What Is AES-256 Encryption? A Non-Cryptographer’s Guide
AES-256 encryption is the symmetric cipher that secures everything from iPhone backups to classified government documents. This guide explains what it is, how it works, and what it cannot do — in language that does not require a math degree.
UPDATED · 2026-05-16 · REVIEWED BY APPVAULT
TL;DR
AES-256 (Advanced Encryption Standard with 256-bit key) is a symmetric block cipher ratified by NIST in 2001. It encrypts data in 128-bit blocks using 14 rounds of substitution-permutation. AES-256-GCM adds authenticated encryption that prevents tampering. The cipher is considered secure against all known practical attacks, including brute force with classical computers. Its main weakness is not the math but the implementation: weak passwords, side-channel leaks, and software bugs break AES-256 far more often than cryptanalysis does.
What Is AES-256 Encryption?
AES-256 is a symmetric block cipher. “Symmetric” means the same key encrypts and decrypts. “Block cipher” means it processes data in fixed-size chunks — 128 bits (16 bytes) at a time. The “256” tells you the key length: 256 bits.
The Advanced Encryption Standard (AES) was selected by the U.S. National Institute of Standards and Technology (NIST) in 2001 after a multi-year public competition. The winning algorithm, Rijndael, was designed by Joan Daemen and Vincent Rijmen. NIST published it as FIPS 197. The standard specifies three key sizes: 128, 192, and 256 bits. AES-256 uses 14 rounds of processing; AES-128 uses 10.
When you hear “256-bit encryption” in a product description, it is almost always AES-256. Other ciphers with 256-bit keys exist (Twofish, ChaCha20), but AES is the most widely adopted and most thoroughly analyzed.
This article is the plain-language overview. If you want the deeper technical breakdown of the authenticated-encryption variant — the nonce discipline, the GHASH authentication tag, the AEAD construction in RFC 5116 — read the dedicated explainer on AES-256-GCM.
How AES-256 Works
AES operates on a 4×4 grid of bytes called the state. Each round applies four operations:
- SubBytes — each byte is replaced using a fixed substitution table (S-box). This introduces non-linearity.
- ShiftRows — the rows of the state are shifted cyclically. This diffuses the bytes across columns.
- MixColumns — each column is multiplied by a fixed polynomial. This further mixes the data.
- AddRoundKey — the round key (derived from the main key) is XORed into the state.
AES-256 repeats these steps 14 times. The first round omits MixColumns. The last round omits MixColumns as well. The round keys are generated by the key schedule, which expands the 256-bit key into 15 separate 128-bit round keys.
The cipher can operate in several modes — essentially, how the block cipher is applied to data longer than one block.
AES-256-GCM: The Recommended Mode
GCM stands for Galois/Counter Mode. It is an authenticated encryption (AEAD) scheme — it provides both confidentiality and integrity. Each message is encrypted with a unique 96-bit nonce (number used once). The ciphertext includes an authentication tag that proves the data has not been tampered with. The specification is RFC 5116.
GCM is the default mode in TLS 1.2 and TLS 1.3. It is also what AppVault uses for every file it encrypts. A unique nonce per file prevents an attacker from comparing ciphertexts to detect identical files.
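The two properties described above, a fresh 96-bit nonce per message and a tag that exposes tampering, shown as an added example using Node.js's built-in crypto module. This is not AppVault's code; the function names `seal`, `unseal` and `demo` and the nonce || ciphertext || tag layout are assumptions of this example.

```javascript
const nodeCrypto = require('crypto'); // Node.js built-in module

const NONCE_BYTES = 12; // 96-bit nonce, as in the text above
const TAG_BYTES = 16;   // 128-bit authentication tag

// Encrypt one message. A fresh random nonce is drawn on every call, so a
// caller cannot reuse one by accident.
// Output layout (an assumption of this example): nonce || ciphertext || tag
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(NONCE_BYTES);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]);
}

// Decrypt and verify. Returns the plaintext, or null when the tag check
// fails (wrong key, or any modified bit in nonce, ciphertext or tag).
function unseal(key, sealed) {
  if (sealed.length < NONCE_BYTES + TAG_BYTES) return null;
  const nonce = sealed.subarray(0, NONCE_BYTES);
  const body = sealed.subarray(NONCE_BYTES, sealed.length - TAG_BYTES);
  const tag = sealed.subarray(sealed.length - TAG_BYTES);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce,
    { authTagLength: TAG_BYTES });
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]);
  } catch (err) {
    return null; // final() throws when authentication fails
  }
}

// Constructed sample data: the same "file" encrypted twice under one key.
function demo() {
  const key = nodeCrypto.randomBytes(32); // constructed 256-bit key
  const file = Buffer.from('constructed sample file contents');
  const first = seal(key, file);
  const second = seal(key, file);
  const tampered = Buffer.from(first);
  tampered[NONCE_BYTES] ^= 0x01; // flip one ciphertext bit
  return {
    roundTrip: unseal(key, first).equals(file),
    identicalCiphertexts: first.equals(second),
    tamperedResult: unseal(key, tampered),
    wrongKeyResult: unseal(nodeCrypto.randomBytes(32), first),
  };
}

console.log(demo());
```

With randomly generated 96-bit nonces, NIST SP 800-38D limits a single key to 2^32 encryptions; a design that encrypts more than that under one key needs a counter-based nonce or key rotation.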
AES-256-CBC: Legacy Mode
Cipher Block Chaining (CBC) XORs each plaintext block with the previous ciphertext block before encryption. It provides confidentiality only. Without a separate HMAC, CBC is vulnerable to padding oracle attacks. NIST and most security authorities now recommend GCM over CBC for new implementations.
AES-256 vs AES-128
The core difference is the keyspace. AES-128 has 2^128 possible keys. AES-256 has 2^256. That is not twice as many — it is 2^128 times more. The number 2^128 is already enormous: roughly 340 undecillion. 2^256 is 2^128 squared.
For practical purposes, both are secure against brute force with classical computers. The NSA allows AES-128 for Secret data and AES-256 for Top Secret. The choice matters for long-term secrecy. If an attacker records encrypted traffic today and stores it, a future breakthrough (or a quantum computer) could break AES-128 decades from now. AES-256 provides a larger safety margin.
Quantum computers using Grover’s algorithm would reduce the effective key strength by half: AES-256 becomes 128 bits, AES-128 becomes 64 bits. 128-bit keys are still considered secure against quantum attacks for the foreseeable future, but 64-bit keys are not. AES-256 is the safer bet for data that must remain confidential beyond 2030.
Performance: AES-256 is roughly 40% slower than AES-128 in software. On modern CPUs with AES-NI instructions, the difference is much smaller — typically 10-20%. For most applications, the security gain outweighs the performance cost.
Where AES-256 Is Used
AES-256 is everywhere.
- TLS/HTTPS — Every secure website uses AES in GCM or CBC mode. The cipher suite TLS_AES_256_GCM_SHA384 is common.
- Wi-Fi — WPA2 and WPA3 use AES-CCMP (128-bit key) or AES-GCMP (256-bit key in WPA3-Enterprise).
- iPhone file protection — iOS encrypts files with AES-256 using keys wrapped by the Secure Enclave. Apple’s Platform Security guide describes the key hierarchy.
- Full-disk encryption — BitLocker (Windows), FileVault (macOS), and LUKS (Linux) all use AES-256.
- Messaging — Signal, WhatsApp, and iMessage use AES-256 in combination with other primitives.
- VPNs — OpenVPN, WireGuard, and IPsec all support AES-256-GCM.
AES-256 is also the encryption engine inside AppVault. Every photo, video, and file is encrypted with AES-256-GCM before it touches storage. The full stack is documented on the AES-256-GCM encryption page.
What AES-256 Does NOT Protect Against
The algorithm is mathematically sound. The failures happen around it.
Weak passwords. AES-256 is only as strong as the key. If the key is derived from a four-digit PIN, an attacker can try all 10,000 possibilities in milliseconds. Key derivation functions like PBKDF2, bcrypt, or Argon2 stretch weak passwords into stronger keys. AppVault uses PBKDF2-SHA256 with 600,000 iterations and a per-install 128-bit salt to slow down brute-force attempts.
Side-channel attacks. If an attacker can measure power consumption, electromagnetic emissions, or cache timing, they may recover the key without breaking the cipher. Hardware implementations with AES-NI resist many side channels. Software implementations must be constant-time to avoid leaking data through timing.
Implementation bugs. AES is complex to implement correctly. Nonce reuse in GCM destroys all security. Padding oracle attacks break CBC if the integrity check is missing. A single buffer overflow can leak the key. The safest approach is to use a well-audited library from the operating system — Apple’s CryptoKit, iOS’s CommonCrypto, or OpenSSL.
Physical access without encryption at rest. AES-256 protects data at rest. If the device is powered on and unlocked, the key is in memory. An attacker with forensic tools can dump the key. This is why iPhone file protection uses hardware-backed keys that are wiped when the device locks.
The human factor. Encryption does not stop someone from tricking you into revealing the password. It does not stop a court order compelling you to unlock the device. It does not stop a malicious app running on the same phone from reading files after they are decrypted.
AppVault’s threat model page lists what the app defends against and what it does not. The honest answer: AES-256-GCM protects against an attacker who gains physical access to the device while it is locked, or who intercepts the encrypted backup. It does not protect against a keylogger on the device or a rubber-hose attack.
How AppVault Uses AES-256-GCM
AppVault implements AES-256-GCM with several layers beyond the cipher itself.
Unique nonce per file. Every encryption operation generates a fresh 96-bit nonce using the Secure Enclave’s random number generator. Even if two files are identical, their ciphertexts differ. An attacker cannot infer file contents by comparing encrypted sizes or patterns.
Key derivation from pattern. The user’s 5×5 pattern lock is transformed into a 256-bit key using PBKDF2-SHA256 with 600,000 iterations. The iteration count follows the OWASP 2026 recommendation. The salt is 128 bits, generated per installation. The resulting key is then wrapped by a key generated inside the iPhone Secure Enclave. The Enclave key never leaves the chip. This means even if an attacker extracts the PBKDF2 output from memory, they cannot decrypt files without access to the Secure Enclave.
No servers. AppVault makes zero network calls by default. Encryption keys never leave the device. Encrypted iCloud Backup is opt-in and uses a separate per-device backup key. Apple receives only ciphertext. This is a zero-knowledge architecture: AppVault cannot read your files, even if compelled.
Catalog encryption. The list of files — their names, sizes, and dates — is also encrypted. An attacker with raw storage access cannot determine how many files are in the vault, let alone what they are.
Decoy vault. The Decoy Vault feature creates a second, mathematically independent encrypted catalog behind a different pattern. Each vault uses its own key derivation chain. The existence of one vault does not reveal the other.
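The key-derivation parameters given above and in the "Weak passwords" paragraph (PBKDF2-SHA256, 600,000 iterations, 128-bit salt, 256-bit output), as an added example using Node.js's built-in crypto module. It is not AppVault's code, it leaves out the Secure Enclave wrapping step, and the function names and the two larger keyspaces are assumptions constructed for illustration.

```javascript
const nodeCrypto = require('crypto'); // Node.js built-in module

const ITERATIONS = 600000; // iteration count stated on this page
const SALT_BYTES = 16;     // 128-bit salt
const KEY_BYTES = 32;      // 256-bit AES key

// One salt per installation, generated once and stored beside the vault.
function newSalt() {
  return nodeCrypto.randomBytes(SALT_BYTES);
}

// Stretch a low-entropy secret into a 256-bit key.
function deriveKey(secret, salt, iterations = ITERATIONS) {
  return nodeCrypto.pbkdf2Sync(secret, salt, iterations, KEY_BYTES, 'sha256');
}

// Measure what one derivation costs on this machine, in seconds.
// Single core; parallel hardware is faster, so read this as an upper bound.
function secondsPerGuess(iterations = ITERATIONS) {
  const start = process.hrtime.bigint();
  deriveKey('timing-probe', Buffer.alloc(SALT_BYTES), iterations);
  return Number(process.hrtime.bigint() - start) / 1e9;
}

// Worst-case time to derive a key for every candidate secret.
function exhaustSeconds(keyspace, perGuess) {
  return keyspace * perGuess;
}

// Stretching multiplies the cost of each guess; it does not enlarge the
// keyspace. A small keyspace stays small at any iteration count.
function report(perGuess = secondsPerGuess()) {
  const keyspaces = [
    ['4-digit PIN (from the text)', 10 ** 4],
    ['8-digit PIN (constructed)', 10 ** 8],
    ['12 random chars a-z0-9 (constructed)', 36 ** 12],
  ];
  return keyspaces.map(([label, size]) => ({
    label,
    hours: exhaustSeconds(size, perGuess) / 3600,
  }));
}

console.log(report());
```

The first row is the reason the derived key also needs hardware binding or a larger secret space: at a fraction of a second per guess, 10,000 candidates are exhausted in about an hour or less on one core.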
The Bottom Line
AES-256 encryption is the gold standard for data confidentiality. When implemented correctly — with authenticated encryption, unique nonces, strong key derivation, and hardware-backed key storage — it provides a level of security that no known attacker can break.
But encryption is a tool, not a talisman. It does not protect against weak passwords, compromised devices, or social engineering. The best cipher in the world is useless if the user sets “1234” as the vault code.
AppVault’s design acknowledges that reality. The cryptography stack uses AES-256-GCM with Secure Enclave wrapping, PBKDF2 with 600,000 iterations, and zero-knowledge architecture. The pattern lock page explains exactly how a 5×5 grid becomes a 256-bit key. The comparison with Keepsafe shows how different apps approach the same problem.
AES-256 is not magic. It is math. And math, when applied correctly, is the closest thing to a guarantee that privacy engineering can offer.
QUESTIONS
- 01 What does AES-256 encryption mean?
AES-256 means the Advanced Encryption Standard using a 256-bit key. It encrypts data in 128-bit blocks with 14 rounds of processing. The 256-bit key provides 2^256 possible keys, making brute-force search impractical.
- 02 Is AES-256 secure?
Yes. AES-256 has no known practical attacks against the full-round cipher. The NSA approved it for Top Secret data. Security failures almost always come from weak passwords, side-channel leaks, or implementation bugs — not the algorithm itself.
- 03 What is the difference between AES-128 and AES-256?
AES-128 uses a 128-bit key with 10 rounds; AES-256 uses a 256-bit key with 14 rounds. AES-256 offers a much larger keyspace (2^128 vs 2^256) and is recommended for long-term secrecy. AES-128 is still secure for most applications but may be vulnerable to future quantum attacks.
- 04 What is AES-256-GCM?
AES-256-GCM is AES-256 in Galois/Counter Mode, an authenticated encryption (AEAD) scheme that provides both confidentiality and integrity. It prevents an attacker from tampering with ciphertext. Each encryption uses a unique 96-bit nonce.
- 05 What is AES-256-CBC?
AES-256-CBC is AES-256 in Cipher Block Chaining mode. It provides confidentiality only — no integrity check. Without an additional HMAC, CBC is vulnerable to padding oracle attacks. It is considered legacy and discouraged for new systems.
- 06 Can AES-256 be cracked?
With classical computers, no. Brute-forcing 2^256 keys would require more energy than the sun produces. Quantum computers using Grover's algorithm could reduce the effective key strength to 128 bits, which is still secure for now. No quantum computer capable of running Grover on AES-256 exists.
- 07 What uses AES-256 encryption?
AES-256 is used in TLS 1.2/1.3 (for HTTPS), Wi-Fi WPA2/WPA3, Signal, WhatsApp, iPhone file protection, BitLocker, FileVault, and many VPNs. AppVault uses AES-256-GCM with a unique nonce per file.
- 08 Is AES-256 the same as 256-bit encryption?
Not necessarily. "256-bit encryption" can refer to any cipher using a 256-bit key — AES-256, Twofish-256, ChaCha20 with a 256-bit key, etc. AES-256 is the most widely deployed standardized 256-bit cipher.
- 09 What is better than AES-256?
ChaCha20-Poly1305 is considered comparable in security and often faster on mobile CPUs without AES hardware acceleration. AES-256-GCM is still the gold standard for hardware-accelerated platforms. No cipher with a 256-bit key is "better" in security margin; the difference is performance and implementation maturity.
- 10 What is zero-knowledge encryption?
Zero-knowledge encryption means the service provider cannot read your data because encryption keys never leave your device. AppVault implements zero-knowledge by generating keys on-device, wrapping them with the Secure Enclave, and never sending keys to any server.