Encryption transforms readable data into ciphertext that only someone with the correct key can reverse. Unlike encoding, which any reader can undo, encryption protects confidentiality — without the key, the data is unreadable. An encryptor/decryptor handles common algorithms like AES so you can secure text or files without writing crypto code yourself.

This guide covers symmetric vs asymmetric encryption, when each applies, and the key management points that matter more than the algorithm choice.

Encryption vs Encoding vs Hashing

  • Encoding — Reversible without key; format conversion only; not security (Base64, URL encoding)
  • Hashing — One-way; cannot reverse; used for verification (SHA-256, bcrypt)
  • Encryption — Two-way with key; protects confidentiality (AES, RSA)

Symmetric Encryption

Same key encrypts and decrypts. Fast, suitable for large data. Both parties must share the key securely.

  • AES — Current standard; 128/192/256-bit keys
  • ChaCha20 — Modern alternative; performant on mobile
  • 3DES — Legacy; deprecated
  • DES — Broken; never use

AES Modes

  • GCM — Authenticated encryption; preferred for new systems
  • CBC — Common; requires separate authentication (HMAC)
  • ECB — Insecure for most data; identical blocks produce identical ciphertext

Asymmetric Encryption

Public key encrypts; private key decrypts. Solves the key distribution problem — anyone can encrypt to you using your public key, but only you can read with the private key.

  • RSA — Widely deployed; 2048-bit minimum
  • ECC — Smaller keys, same security; modern choice
  • Asymmetric algorithms are slower than symmetric; usually used to exchange a symmetric key

Common Use Cases

  • File encryption — Protect sensitive documents before storage or transfer
  • Disk encryption — BitLocker, FileVault, LUKS
  • Database fields — Encrypt PII, credit cards at rest
  • Messaging — Signal, WhatsApp end-to-end encryption
  • HTTPS — TLS uses asymmetric for handshake, symmetric for data
  • Backups — Encrypt before uploading to cloud storage
  • Password managers — Vault encrypted with master password

Key Management Matters More Than Algorithm

  • AES is unbreakable in practice; key handling is where systems fail
  • Hardcoded keys in source code defeat the purpose
  • Keys in version control are immediately compromised
  • Rotate keys periodically
  • Use dedicated key management services (AWS KMS, Azure Key Vault, HashiCorp Vault) for production

Password-Based Encryption

  • User password derives encryption key via PBKDF2, scrypt, or Argon2
  • Slow derivation defends against brute force
  • Weak password = weak encryption regardless of algorithm
  • Always combine with random salt per encryption
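
The points above, combined with AES-256-GCM from the AES Modes list, as an added example (not code from this page or from the Popupnote tool). It uses Node.js's built-in crypto module; the scrypt cost parameters and the salt/nonce/tag/ciphertext layout are assumptions made for this example.

```javascript
// Added example: password-based AES-256-GCM with Node's built-in crypto module.
const crypto = require('node:crypto');

// Assumed scrypt cost parameters for this example; tune them to your hardware.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16;

function deriveKey(password, salt) {
  // Slow, memory-hard derivation: every password guess costs an attacker this much work.
  return crypto.scryptSync(password.normalize('NFKC'), salt, 32, SCRYPT);
}

// Output layout (constructed for this example): salt || nonce || tag || ciphertext, base64.
function encryptText(password, plaintext) {
  const salt = crypto.randomBytes(SALT_LEN);   // fresh random salt per encryption
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh nonce per encryption, never reused
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), nonce);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]).toString('base64');
}

function decryptText(password, blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < SALT_LEN + NONCE_LEN + TAG_LEN) throw new Error('blob too short');
  const salt = raw.subarray(0, SALT_LEN);
  const nonce = raw.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
  const tag = raw.subarray(SALT_LEN + NONCE_LEN, SALT_LEN + NONCE_LEN + TAG_LEN);
  const body = raw.subarray(SALT_LEN + NONCE_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), nonce,
    { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify, so no plaintext is returned on failure.
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// True when decryption is rejected (wrong password or modified ciphertext).
function isRejected(password, blob) {
  try { decryptText(password, blob); return false; } catch { return true; }
}

// Simulates tampering in storage or transit by flipping one bit of the last byte.
function flipLastBit(blob) {
  const raw = Buffer.from(blob, 'base64');
  raw[raw.length - 1] ^= 1;
  return raw.toString('base64');
}
```

Because the salt and nonce travel with the ciphertext, only the password has to be kept secret; encrypting the same text twice yields different output.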

Common Pitfalls

  • Hardcoded keys. Anyone with the code has the key
  • Reusing IV/nonce. Breaks confidentiality with most modes
  • ECB mode for images. Visible patterns leak through
  • No authentication. Encrypted but tamperable; attacker can modify ciphertext
  • Weak passwords. AES-256 with password "12345" is trivially broken
  • Rolling your own. Use vetted libraries; never invent crypto
  • Losing the key. No recovery possible; data is gone

Security Notes

  • AES-256 with GCM is the modern default
  • Never decrypt without verifying authenticity
  • For files, use established formats (age, OpenSSL, GPG) when possible
  • For passwords, use a password manager, not custom encryption
  • Quantum computing threatens RSA/ECC long-term; post-quantum algorithms are being standardised

When to Use What

  • Encrypt a file to share — Symmetric (AES) with strong password
  • Send to someone you don't share keys with — Asymmetric (PGP, age)
  • Store in database — AES with KMS-managed key
  • Protect data in transit — TLS (it handles the choice)
  • Verify integrity only — Hash, not encryption

Quick Tips

  • AES-256-GCM for symmetric encryption
  • Use a password manager for personal secrets
  • Never hardcode keys in source code
  • Don't invent crypto; use established libraries
  • Losing the key means losing the data — back up the key separately

Use the Encryptor/Decryptor on Popupnote

The Encryptor / Decryptor on Popupnote provides a clean tool for encrypting and decrypting text with AES — for protecting messages, notes, and small files with a password. The tool runs in your browser without any account required.