
Encryption Explained: AES, RSA, and When to Use Each

A practical guide to symmetric vs asymmetric encryption, key sizes, and choosing the right approach for your application.

Two Types of Encryption

All modern encryption falls into two categories:

Symmetric (AES)

Same key encrypts and decrypts. Fast. Used for bulk data.

encrypt(data, key) → ciphertext
decrypt(ciphertext, key) → data

Asymmetric (RSA)

Key pair: public encrypts, private decrypts. Slower. Used for key exchange.

encrypt(data, publicKey) → ciphertext
decrypt(ciphertext, privateKey) → data

In practice, most systems use both: RSA to securely exchange an AES key, then AES for the actual data encryption.

AES: The Workhorse

AES (Advanced Encryption Standard) is the most widely used encryption algorithm. It's what protects your HTTPS connections, encrypted drives, and password vaults.

Key Size | Security Level | Use Case
AES-128 | Secure until ~2030+ | General use, slightly faster
AES-192 | Rarely used | Middle ground, not common
AES-256 | Recommended | High security, future-proof

Node.js AES-256 Example

const crypto = require('crypto');

// Generate a random 256-bit key (keep it secret: a key manager or env var, never source code)
const key = crypto.randomBytes(32);  // 32 bytes = 256 bits
// GCM's standard nonce is 96 bits; it is not secret, but must never repeat under the same key
const iv = crypto.randomBytes(12);

// Encrypt
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
let encrypted = cipher.update('secret data', 'utf8', 'hex');
encrypted += cipher.final('hex');
const authTag = cipher.getAuthTag();  // 16-byte authentication tag; store it alongside the IV and ciphertext

// Decrypt
const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
decipher.setAuthTag(authTag);         // must be set before final()
let decrypted = decipher.update(encrypted, 'hex', 'utf8');
decrypted += decipher.final('utf8');  // throws if the ciphertext or tag was tampered with; otherwise decrypted === 'secret data'

RSA: For Key Exchange and Signatures

RSA uses a key pair: share your public key with everyone, keep your private key secret. Anyone can encrypt a message with your public key, but only you can decrypt it.

RSA Key Sizes

  • 2048 bits - Minimum acceptable, equivalent to ~112-bit symmetric
  • 3072 bits - Recommended for 2030+
  • 4096 bits - High security, slower operations

RSA is too slow for encrypting large amounts of data. Instead, it's used to:

  • Key exchange - Securely send an AES key to someone
  • Digital signatures - Prove a message came from you
  • Authentication - SSH keys, code signing

Hybrid Encryption in Practice

Here's how HTTPS, email encryption, and most secure systems actually work:

1. Alice generates a random AES key (session key)
2. Alice encrypts the AES key with Bob's RSA public key
3. Alice encrypts her message with the AES key
4. Alice sends: [RSA-encrypted AES key] + [AES-encrypted message]
5. Bob decrypts the AES key with his RSA private key
6. Bob decrypts the message with the AES key

This gives you the best of both worlds: RSA's secure key exchange and AES's speed for bulk encryption.

Quick Decision Guide

Scenario | Use
Encrypting files on disk | AES-256-GCM
Encrypting database fields | AES-256-GCM
Secure communication between two parties | RSA + AES (hybrid)
Signing JWTs | RS256 (RSA) or HS256 (HMAC)
SSH authentication | Ed25519 or RSA-4096
Password hashing | bcrypt or Argon2 (not AES/RSA!)

Common Mistakes to Avoid

Using ECB Mode

ECB (Electronic Codebook) encrypts identical plaintext blocks to identical ciphertext blocks, so patterns in the data show through. Always use GCM, CBC combined with an HMAC (encrypt-then-MAC), or another authenticated mode.

Reusing IVs/Nonces

Each encryption operation under a given key needs a unique IV. Reusing one with the same key can completely break the encryption. Generate them randomly or use a counter.

Rolling Your Own Crypto

Use well-tested libraries (libsodium, OpenSSL, Web Crypto API). Cryptography is full of subtle pitfalls that even experts miss.