Many companies tout “military-grade encryption” to protect your data. If it’s good enough for the military, it must be the best—right? Well, kind of. “Military-grade encryption” is more of a marketing term that doesn’t have a precise meaning.
Let’s start with the basics. Encryption is, essentially, a way to take information and scramble it, so it looks like gibberish. You can then decrypt that encrypted information—but only if you know how. The method of encrypting and decrypting is known as a “cipher,” and it usually relies on a piece of information known as a “key.”
For example, when you visit a website encrypted with HTTPS and sign in with a password or provide a credit card number, that private data is sent over the internet in a scrambled (encrypted) form. Only your computer and the website you’re communicating with can understand it, which prevents people from snooping on your password or credit card number. When you first connect, your browser and the website perform a “handshake” and exchange secrets that are used for encryption and decryption of the data.
Rebranding Standard Encryption
Whether you’re logging into your online banking, using a virtual private network (VPN), encrypting the files on your hard drive, or storing your passwords in a secure vault, you obviously want stronger encryption that’s harder to crack.
To put you at ease and generally sound as secure as possible, many services tout “military-grade encryption” on their websites and in advertisements. It sounds strong and battle-tested, but the military doesn’t actually define something called “military-grade encryption.” That’s a phrase dreamt up by marketing people. By advertising encryption as “military-grade,” companies are just saying that “the military uses it for some things.”
What Does “Military Grade Encryption” Mean?
Dashlane, a password manager that has advertised its “military-grade encryption,” explains what this term means on its blog. According to Dashlane, military-grade encryption means AES-256 encryption. That’s the Advanced Encryption Standard with a 256-bit key size.
As Dashlane’s blog points out, AES-256 is “the first publicly accessible and open cipher approved by the National Security Agency (NSA) to protect information at a ‘Top Secret’ level.”
AES-256 differs from AES-128 and AES-192 by having a larger key size. That means a bit more processing power used for performing the encryption and decryption, but all that extra work should make AES-256 even harder to crack.
Bank-Level Encryption Is the Same Thing
“Bank-level encryption” is another term that’s thrown around a lot in marketing. It’s basically the same thing: AES-256 or perhaps AES-128, as most banks use those. In fact, some banks advertise their “military-grade encryption.”
This is good encryption in widespread use. It’s often considered the best, most secure option. Timothy Quinn writes that both “military-grade encryption” and “banking-grade encryption” should just be called “industry-standard encryption.”
AES-256 Is Good, but AES-128 Is Good, Too
AES-256 has been adopted widely by many services and many pieces of software. In fact, you’re likely using this “military-grade encryption” all the time. You just don’t know it because most services don’t even call it “military-grade encryption.”
For example, modern web browsers support AES-256 when communicating with secure HTTPS websites. We use “modern” very loosely here—even Internet Explorer got AES-256 support with Internet Explorer 8 for Windows Vista. Chrome, Firefox, and Safari, of course, support it, too. You’re probably connecting to all kinds of websites that use “military-grade encryption” without knowing it. The built-in BitLocker encryption on Windows uses AES-128 by default but can be configured to use AES-256. It’s not “military-grade” by default, but AES-128 should still be very secure and resistant to attack—and it can be military-grade.
Password manager 1Password made the switch from AES-128 to AES-256 in 2013. 1Password’s Jeffrey Goldberg explained the company’s rationale at the time. He argued that AES-128 was basically as secure, but many people felt more secure with that larger number and that “military-grade encryption.” Ultimately, whether you’re using AES-256, AES-128, or AES-192, you’ve got pretty secure encryption. One may be “military-grade”—largely a made-up term—but that doesn’t mean much.
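To make the point concrete that the three AES variants differ only in key length, here is an added Go example (written for this page, not code from the article or from any product it names). It encrypts a constructed sample message with AES-GCM at 128, 192 and 256 bits and shows that a non-standard key length (the 40-bit size once allowed for export) is rejected by the cipher outright; keys and nonces come from the OS random source.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// sealWithAES encrypts plaintext with AES-GCM using whatever key the caller
// supplies. AES accepts exactly three key lengths: 16 bytes (AES-128),
// 24 bytes (AES-192) and 32 bytes (AES-256); any other length is an error.
func sealWithAES(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key) // returns aes.KeySizeError for odd sizes
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize()) // 12 bytes; must never repeat per key
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// Seal appends a 16-byte authentication tag, regardless of key size.
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// openWithAES decrypts and verifies a ciphertext produced by sealWithAES.
// Any tampering with nonce or ciphertext makes Open return an error.
func openWithAES(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	msg := []byte("card number 4111 1111 1111 1111") // constructed sample plaintext
	for _, bits := range []int{40, 128, 192, 256} {
		key := make([]byte, bits/8)
		rand.Read(key)
		_, ct, err := sealWithAES(key, msg)
		if err != nil {
			fmt.Printf("%3d-bit key: rejected (%v)\n", bits, err)
			continue
		}
		fmt.Printf("%3d-bit key: %d plaintext bytes -> %d ciphertext bytes\n", bits, len(msg), len(ct))
	}
}
```

The ciphertext is the same length for all three standard key sizes; the only visible difference between “military-grade” AES-256 and AES-128 is the 16 extra key bytes.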
Encryption as Munitions
There’s one last interesting point here. If you’re wondering why encryption got so tangled up with the military, you should know that it’s less tangled up with the military than ever.
Cryptography has been an important part of warfare for a long time. It’s a way a military can transmit messages securely: even if the enemy intercepts a message, it must first decrypt it before the contents are of any use. The ancient Romans were using ciphers to disguise messages two thousand years ago under Julius Caesar. In World War II, Nazi Germany employed the Enigma machine to encode its messages. This was famously cracked by Britain and its allies, who used the information gleaned from those encrypted messages to help win the war.
It should be no surprise, then, that many governments have regulated cryptography—specifically, its export to other countries. Up until 1992, cryptography was on the U.S. Munitions List as “Auxiliary Military Equipment.” You could create and possess encryption technologies within the USA but not export them to other countries. The Netscape web browser once had two different versions: a domestic US edition with 128-bit encryption and an “international” version with 40-bit encryption (the maximum allowed). Regulations were modified in the mid-90s to make it easier to export encryption technologies from the US.
Encryption has long been affiliated with the military, so it’s no surprise that the term “military-grade encryption” really seems to speak to people. That might be one reason why marketing campaigns keep using it.