Here's What 'Military-Grade' Encryption Really Means
The term "military-grade encryption" is powerfully evocative, summoning images of impenetrable bunkers or hardened, isolated networks deep in secure government facilities. It's a term bandied around regularly by apps, VPNs, and cloud services in their marketing materials precisely for that reason: conjuring the specter of the military also conjures connotations of top secret security and rigorously stress-tested protocols.
The reality is that the term is almost always a marketing buzzword for AES-256, an encryption algorithm that the U.S. government uses to protect top-secret classified information. As with similar language in other marketing contexts, such as "military-grade durability" or "passes U.S. MIL-STD-810 testing," it does not imply that a product has been certified by the U.S. military or that it uses technology that's normally exclusive to the Department of Defense or armed forces. Instead, it simply means that a product makes use of a common, though very secure, encryption standard. Importantly, however, encryption strength relies on the entire system, not just the algorithm, which is one reason we recommend separately encrypting your own files before uploading them to the cloud.
Defining AES-256
AES-256 refers to the Advanced Encryption Standard (a subset of Rijndael, an algorithm developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen) with a 256-bit key. AES-256 was introduced by the U.S. National Institute of Standards and Technology (NIST) in 2001 and remains the federal standard for encryption for top secret data in the United States. It's widely used in common apps like Zoom, and because it is so difficult to break, it has also been employed in ransomware attacks, such as those perpetrated by TeslaCrypt, as far back as 2015.
AES-256 works like any other encryption standard by translating information into unreadable ciphertext that can't be decoded without the appropriate 256-bit key. It starts by dividing the data into blocks, then extensively scrambles it and swaps it for otherwise meaningless bytes of data. Rows and columns of data are shifted and mixed, and then the final ciphertext is output. Without the matching key, the ciphertext is nonsense; however, any person or entity with access to that key will be able to fully decipher and access that data.
AES-256 is incredibly secure and has never been cracked. Even quantum computers, which threaten the security of a number of commonly used encryption schemes, are unlikely to crack AES-256. That said, it's important to note that saying a piece of software makes use of "military-grade encryption" does not imply any testing, certification, or endorsement by the U.S. military, nor that it has somehow been granted access to an algorithm normally only available for military applications.