Technology March 11, 2026

How Encryption Works


Every time you buy something online, your card number travels across dozens of servers. Here's why that's safe.

The idea of sending a secret message is ancient. Julius Caesar shifted letters three positions down the alphabet to encode military orders. For two thousand years, breaking codes was just a matter of patience and pattern recognition. Then, in the 1970s, mathematicians discovered something that genuinely changed the game: a way to encrypt information with a key you publish openly, so that it can only be unlocked with a different key you keep private. It sounds paradoxical. It works. And it’s protecting your credit card number right now.

The short answer

Encryption is a way of scrambling data so that only someone with the right key can read it. Think of it like a locked box: you put your message inside, lock it with a key, and send the box across the world. Even if someone intercepts the box, they can’t open it without the key.

Your phone encrypts your messages. Your browser encrypts your passwords. The padlock icon in your address bar? That’s encryption at work, protecting every piece of data you send and receive, including all the traffic flowing through Wi-Fi and APIs.

The full picture

Two keys, one job

There are two main types of encryption, and understanding the difference is key to understanding how modern security works.

Symmetric encryption is the simpler of the two. Imagine you and a friend share a single key to a safe. You lock something with it, your friend unlocks it with the same key. It’s fast and efficient, but there’s a problem: you both need to have the same key, which means you had to find a safe way to share it in the first place.

This is where asymmetric encryption changes the game. Instead of one key, you have two: a public key and a private key. The public key can only lock the safe, not open it. The private key is the only thing that can unlock what the public key locked.

Here’s how it works in practice. If someone wants to send you a secret message, they use your public key to lock it. Only you, with your private key, can unlock and read it. The public key is exactly that: public. You can share it with anyone. Your private key never leaves your device.

This is the foundation of everything from secure messaging to cryptocurrency.

The padlock analogy

You’ve seen the padlock icon in your browser’s address bar. Here’s what actually happens when you see it.

When you visit a secure website via the internet, your browser and the website’s server perform a ritual called the TLS handshake. Think of it as two strangers exchanging IDs before sharing secrets.

  1. Your browser says hello and lists the encryption methods it supports
  2. The server responds with its digital certificate, basically an ID card issued by someone trusted
  3. Your browser verifies the certificate is real
  4. Both sides generate temporary encryption keys for this session

This whole exchange takes less than a second, and once it’s done, every piece of data flowing between you and the website is encrypted.

Who vouches for whom

That certificate we just mentioned? It’s issued by a certificate authority, a trusted organization that verifies a website is actually who it claims to be. When your browser trusts a certificate, it’s essentially saying “we trust this third party, and they vouch for this website.”

This is why you shouldn’t ignore browser warnings about invalid certificates. It means the site either hasn’t been verified, or something is trying to intercept your connection.

End-to-end vs in transit

Not all encryption is created equal, and the difference matters.

Encryption in transit is what happens when you visit a secure website. Your data is encrypted between your device and the server, but the server itself can still read it. It’s like sending a letter in a sealed envelope: safe from prying eyes during delivery, but the post office could theoretically open it if they wanted to.

End-to-end encryption goes further. Only you and the recipient can read the message. Not even the service provider can decrypt it. This is what apps like Signal and WhatsApp use for their most sensitive features. The message leaves your phone scrambled and arrives at the recipient’s phone scrambled. The middlemen see only gibberish.

Why breaking encryption is nearly impossible

Modern encryption isn’t just a lock. It’s a lock with a combination that has more digits than there are atoms in the universe.

When we say your data is protected by 256-bit encryption, that means there are 2^256 possible keys. That’s a number with 78 digits. To put that in perspective, if every atom in the known universe were a computer that could try a trillion keys per second, it would take longer than the age of the universe to try them all.

This isn’t hyperbole. This is mathematics. The best attacks on modern encryption don’t break the math; they find implementation bugs or trick people into giving up their keys through phishing.

The quantum threat, and why it’s already happening

Everything we’ve described so far assumes classical computers, the kind you have on your desk or in your pocket. Quantum computers work differently, and they have the potential to break some of the encryption we rely on today.

Specifically, quantum computers could solve certain mathematical problems much faster than regular computers. The problems behind RSA and elliptic curve cryptography, which underpin most asymmetric encryption today, happen to be among them.

But here’s what most articles get wrong: this isn’t just a future problem you can worry about later.

There’s a strategy already in use called “harvest now, decrypt later” (HNDL). The idea is simple: an adversary (a nation-state intelligence agency, say) intercepts and stores encrypted communications today, even though they can’t break the encryption yet. They just wait. When quantum computers become powerful enough, they go back to their archive and decrypt everything they collected years earlier.

The US National Institute of Standards and Technology (NIST) explicitly names this threat in official guidance. Your medical records, your legal documents, your private messages: anything sensitive you send today could be sitting in someone’s archive waiting for a quantum computer to arrive.

NIST responded to this threat in August 2024 by finalizing the world’s first official post-quantum cryptography standards (published as FIPS 203, 204, and 205). These are new encryption algorithms designed to be secure even against quantum attacks. Governments, financial institutions, and tech companies are now in the process of migrating to them, a transition that experts compare in scale to the original switch from HTTP to HTTPS.

