The Comprehensive Guide to VPN Encryption Ciphers

October 14, 2019

VPNs were introduced more than 20 years ago and are a staple of modern security. Used by individuals and large organizations alike, they are as common as handheld devices. A VPN routes your traffic through an encrypted tunnel to a VPN server, so the sites you visit see the server’s IP address rather than your own. Knowing how a VPN works in general does not mean they all work equally well: they differ in speed, in features and, most importantly, in the strength of the cryptography they use.

Encryption ciphers are at the heart of VPN technology. Together with the handshake that sets up the tunnel, they determine how well the traffic inside it is protected. Each cipher offers a different trade-off between security and speed for secure, private browsing.

Though many of us know roughly how a VPN works, it is easy to get lost in the fine details, because the subject is genuinely complex. The confusion is reinforced by VPN providers that describe the encryption they use in misleading terms, and by the number of different encryption types a VPN can involve.

This is how it works: the VPN client encrypts your outgoing packets and sends them to the VPN server, which decrypts them and forwards them to their destination on the internet. Replies take the reverse path: the VPN server encrypts the received data and sends it back to the VPN client, which decrypts it for you. Note that the tunnel only covers the path between you and the VPN server; between the server and the destination site, your traffic is protected only by whatever the application itself uses, such as HTTPS.

What are VPN Encryption Ciphers
VPN encryption ciphers are the algorithms that perform the encryption and decryption. A cipher can have weaknesses that make it possible to recover the plaintext without the key, either in the algorithm itself or in how it is used (a key that is too short, or a block size small enough to attack). Choosing a well-analysed cipher with an adequately long key, and a mode of operation that also protects integrity, avoids this.

At the simplest level, encryption transforms readable data into ciphertext that looks random, so that only authorized parties can recover and understand it. A cipher is a well-defined series of steps that can be repeated; its operation depends on a piece of auxiliary information called a key. Without knowledge of the key, it is computationally infeasible to decrypt the resulting data. The substitution of letters and numbers in classical ciphers is the historical precursor; modern ciphers operate on bits and blocks of bytes.

The name of a VPN encryption cipher is normally accompanied by the length of its key. For example, Blowfish-128 is the Blowfish cipher with a 128-bit key. For symmetric ciphers, a 256-bit key is the current ‘gold standard’ (128 bits is still considered secure; asymmetric keys such as RSA need far more bits, 2048 or more, for a comparable security level). There are a few key concepts in the world of encryption:

Symmetric encryption

This is where the same key is used for both encryption and decryption, so both communicating parties must possess that key. Symmetric ciphers such as AES are fast, and they are what protect the actual traffic inside a VPN tunnel.

Asymmetric (public-key) encryption

Software creates a pair of keys, one public and one private. Anyone can use the public key to encrypt data or to verify a signature, but only the holder of the private key can decrypt that data or produce the signature. In a VPN, public-key cryptography is used during the handshake, to authenticate the server and to agree on the symmetric keys, not to encrypt the traffic itself.


Handshake encryption (RSA)

A “handshake” is the automatic exchange that takes place when two devices start communicating. In a VPN, it refers to how the VPN client and VPN server authenticate each other and establish the keys that will encrypt and decrypt the session’s traffic.

During the handshake (usually a TLS/SSL one), the client and server:

•  Agree on a protocol version and a cipher suite, that is, which cipher, mode and hash will protect the data.

•  Authenticate each other with the help of digital certificates, signed with RSA or ECDSA; the VPN server always proves its identity, and clients often do too.

•  Agree on the session keys. Modern handshakes do this with an ephemeral Diffie-Hellman exchange (DHE or ECDHE) rather than by encrypting a key under the server’s RSA key, because ephemeral exchanges give perfect forward secrecy: each session gets fresh keys that a later compromise of the server’s long-term key cannot recover.

A handshake that fails any of these steps, for example because the certificate does not match the expected server name, must abort rather than fall back to weaker settings; a client that silently downgrades is the classic weak point.


Secure Hash Algorithm (SHA)

SHA is a family of cryptographic hash functions, not a cipher, and it plays two roles in a VPN. First, it authenticates the data: an HMAC built on SHA-2 (SHA-256, SHA-384 or SHA-512) is attached to each packet, so anything modified in transit is detected and dropped. Second, it is used in the TLS handshake: a certificate’s signature is computed over a SHA-2 digest of its contents, which is how the client verifies that it is talking to the server it intended to reach. Without this, an attacker could re-route your traffic to their own server instead of your VPN provider’s. SHA-1 is deprecated for both uses; look for SHA-256 or better.


Encryption Ciphers

Here are the main types of encryption ciphers you will see VPN providers use:

The Blowfish Cipher – Blowfish is normally used with a 128-bit key, although its key can range from 32 to 448 bits. For many years it was the default cipher in OpenVPN (as BF-CBC); OpenVPN 2.4 and later negotiate AES-GCM instead when both ends support it. Blowfish has no known weakness in the algorithm itself, but its 64-bit block size is the problem: after roughly 2^32 blocks (about 32 GB of traffic under one key) block collisions become likely, and the SWEET32 attack exploits exactly this. It should only be chosen when AES is unavailable, and then with frequent rekeying.

The Twofish Cipher – Twofish is Blowfish’s successor and was one of the five AES finalists. The main difference is that Twofish has a 128-bit block size instead of Blowfish’s 64-bit one, which removes the birthday-attack problem, and it supports keys of up to 256 bits. Bruce Schneier, the creator of Blowfish, recommends Twofish over Blowfish.

The AES Cipher – AES (the Advanced Encryption Standard) has a 128-bit block and supports 128-bit, 192-bit and 256-bit keys. It is popular with VPN users because NIST standardized it (FIPS 197) and the U.S. government uses it to protect classified information; just as important in practice, most modern CPUs accelerate it in hardware (AES-NI), so it is also the fastest option. Prefer an authenticated mode such as AES-GCM, which protects integrity as well as confidentiality, over CBC with a separate HMAC.

The Camellia Cipher – Camellia is considered comparable to AES in strength: it has the same 128-bit block, supports 128-bit, 192-bit and 256-bit keys, and is standardized (ISO/IEC 18033-3, CRYPTREC, RFC 3713). It has simply received far less public cryptanalysis and has no widespread hardware acceleration, so AES tends to be picked over it.

The 3DES Cipher – Triple DES (3DES; also known as TDEA/Triple DEA) is the Data Encryption Standard (DES) applied three times. It is slower than Blowfish and supports only 56-bit, 112-bit and 168-bit keys (one, two or three distinct DES keys; even the 168-bit variant offers only about 112 bits of security). Like Blowfish, it has a 64-bit block size, making it susceptible to birthday attacks such as SWEET32. NIST has deprecated 3DES and disallows its use after 2023 (SP 800-131A Rev. 2), so it should not appear in any new deployment.

The MPPE Cipher – MPPE stands for Microsoft Point-to-Point Encryption, the encryption used by PPTP and dial-up connections. It is not a cipher of its own but a protocol built on the RC4 stream cipher with 40-bit, 56-bit or 128-bit keys. RC4 is broken, and the PPTP authentication it is paired with (MS-CHAPv2) can be cracked, so MPPE provides no meaningful protection today.

The RSA cipher is another algorithm used for secure online communications, but it is not in the list above because VPN providers use it in the handshake rather than for the traffic: public-key operations are far slower than a symmetric cipher, so RSA signs the handshake (or, in older designs, encrypts the session key) and AES or another symmetric cipher does the bulk work. A 1024-bit RSA key is no longer considered safe; security experts advise 2048-bit or 4096-bit keys instead, with 2048 bits regarded as adequate until about 2030 and 3072 bits or more beyond that.

While key length refers to the number of bits in the key, a cipher is the algorithm that actually carries out the encryption. The strength of a scheme depends on both: a 256-bit key is no help if the algorithm itself, its block size or its mode of operation is weak. A longer key generally means a little more work per block (AES-256 runs 14 rounds where AES-128 runs 10), which affects how fast data can be encrypted and decrypted; the cost is small with hardware acceleration but noticeable on low-powered devices. Commercial VPN providers must therefore balance security and usability when choosing an encryption scheme.

The types of encryption ciphers above should help to strengthen your understanding of what drives and secures your VPN connection. When choosing a VPN provider, these should be taken into consideration.


VPN Encryption Protocols

A VPN protocol is the set of rules two devices follow to establish and maintain a secure connection: the first is the VPN client, the second is the VPN server. It defines how the handshake runs, how packets are encapsulated and which ciphers may be used. VPN providers support several protocols; these are the most widely used:

•  PPTP – A relatively high-speed VPN protocol from the 1990s, but one with broken security: its MS-CHAPv2 authentication can be cracked and its MPPE/RC4 encryption is weak. It should not be used for anything you want kept private.

•  L2TP/IPsec – On its own, L2TP provides no encryption, which is why it is always paired with IPsec. Together they make a reasonably secure protocol, especially with the AES cipher, at the cost of double encapsulation that slows it down. There have been claims that the NSA has cracked or weakened it, but there is no public proof to back them up; in practice the more realistic risk is a provider that uses one pre-shared key for all customers, since anyone holding that key can set up a server that passes authentication.

•  IPsec – IPsec is a secure network-layer protocol suite used to encrypt and authenticate IP packets. It offers high security and operates below the application, so traffic is protected without the endpoint application being aware of it. In VPN technology, IPsec is paired with L2TP or, more commonly today, with IKEv2.

•  IKEv2 – IKEv2 is the key-exchange protocol of IPsec (hence IKEv2/IPsec). It is fast, stable and safe when a cipher like AES is used, and its MOBIKE extension lets a connection survive a change of network, which is why it works so well on mobile devices. Still, IKEv2 offers many configuration options, and an inexperienced VPN provider can make mistakes (weak DH groups, overly permissive proposals) that result in security problems.

•  OpenVPN – An open-source protocol that runs its control channel over TLS and its data channel over UDP or TCP. It is very secure and highly configurable, which is also its weakness: the strength of an OpenVPN setup depends entirely on the directives chosen. Its only other downside is that strong ciphers on slow hardware can reduce connection speeds.

•  SoftEther – A newer open-source protocol (open-sourced in 2014) that tunnels over SSL/TLS on port 443. It has quickly become popular with VPN users because it is secure, stable and surprisingly fast.

•  SSTP – This Microsoft protocol is often compared to OpenVPN: it tunnels over SSL/TLS on TCP port 443 (the HTTPS port), which lets it pass censorship and restrictive firewalls. It is less popular than OpenVPN because it is proprietary rather than open-source, and because running everything over TCP makes it slower on lossy links.

•  WireGuard – WireGuard is a new, open-source VPN protocol. It uses a single fixed cryptographic suite (ChaCha20-Poly1305 for encryption, Curve25519 for key exchange, BLAKE2s for hashing) rather than negotiating one, so there is no cipher-suite negotiation to get wrong and far less code in which security holes can hide. The only reservation is that the protocol is still young and its implementations are still maturing (it was merged into the Linux kernel in version 5.6, in 2020). Despite that, VPN providers have started using WireGuard.

OpenVPN is considered the standard, but the alternatives above may work better in some situations, for example IKEv2 on mobile devices or WireGuard where speed matters.
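The cipher and protocol choices discussed above map directly onto OpenVPN directives. The following is an added example written for this article, not configuration taken from any provider or from the OpenVPN project: it places a weak server configuration that leans on old defaults beside a hardened one for OpenVPN 2.4 or later, followed by the client lines that pair with it. The file names (ca.crt, server.crt, ta.key and so on) and the server name vpn.example.net are assumptions.

```conf
# ---- Weak: relies on OpenVPN 2.3-era defaults (do not deploy) ----
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem           # 1024-bit DH group: too small for a modern handshake
# no "cipher" line: the pre-2.4 default is BF-CBC, Blowfish with a 64-bit block
#                   (SWEET32 birthday attack after ~32 GB under one key)
# no "auth" line: the default HMAC digest is SHA1
# no "tls-version-min": TLS 1.0 handshakes are accepted
reneg-sec 0             # never renegotiates, so one key protects the whole session

# ---- Hardened server (OpenVPN 2.4+) ----
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none                 # no finite-field DH; the handshake uses ECDHE instead
ecdh-curve secp384r1
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM      # AEAD data channel: encryption and integrity in one pass
ncp-ciphers AES-256-GCM:AES-128-GCM   # negotiable list; renamed data-ciphers in 2.5+
auth SHA256             # HMAC digest used by tls-auth and by non-AEAD data ciphers
tls-crypt ta.key        # encrypts and authenticates control-channel packets
reneg-sec 3600          # fresh session keys every hour

# ---- Client lines that pair with the hardened server ----
remote vpn.example.net 1194 udp
remote-cert-tls server                  # reject a client certificate posing as the server
verify-x509-name vpn.example.net name   # pin the expected server certificate name (assumed)
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
tls-crypt ta.key
```

The two things to check in any configuration a provider hands you are the cipher actually in use (look for AES-GCM or AES-CBC with auth SHA256, not BF-CBC) and the presence of remote-cert-tls and verify-x509-name on the client; without them a certificate issued by the same CA for any other purpose would be accepted as the server.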

So, what is the best VPN Encryption?

It depends on how much security your data and traffic need. These are the things to look for:

•  A long symmetric key, at least 128 bits (256 bits with AES is the usual choice).

•  A reliable key exchange: ephemeral ECDH (ECDHE) or DHE for the session keys, with RSA-2048 or larger (or ECDSA) certificates for authentication.

•  Strong VPN ciphers like AES, Twofish or Camellia, ideally in an authenticated mode such as GCM.

•  Robust VPN protocols like OpenVPN, SoftEther, IKEv2 or WireGuard.

•  A SHA-2 hash for HMAC authentication – SHA-256, SHA-384 or SHA-512, never MD5 or SHA-1.

•  Perfect forward secrecy, so that a compromise of the server’s long-term key does not expose past sessions.
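The handshake, hash and forward-secrecy points above, and the way a symmetric cipher then protects each packet, fit together in a few dozen lines. The following Go program is an added example written for this article, not code from any VPN product: it runs both ends of an ephemeral X25519 key exchange, derives directional AES-256 keys with HMAC-SHA256, protects a record with AES-256-GCM and shows that a tampered record is rejected. The salt string, key labels and record layout are assumptions made for the example; real protocols (TLS 1.3, IKEv2, WireGuard) define their own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// sessionKeys holds the two directional AES-256 keys one handshake yields.
type sessionKeys struct {
	clientWrite []byte // protects client -> server records
	serverWrite []byte // protects server -> client records
}

// deriveKeys turns the raw X25519 shared secret into traffic keys with an
// HKDF-style extract-then-expand built from HMAC-SHA256. Mixing in the transcript
// (both public values) binds the keys to this exact exchange. The salt string is
// an assumption of this example, not taken from any real protocol.
func deriveKeys(shared, transcript []byte) sessionKeys {
	extract := hmac.New(sha256.New, []byte("example-vpn-handshake-salt"))
	extract.Write(shared) // HKDF-Extract: salt-keyed HMAC over the shared secret
	expand := func(label string) []byte { // HKDF-Expand, one 32-byte block
		m := hmac.New(sha256.New, extract.Sum(nil))
		m.Write(transcript)
		m.Write([]byte(label))
		return m.Sum(nil)
	}
	return sessionKeys{clientWrite: expand("client write"), serverWrite: expand("server write")}
}

// agree is what each endpoint runs locally: its own private key combined with the
// peer's public value gives the shared secret, and the private key never leaves.
func agree(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(peer)
}

// handshake simulates both ends of an ephemeral ECDH exchange; only the two public
// values cross the wire. Both private keys are fresh and dropped after derivation, so
// a later theft of a long-term server key cannot recover this session's keys (PFS).
func handshake() (client, server sessionKeys, err error) {
	curve := ecdh.X25519()
	clientPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	serverPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	clientPub, serverPub := clientPriv.PublicKey().Bytes(), serverPriv.PublicKey().Bytes()
	transcript := append(append([]byte{}, clientPub...), serverPub...)
	clientShared, err := agree(clientPriv, serverPub) // computed on the client
	if err != nil {
		return
	}
	serverShared, err := agree(serverPriv, clientPub) // computed on the server
	if err != nil {
		return
	}
	return deriveKeys(clientShared, transcript), deriveKeys(serverShared, transcript), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one data-channel record with AES-256-GCM. The 96-bit nonce
// carries the record sequence number and travels in the clear; GCM is only safe
// while no (key, nonce) pair repeats, which is why VPNs rekey before a counter wraps.
func sealRecord(key []byte, seq uint64, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return aead.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

// openRecord checks the GCM authentication tag before releasing any plaintext, so a
// record altered in transit (even a single flipped bit) is rejected outright.
func openRecord(key, record []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("record too short to carry a nonce and tag")
	}
	return aead.Open(nil, record[:aead.NonceSize()], record[aead.NonceSize():], nil)
}
```

Calling handshake() twice yields different keys each time, which is the observable side of forward secrecy. Because the nonce is a sequence number, the same code would become unsafe the moment a key outlived its counter, which is exactly why VPN protocols renegotiate keys on a timer or after a volume of traffic rather than keeping one key for the life of the connection.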

Do all VPN providers have VPN Data Encryption?

No. Free VPNs may claim to offer encryption when they do not, and even when they do, it is often weak (PPTP, Blowfish, SHA-1 HMACs). Paying is not a guarantee either: for the best VPN data encryption, choose a paid provider that publishes its configuration, specifically the protocol, cipher, handshake parameters and whether perfect forward secrecy is enabled, and verify those settings in the client configuration you are given.