What is AES-256-GCM?
The encryption standard protecting your data in VaultPass — and in banks.
Definition
AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode) is a symmetric encryption algorithm used to protect data at rest and in transit. It is the encryption standard mandated by the U.S. government for TOP SECRET classified information, used by financial institutions worldwide, and deployed in TLS for HTTPS connections.
How It Works
AES-256 uses a 256-bit key, meaning there are 2^256 possible keys — a number larger than the atoms in the observable universe. At current computing speeds, brute-forcing an AES-256 key would take longer than the age of the universe. GCM (Galois/Counter Mode) adds authenticated encryption — meaning any tampering with the ciphertext is detected. This prevents 'bit-flipping' attacks where an attacker modifies encrypted data without knowing the key.
How VaultPass Uses This
Every VaultPass vault is encrypted with AES-256-GCM in your browser before upload, using a fresh random 256-bit key. That key is split with Shamir's Secret Sharing rather than derived from a password — so there is no master password to guess or brute-force. The result: even if our database were breached, your vault ciphertext is mathematically protected.
Common Questions
Has AES-256 ever been cracked?
No. AES-256 has no known practical attacks. It is considered quantum-resistant for the foreseeable future and remains the global standard for highly sensitive data.
What is the difference between AES-128 and AES-256?
AES-128 uses a 128-bit key; AES-256 uses a 256-bit key. Both are considered secure for current threat models. AES-256 provides a higher margin against future attacks, including potential quantum computing advances.