What is encryption and how does it keep my VPN secure?
You rely on encryption every day of your life. It keeps your personal data secure and prevents your private conversations from being intercepted. The moment you are born, your lifelong relationship with encryption begins. For example, if your son or daughter spent any time in a neonatal intensive-care unit (NICU), encryption is what made it safe for you and your doctor to check up on your baby from a smartphone.
The truth is that private communication over a distance is only possible because of encryption. The Internet carries billions of separate conversations at the same time, all over the globe, all using the same protocols on shared wires. Encryption is the only thing keeping each of those conversations private from the others.
How LiquidVPN uses VPN encryption to protect your data
Our encryption defaults err on the side of security, and every alternative we offer still provides strong encryption. In other words, any change you make still gives you a level of protection that is adequate for most people using a VPN; the choice is about speed on your hardware, not about whether the tunnel is safe.
We kept the traditional AES-CBC ciphers for backward compatibility and added the newer AES-GCM ciphers for their performance. If you connect from a router or a Raspberry Pi, selecting a faster cipher can noticeably increase VPN throughput.
What is encryption and how does it work?
As a kid, did you ever come up with a secret code or language that only you and your friends knew? That’s encryption in its simplest form.
Encryption uses a set of rules called a cipher to turn a readable message into what looks like random noise. Reversing the process decodes the message back to its original form. In a childhood secret code the rules themselves were the secret, so anyone who learned them could read every message.
Computer encryption works differently. The cipher is a public algorithm that everyone, including attackers, can study. What keeps a message secret is an extra piece of information the algorithm mixes in: the encryption key. The cipher uses the key to produce the encrypted message, and the same key (or its counterpart) is needed to decrypt it. Security rests on the key staying secret, not on the algorithm being unknown.
For the bulk of the traffic that flows through a VPN or an SSL/TLS connection, both sides hold the same key. This is symmetric encryption. Those session keys are not written in any file; the client and server agree on fresh ones every time you connect. What the LiquidVPN configuration file carries is the material needed to set that exchange up securely: the certificates used to verify who you are talking to and the static tls-auth key. That is why you need the configuration file when you connect from Linux or a router, while the custom clients for Windows, Mac, and mobile already have it built in.
Why Encryption Matters
Encryption allows people to send data over the Internet in secret. It relies on algorithms that scramble the data so it is unreadable to anyone who does not have the keys.
Any good VPN relies on strong encryption. Encryption protects your login to the VPN, and then it protects everything you send to and receive from the VPN server.
Without encryption, your computer sends information in plain text. A VPN wraps that traffic in an encrypted tunnel between your device and the VPN server, so anyone on the path between the two (your ISP, the operator of a public Wi-Fi network, an attacker on the same hotel network) sees only ciphertext. Keep in mind that the tunnel ends at the VPN server; protection beyond that point still comes from the site's own HTTPS.
Of course, encryption is important outside of VPNs too. If your connection to your online banking website were not encrypted, your login information, balance, and account number would all be plainly visible to anyone watching the wire.
The many layers of OpenVPN encryption
Different algorithms, or ciphers, transform information in different ways, following mathematical procedures that make them more or less secure. Those procedures are public, and that is a strength: thousands of researchers have tried to find a flaw. When someone does find a practical attack, the cipher is considered broken and falls out of use.
There are many cipher algorithms out there. Some have been broken and others have not. Right now the AES family, combined with the SHA-256 or SHA-512 hash functions for authentication, is among the safest set of options OpenVPN supports. There are no known practical attacks against any of them.
Keys and algorithms are both described by a bit length: the size of the key or of the output they produce. All else being equal, more bits means more work for an attacker.
But the scale is different for different kinds of algorithm. AES-256 is a symmetric cipher with a 256-bit key, and brute-forcing it is hopeless. RSA 2048 is a public-key algorithm with a 2048-bit modulus, and it is considered high security today. 2048 sounds much bigger than 256, but the attacks on RSA are far cheaper than brute force, so a 2048-bit RSA key is actually rated weaker than a 128-bit AES key (NIST puts RSA 2048 at roughly 112 bits of security and RSA 3072 at roughly 128). The numbers are not comparable across algorithms.
A good rule of thumb is to compare algorithms against each other first and only then compare bit lengths within the same algorithm. Remember that a longer key costs time on every packet or handshake: AES-256 runs more rounds than AES-128, and a 4096-bit RSA or DH operation is several times slower than a 2048-bit one.
Data Channel Ciphers
The Data Channel cipher is the inner layer of encryption that protects the data being sent between your computer and a LiquidVPN OpenVPN server. It is the last line of defense between your data and anyone who would read it. These are the most secure Data Channel ciphers supported by the open source version of OpenVPN:
- AES-256-GCM: OpenVPN 2.4, released in December 2016, was the first version to support the Galois/Counter Mode (GCM) ciphers. This is the strongest data channel option.
- AES-128-GCM: AES-GCM is an authenticated encryption with associated data (AEAD) mode, so confidentiality and integrity come from the cipher itself in a single pass. On hardware with AES acceleration, GCM is faster than CBC plus a separate HMAC, and it is just as secure.
- AES-256-CBC: CBC mode provides confidentiality only. OpenVPN adds integrity separately with the HMAC selected by the auth directive, so a CBC configuration without a strong auth setting is incomplete.
- AES-128-CBC: The best choice for embedded OpenVPN devices running versions older than 2.4 that cannot use GCM. AES-128 is still far beyond any practical attack; the 256-bit variants add margin, not a fix for a known weakness.
Data Authentication ensures that every packet arrives exactly as it was sent. Its main job is to stop an active attacker who intercepts your traffic from altering it undetected; a bare CBC ciphertext can be modified in transit and the receiver will decrypt the result without complaint. LiquidVPN uses HMAC-SHA512 exclusively for OpenVPN. One caveat: when a GCM cipher is negotiated, OpenVPN ignores the auth setting for the data channel, because the AEAD tag already authenticates every packet; the setting still governs the HMAC used by tls-auth on the control channel.
Control Channel Ciphers
The Control Channel is the outer layer: the TLS session in which your client and the server prove their identities to each other and agree on the keys for the data channel. It is worth using the strongest settings available here, because an attacker who can break the TLS session learns the data channel keys no matter which data cipher you chose. These are the TLS cipher suites we allow:
- AES-256-GCM with SHA384 (the suite OpenVPN lists with the suffix WITH-AES-256-GCM-SHA384): Requires OpenVPN 2.3.3 or later. In a TLS 1.2 GCM suite the SHA384 names the handshake's PRF hash; the records themselves are authenticated by the GCM tag, not by an HMAC.
- AES-256-CBC with HMAC-SHA1: Still considered a safe suite despite the SHA1 in the name. The known attacks on SHA1 are collision attacks, and HMAC does not depend on collision resistance, so HMAC-SHA1 is unaffected. It is kept for older clients that lack the GCM suite.
A VPN has to force strong encryption rather than hope for it, because TLS negotiates whatever both sides are willing to accept, and a permissive server will happily settle for a weak client. OpenVPN lets the operator enforce this with a short tls-cipher list and a tls-version-min setting. At LiquidVPN we allow only a short list of the best suites and enforce a minimum TLS version of 1.2.
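The following is an added example, not LiquidVPN's own code or configuration: a small audit script that reads an OpenVPN client config and reports the settings above that are missing or weak. The two embedded configs are constructed for illustration (vpn.example.invalid is not a real server, and the key exchange in the suite names is assumed to be DHE-RSA); the policy they are checked against follows this page, not any real LiquidVPN file.

```python
"""Audit an OpenVPN client config against the policy described on this page.

Added example, not LiquidVPN's or OpenVPN's code. Where a line is missing,
the defaults assumed here (BF-CBC, SHA1, TLS 1.0) are those of OpenVPN 2.3/2.4.
"""
import re

ALLOWED_DATA_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "AES-256-CBC", "AES-128-CBC"}
ALLOWED_AUTH = {"SHA512", "SHA256"}
BAD_SUITE_WORDS = ("RC4", "3DES", "DES-", "MD5", "NULL", "EXPORT")

# Constructed weak config (not a real LiquidVPN file).
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
auth SHA1
tls-version-min 1.0
<ca>
(certificate omitted in this constructed example)
</ca>
"""

# Constructed hardened counterpart; suite names assume DHE-RSA key exchange.
HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
tls-auth ta.key 1
<ca>
(certificate omitted in this constructed example)
</ca>
"""


def parse_config(text):
    """Map directive -> args for top-level lines. Inline <ca>...</ca> style
    blocks are skipped; a repeated directive keeps its last occurrence."""
    directives = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == "</%s>" % in_block:
                in_block = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            in_block = m.group(1)
        elif line and not line.startswith(("#", ";")):
            name, *args = line.split()
            directives[name] = args
    return directives


def audit(text):
    """Return (directive, problem) pairs; an empty list means the config passes."""
    cfg = parse_config(text)
    findings = []

    cipher = cfg.get("cipher", ["BF-CBC"])[0].upper()
    if cipher not in ALLOWED_DATA_CIPHERS:
        findings.append(("cipher", "%s is not an AES-GCM or AES-CBC cipher" % cipher))

    # With a GCM cipher OpenVPN ignores auth on the data channel, but the same
    # setting still selects the HMAC used by tls-auth, so it is checked either way.
    auth = cfg.get("auth", ["SHA1"])[0].upper()
    if auth not in ALLOWED_AUTH:
        findings.append(("auth", "%s is weak; use SHA512 (or SHA256)" % auth))

    tls_min = float(cfg.get("tls-version-min", ["1.0"])[0])
    if tls_min < 1.2:
        findings.append(("tls-version-min", "TLS %.1f allowed; require 1.2" % tls_min))

    # Every listed suite must use an ephemeral (EC)DHE exchange and no broken primitive.
    suites = [s for s in cfg.get("tls-cipher", [""])[0].split(":") if s]
    if not suites:
        findings.append(("tls-cipher", "no suite list; the TLS library default is used"))
    for s in suites:
        if "DHE" not in s.upper() or any(w in s.upper() for w in BAD_SUITE_WORDS):
            findings.append(("tls-cipher", "%s lacks forward secrecy or uses a broken primitive" % s))

    if "tls-auth" not in cfg:
        findings.append(("tls-auth", "missing; control channel packets are not HMAC-filtered"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or "passes")
```

Run it against your own .ovpn file by passing its contents to audit(); the weak sample above produces one finding per directive, the hardened one none. The script only reads the config text, so it cannot tell you the size of the server's RSA or DH keys; for those you still need to inspect the certificate and the connection log.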
RSA keys sit inside the certificates that the server and the client use to prove who they are during the TLS handshake. The larger and stronger the key, the harder it is for an attacker to forge that identity.
Do not use or settle for 1024 bit keys; 2048 bits is the floor today.
Diffie-Hellman is the key exchange that gives the connection perfect forward secrecy. The client and VPN server derive a fresh shared secret for every session, and nothing that could reconstruct it is stored, so a later compromise of the server's RSA key does not expose past traffic. The size of the DH group is fixed by the server's DH parameters.
LiquidVPN uses either 2048 or 4096 bit Diffie-Hellman.
TLS authentication (tls-auth) adds an HMAC, keyed with a static pre-shared key, to every control channel packet. The server drops any packet whose HMAC does not verify before the TLS code ever parses it. That blocks port scans and DDoS floods cheaply, and it shields the TLS implementation from unauthenticated input should a flaw ever be found there.
LiquidVPN uses a 2048 bit static key for tls-auth.
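Data authentication (the auth SHA512 setting) and tls-auth are the same mechanism applied to two channels: an HMAC over each packet, checked before anything else happens. The added example below, which is not LiquidVPN's or OpenVPN's code, shows both with the Python standard library. The stream cipher in it is a stand-in built from HMAC-SHA256 in counter mode so the file runs without a crypto library; it is not AES, and the real OpenVPN packet layout differs. What it shares with unauthenticated AES-CBC or AES-CTR is the point that matters: a bit flipped in the ciphertext produces a controlled change in the plaintext, and only the HMAC-SHA512 tag reveals it. The payloads and "control packets" are constructed for the demo.

```python
"""Encrypt-then-MAC and a tls-auth style packet filter, stdlib only.

Added example, not LiquidVPN's or OpenVPN's code. keystream_xor is a
stand-in for AES (HMAC-SHA256 in counter mode), used so the file runs
without a third-party crypto library. CBC is malleable in a slightly
different pattern (a flipped ciphertext bit garbles one block and flips
the same bit in the next), but the conclusion is identical: without a
MAC the receiver cannot tell.
"""
import hashlib
import hmac
import os

IV_LEN = 16
TAG_LEN = 64  # HMAC-SHA512 output size


def keystream_xor(key, iv, data):
    """Stand-in stream cipher: XOR data with HMAC-SHA256(key, iv || counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def tag(mac_key, msg):
    """HMAC-SHA512, the same primitive OpenVPN uses for 'auth SHA512'."""
    return hmac.new(mac_key, msg, hashlib.sha512).digest()


def seal(enc_key, mac_key, plaintext, iv=None):
    """Encrypt-then-MAC: iv || ciphertext || HMAC(iv || ciphertext)."""
    iv = iv or os.urandom(IV_LEN)
    body = iv + keystream_xor(enc_key, iv, plaintext)
    return body + tag(mac_key, body)


def open_unauthenticated(enc_key, packet):
    """What a receiver that never checks the tag does (CBC without a usable auth)."""
    iv, ct = packet[:IV_LEN], packet[IV_LEN:-TAG_LEN]
    return keystream_xor(enc_key, iv, ct)


def open_authenticated(enc_key, mac_key, packet):
    """Verify the tag in constant time before decrypting; None means 'drop it'."""
    body, received = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if len(packet) <= TAG_LEN or not hmac.compare_digest(tag(mac_key, body), received):
        return None
    return keystream_xor(enc_key, body[:IV_LEN], body[IV_LEN:])


def flip_ciphertext_byte(packet, offset, delta):
    """Attacker XORs one ciphertext byte; in a stream mode the same XOR lands on the plaintext."""
    pos = IV_LEN + offset
    return packet[:pos] + bytes([packet[pos] ^ delta]) + packet[pos + 1:]


def tls_auth_filter(static_key, packets):
    """tls-auth in miniature: a control packet must carry a valid HMAC under the
    pre-shared static key or it is dropped before TLS ever parses it."""
    kept = []
    for pkt in packets:
        body, received = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        if len(pkt) > TAG_LEN and hmac.compare_digest(tag(static_key, body), received):
            kept.append(body)
    return kept


def demo():
    """Returns (what an unauthenticated receiver decrypts, what an authenticated
    one returns, which control packets survive the tls-auth filter)."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"transfer 100 to alice"  # constructed sample payload
    packet = seal(enc_key, mac_key, msg)
    # '1' (0x31) XOR 0x08 == '9' (0x39): one flipped bit turns 100 into 900.
    evil = flip_ciphertext_byte(packet, msg.index(b"100"), 0x08)
    unauth = open_unauthenticated(enc_key, evil)
    auth = open_authenticated(enc_key, mac_key, evil)

    static_key = os.urandom(64)
    hello = b"CONTROL_HARD_RESET_CLIENT_V2"  # constructed stand-in for a handshake packet
    flood = [os.urandom(96) for _ in range(3)]  # constructed garbage, as from a scanner
    kept = tls_auth_filter(static_key, [hello + tag(static_key, hello)] + flood)
    return unauth, auth, kept


if __name__ == "__main__":
    print(demo())
```

The unauthenticated receiver decrypts "transfer 900 to alice" and has no way to know it was changed; the authenticated one returns None and the packet is dropped, and of the four control packets only the one carrying a valid HMAC under the static key reaches the (simulated) TLS layer. Note that both checks use hmac.compare_digest, so the time taken to reject a forgery does not leak which byte of the tag was wrong.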
How LiquidVPN uses the best encryption to keep your VPN secure.
We support several types of VPN, but when it comes to hiding your IP address and preventing someone from listening in on the conversation between your device and the server it is talking to, OpenVPN is the clear winner. OpenVPN supports multiple key sizes, key algorithms, key exchanges, and ciphers. Because there are dozens of options, selecting the right combination of speed, privacy, trust, and security is arguably the hardest and most important task in an OpenVPN deployment.
LiquidVPN defaults to what are arguably the most secure VPN encryption options OpenVPN supports. We realized early on that our users want choices when it comes to VPN connections and encryption, which is why you can establish a secure tunnel to three different VPN topologies, shared, public, and Modulating IP Addresses, with a range of OpenVPN encryption settings. LiquidVPN lets you modify how your VPN traffic is handled and scrambled: adjust your VPN encryption to improve performance on a SOHO router, or try the latest AEAD ciphers supported by OpenVPN.