is widely supported on most devices. It’s easy to configure, but comparatively weak next to newer forms of encryption. Still, if WEP is your only option, it’s better than no encryption at all.

    Wi-Fi Protected Access (WPA, WPA2, & WPA3)

    Created by the Wi-Fi Alliance to address WEP’s weaknesses, WPA is the current standard in Wi-Fi encryption. Now on its third incarnation, WPA offers an easy setup process with greater encryption as compared to WEP. The only downside is that it’s not a universal option on all devices.

    WPA3 was introduced in 2018, so if you’re using an older WPA-enabled device, you’ll likely see WPA or WPA2 as your options. All three will provide stronger protection than WEP.

    Wi-Fi Protected Setup (WPS)

    WPS was introduced to streamline the process of adding new devices to a WPA2 network. Your router might have a WPS button that you can press while adding a new device, or it’ll allow you to enter a PIN instead of your Wi-Fi password. While convenient, both of these options are less secure than your password.

    It’s much easier for a hacker to brute-force your WPS PIN than it is for them to crack your password. Push-button WPS is a little more secure, though it does allow for anyone with physical access to your router to connect to it. Either way, you’re safer when you disable WPS on your router and use your WPA2 password instead.

    By the way, if you’re still using the default password on your router, you should set up a strong, unique password right away.

    End-to-end vs. VPN encryption

    Most consumer-tier encryption for data in transit comes in two varieties: end-to-end encryption, or what you’ll get with a VPN. Let’s take a look at what separates them along with where you can expect to see each type.

    What is end-to-end encryption?

    End-to-end encryption is a data encryption technique that provides data protection from the point of origin all the way to the final destination. The data is encrypted by the sender and decrypted by the receiver, and at no point during its journey does any other party decrypt it. End-to-end encryption works by ensuring that no third parties have access to the data at any time.

    End-to-end encryption is becoming increasingly popular with many messaging services, including the privacy-focused Signal and Wickr as well as iMessage and WhatsApp. Facebook Messenger end-to-end encryption kicks in when you elect to initiate a Secret Conversation with someone else. It’s ideal for private conversations, since no one else can see what’s being said — not even the service provider.

    Governments are increasingly turning towards SMS and messaging apps as a means to augment their surveillance capabilities. The NSA has been caught mass-harvesting text messages, and cybersecurity researchers have suggested that the Chinese government routinely accesses WeChat messages sent on Tencent’s mega-popular messaging app. End-to-end encryption offers a way to avoid government spying.

    If you’re looking for Gmail end-to-end encryption, you’re out of luck, unless you’d like to consider third-party options like FlowCrypt. Though Google’s been talking about it for years, they’ve still yet to implement comprehensive end-to-end encryption on their popular email platform.

    How VPN encryption works

    Your other option for reliable internet encryption is to use a VPN. It won’t give you end-to-end encryption, but what a VPN will do is encrypt all the traffic flowing to and from your device.

    You’ll often see VPNs described as “a tunnel through the internet,” and that’s a good way to sum up how they work. When you connect to a VPN, you’re establishing an encrypted connection between your device and a VPN server.

    VPNs utilize a process known as “encapsulation” to create this connection. Data travels through the internet in little clumps, called “packets.” Encapsulation places your data packets inside other data packets to protect them from outside interference. This encapsulated data is then encrypted so that it can’t be accessed until it reaches the VPN server. When it gets there, the VPN server decrypts it and sends it wherever it’s meant to go — to a website, to an app’s server, and so on.

    Because the encryption lasts only from your device to the VPN server and back, VPNs do not provide end-to-end encryption. If you want to protect your data through its entire journey, make sure you’re only accessing HTTPS websites. The HTTPS encryption will protect your data after it leaves the VPN server.

    AVG Secure VPN protects your data with bank-grade encryption, insulating you against eavesdroppers and hackers.

    Different types of VPN encryption

    There’s a range of different protocols that VPNs can use to create your encrypted connection. Which is the fastest? Which is the easiest to use? Which is the most secure VPN protocol? Let’s take a look at the different types of VPNs with a detailed breakdown of several common VPN encryption protocols:

    What is PPTP?

    Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN protocols still in use today. As it’s been around since the days of Windows 95, it’s obsolete by contemporary security standards. Don’t use PPTP for anything other than hiding your IP address or changing your location on the internet.


