AES-256 Encryption Explained

What is AES?

The Advanced Encryption Standard (AES) is an encryption method established by the U.S. National Institute of Standards and Technology (NIST) in 2001 as an official standard. It is used worldwide by governments, banks, and companies to protect sensitive data.

The number "256" refers to the key length in bits. The longer the key, the more secure the encryption. AES-256 uses a 256-bit key – that's 2^256 possible combinations.

How Secure Is It?

Guessing the 256-bit key itself is hopeless – even the fastest supercomputer would need billions upon billions upon billions of times longer than the universe has existed. That is why attackers do not target the key, but the password from which it is generated. How well that password is protected is shown in the demo below.

From Password to Key

AES-256 requires a key of exactly 256 bits – but you enter a password that may be only 8 characters long. A Key Derivation Function (PBKDF2) generates the actual key from it: your password is combined with a random salt and run through complex calculations one hundred thousand times. The salt – so named because it changes the input like a pinch of salt – ensures that the same password produces a different key each time. It is stored openly alongside the encrypted data and is not a secret. The many iterations are intentionally slow – barely noticeable for you, but a massive obstacle for an attacker.

Enter a password and watch live how a 256-bit key is derived from it – and how data is encrypted with it:

Demo stages:
Your Password: 8 characters
Salt (random value): unique per encryption
Key Derivation: PBKDF2, 100,000 iterations
256-Bit Key: 64 hex characters = 256 bits
Important: Neither PBKDF2 nor the salt turns a weak password into a strong one – try it above with "1234". The security of your data depends directly on the quality of your password.
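The derivation described above, as an added example that is not GrandTotal's own code: it derives a 256-bit key with PBKDF2 at 100,000 iterations, shows that a fresh salt changes the key while the stored salt reproduces it, and checks whether a short candidate list recovers a weak password. HMAC-SHA-256 as the inner hash, the 16-byte salt length and all function names are assumptions, since the page specifies none of them.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # iteration count stated on the page
KEY_BYTES = 32        # 256 bits = 64 hex characters
SALT_BYTES = 16       # assumption: the page does not give a salt length


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch a password into a 256-bit key with PBKDF2.

    HMAC-SHA-256 as the inner hash is an assumption; the page only says PBKDF2.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_BYTES
    )


def new_key(password: str) -> tuple[bytes, bytes]:
    """Encrypting: draw a fresh random salt and return (salt, key).

    The salt is stored in the clear next to the ciphertext; the key is never stored.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    return salt, derive_key(password, salt)


def first_match(salt: bytes, key: bytes, candidates: list[str]) -> str | None:
    """Audit helper: does any listed password reproduce the key from the public salt?

    Comparing keys stands in for "decryption succeeds". Each guess costs a full
    100,000-iteration derivation, which only helps if the password is not on a list.
    """
    for guess in candidates:
        if hmac.compare_digest(derive_key(guess, salt), key):
            return guess
    return None


if __name__ == "__main__":
    salt_a, key_a = new_key("1234")
    salt_b, key_b = new_key("1234")
    print(key_a.hex(), key_b.hex(), sep="\n")   # same password, two different keys
    print(derive_key("1234", salt_a) == key_a)  # the stored salt reproduces the key
    print(first_match(salt_a, key_a, ["password", "0000", "1234"]))  # constructed list
```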

Tip: You can use the randomly generated password above as-is. The password check uses the Have I Been Pwned API – only the first 5 characters of the SHA-1 hash are transmitted; your password never leaves the browser in plaintext.

Security in the Cloud

Encrypted files remain secure even in the cloud – the provider only sees unreadable data. This enables end-to-end encryption between your devices. Even in the event of a data breach, your data stays protected.

Application in GrandTotal

GrandTotal uses AES-256 for encrypted company files. Your invoices, estimates, and customer data are encrypted locally on your Mac before being saved. You can store the password in the macOS Keychain.

At a Glance

Global Standard

Used by governments and banks since 2001

Extremely Secure

Practically unbreakable, even with supercomputers

One Password Suffices

Same key for encryption and decryption

Password Quality Crucial

Weak passwords remain weak

Cloud-Safe

Encrypted files stay protected in the cloud