Fexyn
Fexyn

Glossary

What is encryption

The math that turns readable data into ciphertext that only someone with the right key can decode.

Encryption is the process of taking readable data (plaintext) and turning it into something that looks random (ciphertext) using a key. With the key, ciphertext goes back to plaintext. Without the key, ciphertext is statistically indistinguishable from noise.

This is the math underneath every VPN, every HTTPS connection, every encrypted message. The mechanism is universal even when the use cases are different.

Symmetric vs asymmetric

There are two broad categories:

  • Symmetric encryption — same key encrypts and decrypts. Fast. Used for the bulk data inside a VPN tunnel. Examples: AES-256, ChaCha20-Poly1305.
  • Asymmetric cryptography — different keys for encryption/decryption or signing/verification (a public/private key pair). Slow. Used to negotiate a symmetric key without ever transmitting it in the clear. Examples: RSA for encryption, X25519 (Curve25519) for key exchange, Ed25519 for signatures.

A VPN handshake uses asymmetric crypto to establish trust and exchange a symmetric key, then switches to symmetric crypto for the rest of the session because it's orders of magnitude faster.

AES-256: what the marketing actually means

When a VPN says "AES-256 encryption," it means AES with a 256-bit key. AES is a block cipher standardised by NIST in 2001, used everywhere — banking, government, the device you're reading this on. 256-bit keys produce a key space of 2²⁵⁶, which is large enough that brute-forcing it is computationally impossible with current physics.

"Military-grade encryption" is a marketing phrase. AES-256 is what governments, militaries, banks, and your VPN all use. It's not exclusive to anyone. The phrase is meant to sound serious. The math is fine without the marketing.

What encryption doesn't fix

Encryption keeps data confidential while in transit. It doesn't:

  • Stop you from being identified by other signals (browser fingerprint, login cookies, your typing rhythm).
  • Protect against malware on your own device.
  • Prevent the destination server from logging what you sent it.
  • Stop DPI from identifying that you're using a VPN, even if the contents are unreadable.

Encryption is the floor. Above it, you need no-logs policy, DNS leak prevention, traffic obfuscation, and a working kill switch.

What Fexyn uses

Different protocols use different ciphers:

  • WireGuard — ChaCha20-Poly1305 (AEAD)
  • VLESS Reality — TLS 1.3 with the standard suite (typically AES-256-GCM or ChaCha20-Poly1305)
  • OpenVPN — TLS 1.3 control channel + AES-256-GCM data channel

All three are modern AEAD ciphers — authenticated encryption that detects tampering, not just confidentiality. Read more in the security overview and the protocols comparison.

Try Fexyn free for 7 days — encryption is the easy part; what we do above it matters more.

Related terms

Try Fexyn free for 7 days

Windows app available now in Beta. WireGuard, VLESS Reality, and OpenVPN with no browsing-history, DNS-query, or traffic-content logs.

See pricing
What is encryption — What It Is and Why It Matters | Fexyn VPN