    Pros

    • Fast

    • Easy to set up and use

    • Supported on most devices and platforms, especially older ones

    Cons

    • Insecure compared to newer options

    • Doesn’t support PFS

    • Easy to block with a firewall

    What is SSTP?

    Secure Socket Tunneling Protocol (SSTP) emerged with Windows Vista and is a protocol wholly created and owned by Microsoft. It connects via the same SSL/TLS channel as does HTTPS, which makes it very secure.


    Pros

    • Uses TCP port 443, so it’s difficult to block

    • Strong security: 256-bit AES encryption

    • Easy to configure and use with Windows

    Cons

    • Closed-source and owned by Microsoft, so it can’t be vetted for vulnerabilities

    • Not available on all platforms

    • Prone to connectivity issues if bandwidth is low

    What is L2TP/IPSec?

    L2TP/IPSec is a two-part tunneling method. Layer Two Tunneling Protocol (L2TP) is a progression from PPTP that creates a double-encapsulated connection, and Internet Protocol Security (IPSec) provides encryption. But is L2TP/IPSec secure? You’ll certainly enjoy more protections than with PPTP, but compared to OpenVPN, L2TP/IPSec security isn’t the strongest.


    Pros

    • Decently secure

    • Easy to configure and use

    • Supported on most platforms

    Cons

    • Allegedly compromised by the NSA

    • Double encapsulation can hinder speed

    • Can easily be blocked

    What is OpenVPN?

    OpenVPN is an open-source protocol and currently one of the most popular options available. It’s a flexible protocol that provides stability, speed, and security with SSL and TLS channels along with support for numerous VPN encryption algorithms. But as a result, it can be difficult to configure if you’re going for a manual setup.


    Pros

    • Open-source, so it can be independently tested

    • Fast, secure, stable, and flexible

    • Supports both UDP and TCP, so it’s difficult to block

    • Supports PFS

    Cons

    • Often requires additional software

    • Difficult to configure

    • Higher overhead (the portion of bandwidth used by the VPN protocol)

    What is IKEv2?

    The Internet Key Exchange version 2 (IKEv2) comes from Microsoft and Cisco and is based on IPSec — which is why you’ll often see it referred to as IKEv2/IPSec. It’s intended for use on mobile devices and allows users to maintain their VPN connection while switching from mobile data to Wi-Fi or vice-versa.


    Pros

    • Highly resilient connection

    • Ideal for mobile users

    • Very fast with low latency

    • Supports PFS

    Cons

    • May suffer from the same IPSec vulnerabilities as L2TP/IPSec

    • Limited platform support

    • Susceptible to blocking by firewalls

    Can encrypted data be hacked?

    The short answer is that yes, it can. The security issue boils down to how feasibly the algorithm can be cracked — how much time, how much computing power is needed, and how much all of that would cost. In theory, there’s no such thing as uncrackable, but in practice, it’s possible to get pretty close.

    For example, it might take a hacker multiple years in order to break through a single instance of 256-bit AES encryption. In the vast majority of cases, the extraordinary effort simply isn’t worth it. Deterrence is a major factor in strengthening data encryption.

    That’s why it’s so important to avoid weak cryptographic algorithms when considering data encryption. Stay away from MD5, SHA1, and any others that are obsolete by today’s standards. The National Institute of Standards and Technology (NIST) routinely deprecates any algorithms that fail to provide acceptable security. In this sense, deprecation means that there is some risk involved when using these algorithms.

    Why use encryption software?

    Protecting your data with professional encryption software means that you’re removing the guesswork from the equation. Rather than navigating the complexities of manual configuration, you’re instead securing your data with strong and reliable encryption that’s been expertly implemented.

    The best data encryption software is one that uses top-rated encryption algorithms and is built by a well regarded and trustworthy provider. Look for a security partner who is transparent about their product and has a readily available support team standing by. Do your homework and read user reviews to inform your decisions. Many products offer free trials, which can give you an idea of what the user experience is like.

    Encrypt your data securely and easily with a VPN

    When you’re online, a VPN is one of the best and easiest ways to protect your data. AVG Secure VPN lets you browse privately and securely anywhere you go with 256-bit AES encryption — which is especially important if you use unsecured public Wi-Fi. Stay anonymous online, hide your IP address, and let our military-grade encryption keep your data safe from prying eyes.
