
Encryption: How It Works and Why It Protects Everything

The mathematical process that makes private digital communication possible, and the standard every tool you use either meets or doesn't.

📖 The Basics

What It Is

Encryption is the foundational layer beneath most privacy and security tools. When Signal says your messages are private, when your browser shows a padlock, when a password manager says your vault is protected: they're typically communicating something about their encryption. Not all encryption is equal, and understanding what it does and doesn't do is what separates an educated decision from a marketing one.

How It Works

There are two fundamental types of encryption:

Symmetric Encryption

Uses the same key to encrypt and decrypt data. The analogy is a locked box: the sender locks it, the recipient unlocks it, and both use an identical key. It's fast and efficient, which makes it ideal for encrypting large amounts of data. The current standard is AES (Advanced Encryption Standard), most often with a 256-bit key (AES-256); AES-128 is also considered secure, and the key length is rarely the weak point. What matters more in practice is how AES is used: on its own it only provides confidentiality, so well-designed tools pair it with an authenticated mode such as AES-GCM, which also detects any tampering with the ciphertext. The real problem with symmetric encryption is key distribution: if you want to send someone an encrypted message, how do you get the key to them in the first place? Sending the key alongside the message defeats the purpose.

Asymmetric Encryption

This solves the key-distribution problem. Instead of one shared key, each party has a pair: a public key they share openly, and a private key they never share with anyone. Data encrypted with someone's public key can only be decrypted with their corresponding private key.

The analogy: imagine a mailbox with a slot in the front. Anyone can drop a letter through the slot (encrypt with the public key), but only the person with the physical key to the box can retrieve and read what's inside (decrypt with the private key). You can hand out copies of the slot design to everyone you know; it doesn't matter, because the slot doesn't help anyone get the letters out.

RSA is the most widely known asymmetric algorithm; RSA-2048 is the current minimum, and RSA-3072 or RSA-4096 is recommended where a key needs to stay in service for many years. ECC (Elliptic Curve Cryptography) is increasingly common and is what most modern protocols actually use: a 256-bit curve key (Curve25519 or P-256) gives security comparable to RSA-3072 with far less computation, making it well suited for mobile devices and performance-sensitive applications.

In practice, asymmetric and symmetric encryption are used together in what's called a hybrid scheme. Asymmetric operations are slow and can only handle small inputs, so they're used to agree on or deliver a fresh symmetric key, and the much faster symmetric cipher then protects the actual data. This is exactly how an HTTPS connection works: a key exchange at the start of the session, then AES (or ChaCha20) for everything after it.

The Common Terms You'll Hear About Most

Not all encryption is equal, and the difference between these terms has real consequences for what's actually protected.

Encrypted In Transit

This means data is encrypted while traveling between your device and a server. Think of an armored truck moving between two locations. HTTPS is the everyday example: the lock icon in your browser indicates that the connection to the site is encrypted and that the site presented a valid certificate for its domain name. What it does not mean: that the site itself is trustworthy, or that the data isn't readable once it arrives. The server decrypts it on arrival and can read everything, and a phishing site can have a perfectly valid padlock.

Encrypted At Rest

This means data is stored in encrypted form on a hard drive, a server, a database, etc. It protects against unauthorized access to the physical storage medium. If a company's server is breached but the data is encrypted at rest with keys the company controls, the stolen data may be unreadable to the attacker. However, the company still holds the decryption keys, and on a running system those keys are loaded and in use. If the company is compelled by law, breached in a more targeted way that reaches the live system rather than the raw disks, or chooses to access your data itself, the encryption doesn't prevent that.

Client-Side Encryption (CSE)

This is sometimes marketed as zero-knowledge encryption (not to be confused with zero-knowledge proofs, a different cryptographic concept). It means data is encrypted on your device before it ever reaches the provider's servers, so the provider holds only ciphertext and never a key that could be handed over under a court order or extracted in a breach. Many privacy-respecting storage and backup services implement this: Bitwarden, Proton Drive, Cryptee, and other tools encrypt your data locally before syncing it. The caveat: "client-side encryption" by itself doesn't say who controls the keys. Some implementations derive your key entirely from a password only you know, so the provider genuinely cannot recover your data (and neither can you, if you forget the password). Others add account recovery mechanisms that keep a copy of key material the provider can use, which reintroduces exactly the exposure the encryption was meant to remove. The label alone doesn't settle it; look for how the key is derived and whether recovery is possible without your password.

End-to-End Encryption (E2EE)

This takes client-side encryption into the communications context (messaging a friend) with a specific guarantee: only the sender and the recipient(s) hold the keys. The service provider in between relays ciphertext it cannot reverse, because it never possesses a key at any point. The difference from general CSE is architectural: in E2EE the two endpoints agree on a shared session key between themselves, typically by combining each party's own private key with the other's public key (a Diffie-Hellman exchange), so the provider forwarding those public keys learns nothing that lets it decrypt. The one thing a provider could still do is hand each side a substituted public key and sit in the middle, which is why E2EE messengers let you compare a key fingerprint (Signal calls it a safety number) with your contact out of band. This is the meaningful standard for private communications.
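To see why the provider learns nothing from relaying public keys, and why the fingerprint check matters, here is an added example (not Signal's code; Signal's protocol layers a great deal more on top of this) using the X25519 Diffie-Hellman function from Go's standard library. Two endpoints each combine their own private key with the other's public key and arrive at the same session key, while a relay holding only the public keys does not. The same code run with an impostor relay that swaps in its own key shows the failure mode: each side now shares a key with the relay instead of with each other, and the safety-number-style fingerprint each side would display no longer matches. The names (Endpoint, SessionKey, Fingerprint, Conversation) and the use of a plain SHA-256 in place of a proper key derivation function are simplifications made for this illustration.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Endpoint is one device in the conversation. Its private key is created
// here and never leaves; only the public key is handed to the relay.
type Endpoint struct {
	priv *ecdh.PrivateKey
}

func NewEndpoint() *Endpoint {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Endpoint{priv: priv}
}

// PublicKey is the 32 bytes the provider relays (and could tamper with).
func (e *Endpoint) PublicKey() []byte { return e.priv.PublicKey().Bytes() }

// SessionKey combines our private key with the peer's public key. Both
// endpoints compute the same value; anyone holding only public keys cannot.
// Hashing the raw shared secret stands in for a proper KDF here.
func (e *Endpoint) SessionKey(peerPublic []byte) ([32]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return [32]byte{}, err
	}
	shared, err := e.priv.ECDH(pub)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(shared), nil
}

// Fingerprint is what a safety number boils down to: a digest over both
// public keys, independent of order, that two people can compare out of band.
func Fingerprint(a, b []byte) string {
	if string(a) > string(b) {
		a, b = b, a
	}
	sum := sha256.Sum256(append(append([]byte{}, a...), b...))
	return hex.EncodeToString(sum[:8])
}

// Outcome records who ended up able to read the conversation.
type Outcome struct {
	EndpointsAgree    bool // Alice and Bob derived the same session key
	FingerprintsMatch bool // the safety numbers shown on their two screens are equal
	RelayReadsAlice   bool // the relay's key toward Alice equals Alice's session key
	RelayReadsBob     bool // the relay's key toward Bob equals Bob's session key
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Conversation runs the key agreement through a relay. With impostor=false
// the relay forwards each public key untouched. With impostor=true it hands
// each side its own public key instead; it would then decrypt and re-encrypt
// every message in the middle, so messaging still appears to work.
func Conversation(impostor bool) Outcome {
	alice, bob, relay := NewEndpoint(), NewEndpoint(), NewEndpoint()
	toAlice, toBob := bob.PublicKey(), alice.PublicKey() // what each side receives
	if impostor {
		toAlice, toBob = relay.PublicKey(), relay.PublicKey()
	}
	aliceKey := must(alice.SessionKey(toAlice))
	bobKey := must(bob.SessionKey(toBob))
	return Outcome{
		EndpointsAgree:    aliceKey == bobKey,
		FingerprintsMatch: Fingerprint(alice.PublicKey(), toAlice) == Fingerprint(bob.PublicKey(), toBob),
		RelayReadsAlice:   must(relay.SessionKey(alice.PublicKey())) == aliceKey,
		RelayReadsBob:     must(relay.SessionKey(bob.PublicKey())) == bobKey,
	}
}

func main() {
	fmt.Printf("honest relay:   %+v\n", Conversation(false))
	fmt.Printf("impostor relay: %+v\n", Conversation(true))
}
```

The honest run gives EndpointsAgree and FingerprintsMatch true with both RelayReads flags false; the impostor run inverts all four. Nothing in the ciphertext itself would reveal the substitution to either user, which is the practical lesson: the provider's inability to read E2EE traffic rests on the public keys arriving unmodified, and comparing fingerprints is how you confirm that without trusting the relay.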

Device/Disk Encryption

This is when the contents of your phone or computer are encrypted so they're unreadable without your PIN or password: encryption at rest for your own devices. Modern phones encrypt their storage by default, and setting a passcode is what ties the key to something only you know. Laptops vary: Windows offers BitLocker (and, on many machines, a simpler Device Encryption that's on by default), macOS uses FileVault, and Linux distributions ask during install whether to enable LUKS. One detail worth checking: Windows backs up your BitLocker recovery key to your Microsoft account by default, and FileVault offers to let your iCloud account unlock the disk, which places a copy of the key with the vendor unless you choose otherwise. Device encryption protects you if the device is physically stolen or seized, because the raw storage is scrambled without your credential. It does not protect data once the device is unlocked and apps are running.


🎯 Why It Matters

In 2020, a cyclist in Gainesville, Florida named Zachary McCoy received a letter from Google's legal team. Police had submitted a geofence warrant, a demand requiring Google to identify every device near a specific location during a specific time window. A home had been burglarized; McCoy's route had taken him past that address multiple times, and Google Maps had been recording his location throughout.

McCoy wasn't hacked. Google's systems weren't breached. The problem was that his location data sat in Google's systems in a form Google could still read. Had his location data been stored in a way that Google's servers couldn't decrypt, there would have been nothing to hand over. Google likely stores this data encrypted at rest, but not with any kind of client-side encryption that would put someone like Zachary in control of their keys.

This is the core argument for encryption: when a service can read your data, so can anyone with the legal authority, or the leverage, to make them produce it. Encryption that the provider cannot break means a hacker has nothing useful to steal from the provider, as it's meaningless without a key only you hold. This puts you, rather than the provider, in control of who can read your data.

For communications, the stakes are similar. Standard SMS messages are not encrypted end-to-end. They pass through your carrier's systems in readable form and can be legally requested, subpoenaed, or in some cases intercepted without a warrant depending on jurisdiction. The content of a Signal message, by contrast, cannot be produced by Signal even if ordered to do so, not as a policy choice but as a technical fact.

One more thing worth saying plainly: there is an ongoing political effort by law enforcement and intelligence agencies in several countries to mandate "exceptional access" to encrypted systems, meaning a backdoor the good guys can use. The technical community's response has been consistent for decades: it cannot be done safely. A weakness built into an encryption system is a weakness for everyone, including criminals, foreign adversaries, and the very people the government claims to be protecting. There is no door that opens only for the right key. When you hear officials describe encryption as "going dark" or argue that privacy tools help criminals, what they're actually asking for is the ability to undermine a system that protects billions of people's financial records, health data, private communications, and personal safety. The fact that strong encryption exists and is in wide use is not a policy failure. It's one of the most important infrastructure wins in the history of the internet.

Encryption is what makes every core protection in this wiki provable rather than theoretical. A VPN without encryption would just be rerouting. A password manager without encryption would just be a list. All of these tools are, at their core, encryption applied to a specific problem. Understanding what encryption actually delivers gives you a reliable way to evaluate what a tool is providing when it claims to protect your privacy.


💡 Common Misconceptions

"Encryption is encryption."

There's a real difference between encryption in transit, encryption at rest, client-side encryption, and end-to-end encryption. Each one removes a different party from the trust chain. A service that advertises "encryption at rest" still holds the keys and can decrypt your data on demand. The vocabulary is similar, the guarantees are not.

"Encryption only matters if you have something to hide."

The Zachary McCoy story in the section above demonstrates how this falls apart. He had done nothing wrong, and still ended up under criminal suspicion because his location data sat on Google's servers. Encryption isn't about hiding wrongdoing, it's about reducing the number of parties who can access your data without your permission. Nobody expects a third party to listen in on your private conversations at the dinner table, so why should the internet be any different?

"Encryption requires advanced tools."

Most people already have access to genuinely strong encryption and haven't enabled it. Apple's Advanced Data Protection turns on E2EE for nearly all of iCloud with one toggle. Modern phones encrypt their storage the moment you set a passcode. Signal is free. macOS ships with FileVault ready to be enabled for disk encryption, and Microsoft does the same with BitLocker. Most of the work happens by turning on the encryption that's already available.

"If I can't migrate everything, there's no point."

You don't have to abandon Google Drive to start using an encrypted alternative. Having one safe space ready like a Proton Drive account, an encrypted notes app, or a Signal thread with the right people means that when something sensitive comes up, you already have somewhere to put the data. Set it up before you need it, and over time you can progressively use it more.

"Quantum computers will break all encryption anyway."

Powerful quantum computers could someday break the specific mathematical problems that today's most common public-key algorithms (RSA and elliptic-curve cryptography) rely on. Symmetric encryption such as AES-256 and modern hash functions are far less affected: a quantum computer roughly halves their effective strength, which AES-256 absorbs comfortably. For public-key cryptography the response is already underway. NIST finalized its first post-quantum cryptographic standards in 2024, and major platforms are actively migrating. Signal and iMessage have already integrated a post-quantum layer into their protocols. Proton Mail and Tuta Mail have also introduced post-quantum encryption. The realistic worry is "harvest now, decrypt later": traffic recorded today and decrypted once the hardware exists, which is why the migration is happening before such a machine is built. The threat is long-range, the defenses are being built, and unencrypted data offers zero protection against any adversary, so you might as well get yourself encrypted.


πŸ—£οΈ Henry's Take

End-to-end encryption isn't about distrusting the company you're using. It's about fighting the reality that even if you trust them, you also have to trust their third-party contractors, every engineer with database access, anyone who phishes one of those engineers, anyone who breaches the company's systems, and anyone with the legal authority to compel disclosure. You can fully trust the company and still want all of those other actors out of the equation. That's the actual benefit encryption can provide!

The most practical workflow for people who don't want to overhaul their digital life is quite simple. If you're in Apple's ecosystem, turn on Advanced Data Protection. That single toggle moves the encryption keys for nearly all of iCloud onto your devices, away from Apple. ADP currently doesn't cover Mail, Contacts, or Calendar, which is where Proton or Tuta closes the gap. Layer Signal on top for messages, and most people end up with ~80-90% of their digital life sitting behind encryption. None of this requires changing how you work day-to-day.

If you're outside of Apple's ecosystem, you'll need to hand-pick your favorite tools that can provide a similar amount of coverage. The last thing I'll say is don't try to be perfect about it. You don't have to abandon Google Drive to start using Proton Drive. Just have the encrypted alternative ready. When something genuinely sensitive comes up like a contract, a medical record, or a draft of something you don't want anyone else seeing, then your safe space is ready to go. Set up the safe spaces, and you'll find yourself reaching for them more and more.


✅ Henry's Picks

These are the encryption layers worth setting up for most people, in roughly the order they pay off.

  • Device encryption: Full-disk encryption on every device. Mobile devices do this automatically the moment you set a passcode.
  • Signal or another encrypted messenger: End-to-end encrypted messages and calls.
  • A password manager like Proton Pass, Bitwarden, or KeePassXC. Your vault should be encrypted with a key only you hold.
  • Apple Advanced Data Protection: If you're in the Apple ecosystem, turn it on. It moves iCloud encryption keys onto your devices. Still doesn't cover Mail, Contacts, or Calendar.
  • Proton or Tuta: Closes out the Mail, Contacts, and Calendar gap that ADP leaves. Either one, combined with ADP, gives most people end-to-end encryption across most of their digital life.
  • Cryptomator: Client-side encryption you can stack on top of any cloud service that doesn't offer E2EE. Useful for getting cheap commodity storage (Google Drive, Dropbox) with the privacy properties you actually want.
  • VeraCrypt: Encrypted volumes on local storage for cases where standard device encryption isn't enough. Also offers full system (whole-disk) encryption on Windows.

See the broader recommendation set at Techlore's SPA Tools.


🔗 Go Deeper

Techlore content:

  • Go Incognito v2, Lesson 5.4: Storage & Encryption