For ordinary users, this transition will be invisible. Browser and OS makers will update their software, and the new algorithms will take over quietly, just as TLS quietly replaced older protocols before it. But if you work in an organization that handles sensitive data that needs to stay secret for years (government, healthcare, finance, law), post-quantum readiness is already an active concern, not a future one.

Why governments hate strong encryption

There’s a tension at the heart of encryption that purely technical explanations tend to skip: encryption is politically contested in ways that affect everyone.

Law enforcement agencies around the world argue that end-to-end encryption leads to “going dark,” a situation where criminals can communicate with absolute impunity because no one, not even the service provider, can read their messages. The FBI, the UK Home Office, and the European Commission have all, at various points, called for laws requiring tech companies to build in “backdoors,” deliberate weaknesses that would allow authorized access to encrypted communications.

The technology community has responded consistently: a backdoor for law enforcement is a backdoor for everyone. There is no such thing as an encryption weakness that only good actors can exploit. If you build a key that unlocks every lock, someone will steal it.

The debate has erupted into public battles repeatedly:

  • Apple vs. FBI (2016): After the San Bernardino shooting, the FBI demanded Apple write software to help unlock a gunman’s iPhone. Apple refused, arguing that creating such a tool would compromise the security of every iPhone in the world. The FBI eventually obtained access through a third-party vulnerability, without Apple’s help.
  • Signal vs. the UK (2023–2024): The UK Online Safety Act included provisions that could require messaging apps to scan encrypted messages for illegal content. Signal’s president said the company would leave the UK market rather than compromise encryption. The UK government eventually backed down on enforcement of that particular provision, but the law remains on the books.
  • EU Chat Control (ongoing): The European Commission has proposed regulations that would require all messaging apps to scan private messages for child sexual abuse material, effectively requiring a backdoor into end-to-end encryption. As of 2026, the proposal is still being contested.

The stakes in these debates are high precisely because encryption works. The same property that protects dissidents in authoritarian countries, journalists communicating with sources, and domestic abuse survivors communicating safely is also the property that frustrates law enforcement. There is no version of encryption that works only for the right people. That’s the whole point.

How public key cryptography actually works mathematically

Public key cryptography sounds like a magic trick: how can a lock be designed that anyone can close but only one person can open? The answer lies in what mathematicians call trapdoor functions: mathematical operations that are easy to perform in one direction but practically impossible to reverse.

The most famous is RSA encryption, invented in 1977. It’s built on the fact that multiplying two large prime numbers is fast, but given the result, finding the original two primes is, for sufficiently large numbers, computationally infeasible.

Here’s the rough idea: you pick two enormous prime numbers (each hundreds of digits long) and multiply them together. That product becomes the basis of your public key. Anyone can use the public key to encrypt a message. But decrypting it requires knowing those original two primes. The only practical way to find them is to try factoring the giant number, and for large enough numbers, that would take supercomputers millions of years.

There’s an elegant irony here: the hardest part of creating the most sophisticated cryptographic system in history was rediscovering something mathematicians already knew. The mathematicians who invented RSA (Rivest, Shamir, and Adleman) realized that ancient number theory about prime numbers was, unknowingly, the foundation of modern digital security. The mathematics was there. Someone just had to notice it was also a lock.

Why it matters

Encryption is the reason you can bank online, send private messages, and share sensitive documents without losing sleep. It’s not perfect, nothing is, but it’s the best defense we have against mass surveillance, identity theft, and corporate espionage.

You use encryption dozens of times a day without thinking about it. That’s by design. The best security is the kind that gets out of your way and just works.

Understanding the basics helps you make smarter decisions, like recognizing why that padlock icon matters, why you shouldn’t send sensitive information over unencrypted channels, or why the backdoor debate has no good technical answer, only political trade-offs. You’re not going to become a cryptographer overnight, but you don’t need to. The math does the heavy lifting. You just need to know it exists, who wants to weaken it, and why they’re fighting a losing battle.

Common misconceptions

“Encryption means your data is completely private and untraceable.” This overstates what encryption actually does. Encryption protects the content of your messages, but metadata—who you talk to, when, and how often—remains visible. Intelligence agencies can still see that you contacted a certain server or person, even if they can’t read what you said.

“Strong encryption is illegal in some countries, so people there have no protection.” The reality is more complicated. Many countries that restrict encryption have weak enforcement or allow certain encrypted services. People in restrictive jurisdictions often use widely available encryption tools that are technically difficult to block without cutting off internet access entirely.

“If your password is strong enough, your account can never be hacked.” Encryption protects data in transit and at rest, but it doesn’t protect against phishing, keyloggers, or password reuse breaches. Even 256-bit encryption cannot save you from typing your password into a fake login page.

“Quantum computers will make all encryption useless immediately.” This is not accurate. Quantum computers pose a real threat to current encryption standards, but they don’t magically break every algorithm. Symmetric encryption (like AES) would still require a brute-force search even with quantum assistance. Post-quantum cryptography already exists and is being deployed.