What Is Encryption? Symmetric, Asymmetric, and When to Use Each

Short answer

Encryption is the process of scrambling data with a mathematical algorithm and a key, so that only someone with the matching key can unscramble it. It protects messages in transit (HTTPS), data at rest (disk encryption), and authentication (password exchange). It's the backbone of digital privacy.

Encryption vs hashing — different problems

• Encryption is reversible — the whole point is that the right key gets the original data back.
• Hashing is one-way — SHA-256, bcrypt, MD5. You can't recover the input. Used for integrity and password storage.

If someone says "we encrypted your passwords," they probably mean hashed. See the SHA-256 vs bcrypt comparison.

Symmetric encryption — one shared key

Sender and receiver use the same secret key. The canonical algorithm is AES (Advanced Encryption Standard) at 128 or 256 bits. Symmetric encryption is fast — modern CPUs have hardware acceleration (AES-NI) that runs at gigabytes per second. The challenge is getting the shared key to both sides securely.

Asymmetric encryption — a public / private keypair

Each party has two mathematically-linked keys. Anything encrypted with the public key can only be decrypted with the private key (and vice versa for signing). No shared secret needed — you can publish the public key anywhere. The canonical algorithm is RSA; modern systems increasingly prefer ECC (elliptic curve cryptography) because keys are smaller at equivalent security.

Asymmetric encryption is slow by design — useful for exchanging a symmetric key, signing documents, and authenticating identities. Full comparison: AES vs RSA.

Real systems use both

HTTPS, SSH, and most secure protocols combine the two: asymmetric encryption establishes the connection and exchanges a random symmetric key, then symmetric encryption handles the actual data. You get the "no shared secret needed" benefit of asymmetric + the speed of symmetric.

Modes of operation

AES isn't a complete spec by itself — you pick a mode:

• GCM — the modern default. Provides encryption and integrity (authenticated encryption). Use this.
• CBC — older, needs a separate MAC for integrity. Vulnerable to padding oracle attacks if misused.
• ECB — never use. Identical blocks encrypt to identical output, leaking patterns.
• ChaCha20-Poly1305 — GCM alternative; faster on devices without AES hardware (mobile, IoT).

Key sizes — the "2026" defaults

• AES: 256 bits for most uses; 128 is still safe for almost everything
• RSA: 3072 or 4096 bits (2048 is being phased out)
• ECC: 256-bit curves (P-256, Ed25519) ≈ RSA-3072 strength

Common real uses

• HTTPS — every secure web connection
• WhatsApp / Signal end-to-end — asymmetric for initial key exchange, symmetric for messages
• Disk encryption — FileVault (macOS), BitLocker (Windows), LUKS (Linux)
• Password managers — vault encrypted under a key derived from your master password
• Git signing — commits signed with GPG keys to prove authorship
• Cryptocurrency — asymmetric keys are your wallet

Post-quantum

A large enough quantum computer would break RSA and ECC via Shor's algorithm. AES-256 would need its key length re-evaluated but remains fundamentally secure. NIST is standardizing post-quantum algorithms (ML-KEM, ML-DSA); migration is underway but not yet urgent — existing quantum computers can't run the attack at any useful scale.

Related tools

Generate cryptographically random keys and passwords with password generator. Compute hashes (one-way, different from encryption) with hash generator. Encrypted data is often transmitted in Base64 — decode with Base64.