Skip to content
Technology

What is AES-256 encryption, and why do VPNs use it?

AES-256 is the encryption standard that governments, banks and VPNs rely on to keep data secret. Here's what the numbers mean, why it's called 'military-grade', and how Veilock puts it to work.

By Veilock Team · Updated May 11, 2026

Quick answer

AES-256 is the Advanced Encryption Standard using a 256-bit key. It's a symmetric cipher chosen by the U.S. government (NIST) in 2001 and is trusted to protect classified information. A 256-bit key has 2^256 possible combinations — far more than the atoms in the observable universe — which makes brute-forcing it infeasible with any current or foreseeable computer. VPNs like Veilock use AES-256 in GCM mode, which encrypts your traffic and verifies it hasn't been tampered with in a single pass.

When a VPN promises “military-grade encryption,” the cipher it almost always means is AES-256. It’s the workhorse that keeps your traffic private as it crosses the open internet — the same standard used by banks, governments and messaging apps. But what do the numbers actually mean, and is the hype justified? Here’s the plain-English version.

What AES-256 actually is

AES stands for the Advanced Encryption Standard. It’s a symmetric cipher, which means the same secret key is used to both scramble (encrypt) and unscramble (decrypt) your data. The “256” refers to the length of that key: 256 bits.

AES was selected by the U.S. National Institute of Standards and Technology (NIST) in 2001 after a years-long public competition, and published as FIPS 197. It replaced the aging DES standard and quickly became the default cipher for securing everything from Wi-Fi to hard drives to VPN tunnels.

Technically, AES is a block cipher: it encrypts data in fixed 128-bit chunks, running each block through multiple rounds of substitution and shuffling. With a 256-bit key, it performs 14 rounds — each one thoroughly mixing the data so the output looks like random noise to anyone without the key.

Why the key length matters

The strength of AES comes down to how hard the key is to guess. A 256-bit key has 2^256 possible values. That number is almost impossible to picture, so here’s an analogy.

Imagine you had to find one specific grain of sand — but instead of searching a beach, you had to search a volume larger than the entire observable universe, packed solid with sand. Even that vastly understates it. There are roughly 2^256 combinations to try, which is more than the estimated number of atoms in the observable universe. No supercomputer, no cluster, and no realistic amount of time can brute-force that.

This is why security experts say attackers never bother attacking the AES math directly. They go after the weak links instead: a poorly chosen password, a bug in the software, or a device that’s already compromised. The cipher itself holds.

Why “military-grade” is accurate (for once)

Marketing loves the phrase “military-grade,” and it’s usually just noise. With AES-256, though, it’s literally true: the U.S. government approved AES for protecting classified information, including data classified up to TOP SECRET, when implemented correctly. The same cipher secures online banking, encrypted messengers and password managers.

So while “military-grade” is a marketing term, the underlying claim holds up. You’re using the exact cipher trusted by the people with the strongest incentives to keep secrets.

GCM: encryption and a tamper-proof seal

Veilock doesn’t just use AES-256 — it uses AES-256-GCM. The “GCM” part matters.

Older modes of AES (like CBC) only handle confidentiality: they scramble your data so it can’t be read, but they don’t tell you whether someone quietly altered it in transit. To catch tampering, you’d need to bolt on a separate integrity check.

GCM (Galois/Counter Mode) does both jobs at once. It’s an authenticated encryption mode, defined in NIST SP 800-38D, that encrypts your data and generates a cryptographic tag proving it wasn’t modified. Think of it as sealing a letter in an envelope and adding a wax seal that shatters if anyone opens it. If a single bit is flipped along the way, the receiving end rejects the packet.

GCM is also fast. Modern processors include dedicated AES-NI instructions that handle the heavy lifting in hardware, so encryption adds very little overhead. That’s why you can run AES-256-GCM on a laptop or phone and barely notice it.

How Veilock uses AES-256-GCM

Inside a VPN, encryption is only half the picture — you also need a secure way to agree on the key in the first place. Veilock handles this in two stages:

  1. The handshake. When you connect, your device and the Veilock server perform a key exchange, authenticating each other and generating a fresh, random AES key for the session. Because the key is negotiated per session and never reused, capturing one session tells an attacker nothing about the next.
  2. The transport. Once the key is set, every packet you send is wrapped in AES-256-GCM. Your ISP, the coffee-shop Wi-Fi, or anyone snooping the network sees only unreadable, tamper-evident ciphertext.

Different protocols pair with different ciphers — OpenVPN typically uses AES-256-GCM, while WireGuard uses the equally strong ChaCha20. Both are excellent; the choice mostly comes down to the protocol you’re running. Our VPN protocols explainer covers how they fit together.

Strong encryption also only counts if the provider isn’t undermining it elsewhere. A cipher can’t protect you if the VPN logs your activity, so Veilock pairs AES-256-GCM with a strict no-logs policy and leak-proof DNS-over-HTTPS resolution.

AES-256 vs ChaCha20: a quick note

You’ll sometimes see WireGuard-based connections use ChaCha20 instead of AES. This isn’t a downgrade. ChaCha20 is a modern stream cipher that’s just as secure as AES-256 and can actually be faster on devices without AES hardware acceleration (older phones, some routers). The rule of thumb: if your hardware has AES-NI, AES-256-GCM flies; if it doesn’t, ChaCha20 keeps things quick. Either way, your data is protected to the same standard.

The bottom line

AES-256 earns its reputation. A 256-bit key is beyond the reach of brute force, the cipher has survived decades of public scrutiny with no practical break, and in GCM mode it protects both the secrecy and the integrity of your traffic. When Veilock encrypts your connection with AES-256-GCM, it’s using the same proven standard that guards classified data and global banking — the difference between your traffic being private and being an open book. Pair it with a real no-logs policy, and encryption stops being a buzzword and starts being protection you can rely on.

AES-256-GCM vs older encryption approaches

FeatureAES-256-GCMAES-256-CBCNo encryption
Key length256-bit256-bitNone
ConfidentialityStrongStrongNone
Built-in tamper detectionYes (authenticated)No (needs separate MAC)No
Speed on modern hardwareVery fast (AES-NI)FastN/A
Used by VeilockYesLegacy onlyNever

Related reading

Frequently asked questions

Is AES-256 really unbreakable?

No cipher is provably unbreakable forever, but AES-256 has no known practical attack. Brute-forcing a 256-bit key would require testing roughly 2^256 combinations — a number so large that even every computer on Earth working together for billions of years wouldn't finish. In practice, attackers target weak passwords or software bugs, not the AES math itself.

Why is AES-256 called 'military-grade'?

Because it's the standard the U.S. government approved to protect classified data, including TOP SECRET information. The term 'military-grade' is marketing shorthand, but it's accurate in the sense that AES-256 is the same cipher trusted by militaries, banks and intelligence agencies worldwide.

What is the difference between AES-256 and AES-128?

The number refers to the key length in bits. AES-128 uses a 128-bit key and AES-256 uses a 256-bit key. Both are considered secure today, but AES-256 has a much larger key space and a bigger safety margin against future advances, including quantum computing, which is why it's preferred for high-security uses like VPNs.

Will quantum computers break AES-256?

Quantum computers threaten some encryption, but AES-256 is considered relatively resilient. Grover's algorithm could theoretically halve the effective key strength to roughly 128 bits — still far beyond practical brute force. AES-256 is widely regarded as one of the more quantum-resistant symmetric ciphers in use today.

Ready to reclaim the open internet?

Get started in minutes. Encrypted, no-logs, and built to beat censorship.