A virtual private network is a service that lets you connect to servers anywhere in the world, letting you pretend you're somewhere you're not and securing your connection in the process. How does VPN encryption work, though? Here's how it keeps your connection secure.

VPN Protocols

To understand VPN encryption, we first need to go over VPN protocols. These are programs that govern how a VPN talks to other entities on the network, like servers or sites---it uses the term "protocol" in the same meaning as "a set of rules."

There are several protocols you can choose from, including some developed by VPN providers themselves like NordVPN's Nordlynx or ExpressVPN's Lightway. The most reliable ones that aren't tied to a particular VPN are probably the tried-and-true OpenVPN and relative newcomer WireGuard.

The choice of protocol determines a number of things: for example, WireGuard is a lot faster than most other protocols, while OpenVPN is considered among the most secure. This is due to a number of factors, but in this case, it's interesting since protocol also determines what type of encryption you can use on your VPN tunnel.

The Basics of Encryption

When you encrypt information, it is turned into gibberish by using an algorithm that usually scrambles the information more than once. For example, when you were a kid you probably created a secret message by substituting the letters of the alphabet for numbers, so your friend Al's name became 1-12.

An algorithm does this, but takes it a few thousand steps further, substituting letters with symbols which are then substituted again and again and again. The only way to unlock this mess and make it readable again is to use a so-called key.

In this case, a "key" is a piece of data that can unlock encrypted information. It's tempting to think of it as a password, but it's more than that: it's usually a long string of letters, numbers, and symbols that show to the algorithm that you're authorized to decrypt the information.

Symmetric Encryption

With the information itself secure, there is, of course, the question of what you do with the key, as that is any encryption's weakness: if you have the key, you can unlock whatever it is that it is protecting. The most basic way of handling keys is symmetric encryption, also known as shared key encryption. In the case of you and your buddy Al from earlier, you simply told Al how the system worked, meaning you both held the key, obvious as it was.

In more complex systems, symmetric encryption works more or less the same way: the key that's used to encrypt information is held by both parties. In the case of a VPN, your app or client encrypts your data with a key that is also held by the VPN server you connected to, so it can simply decrypt the information as it comes in.

AES and Blowfish

The most common types of symmetric encryption, called ciphers, are Advanced Encryption Standard (AES) and Blowfish. AES was developed by the U.S. government and is the military-grade encryption so many companies like to boast of. Blowfish was developed as an open-source cipher, but there is a lot of discussion on how secure it is.

No matter which one you use, its strength depends a lot on how many bits it has, essentially how long the code snippet is that serves as the key. The longer the better, so AES-256 (so 256 bits) is more secure than AES-128. AES-256 is probably the most common and also secure variant, so we recommend you stick with that in most cases.

Transmitting Keys

Of course, there is an obvious flaw in all the above: if both parties in the exchange both have the unsecured key, a savvy operator could intercept the key somehow and then decrypt the information for themselves. There are several ways to do this, like impersonating an in-between network node or other forms of interception.

To prevent this from happening, you need to somehow encrypt the shared keys being sent. Now, you could do so by using even more shared keys, but that would just add a step for anybody listening in. Much better, instead, to introduce a new kind of cipher, using public key encryption.

"Public key" is a confusing term, because "public" and "secure" are pretty much antonyms. However, the public key is only half of the equation. Where in a shared key system, both sender and receiver have the same keys, in a public key system, only the sender's half is public, while the receiver's is secret and known only to them.

This is actually an ingenious way of fixing the issue: while the actual data is sent with shared keys, which are secret but easy to intercept, you transmit the keys themselves using an open system that is protected on the receiver's end. This way, data can be transmitted more or less freely but safe from interference or snooping.

Transport Layer Security

The way public key distribution and checking works is through certification, basically having a third party ascertain for you that the key being sent is bonafide. The most common way to do this is using the Transport Security Layer protocol, a way in which computers talk to each other securely on the web.

TLS is used in all kinds of applications: often when you sign into a website or other service, your password is double-checked through TLS. TLS itself also uses encryption to secure information, often using a simpler encryption cipher called RSA.

RSA chains are a lot longer (usually in the 1024-bit range or even longer) than those used by AES or Blowfish, but since it doesn't scramble information many times over, it's not considered as secure. As such, it's better used for sending keys over the web as it decrypts quicker since it's simpler, but it's probably best not used for the actual VPN traffic.

Making a Hash of It

On top of RSA, TLS has one more trick up its sleeve, namely hashing. In this case, hashing is an extra form of checking that a retrieval request for a shared key is legitimate. It works as a failsafe in case an attacker figures out how to fake a certificate.

There are several types of hashing algorithms: the most commonly used is SHA, more specifically SHA-2. However, there are several subtypes of this cipher, so you'll often come across nomenclature like SHA-256 or SHA-512.

Since the hashing step is a form of double-checking if everything is okay before moving to decryption, not every VPN will use it. However, most protocols do allow for it, and many providers will tell you proudly that they use it.

Layers Upon Layers

The end result is a soup of hashes, algorithms, and keys that probably make the mind boggle, but the upshot is that a good VPN will protect yourself a few times over: first, the actual connection is encrypted with AES or Blowfish, and then the keys that unlock this encryption are protected again, often more than once.

All the best VPNs out there follow this blueprint, and we recommend you double-check that the VPN of your choice does so, too. Often enough, VPNs will offer this information in their promotional materials so you can see for yourself how it works.