
AES-256 Encryption Explained for Crypto Holders

What AES-256-GCM actually does under the hood, why it is government-grade security, and what it means in practice for protecting your seed phrase.

By SeedCrypt Team · March 28, 2026 · 7 min read

What Is AES?

AES stands for Advanced Encryption Standard. It is a symmetric block cipher (meaning the same key is used for both encryption and decryption) standardized by the U.S. National Institute of Standards and Technology (NIST) in 2001. It replaced the older DES and 3DES standards and has since become the dominant encryption algorithm used in virtually every security-sensitive application on the planet.

When you connect to a bank website over HTTPS, AES (almost always in GCM mode) is the cipher that usually encrypts the connection. When you store files in an encrypted vault, AES is almost certainly doing the work. When U.S. national security systems protect classified information at rest, AES-256 is the approved algorithm. It is not a niche cryptographic algorithm; it is the foundation of modern digital security.

What Does "256" Mean?

The number refers to the key length in bits. AES supports three key sizes: 128, 192, and 256 bits. A 256-bit key means there are 2^256 possible keys, approximately 1.16 × 10^77. To give you a sense of scale: there are an estimated 10^80 atoms in the observable universe. The number of possible AES-256 keys approaches that scale.

A brute-force attack (trying every possible key until you find the right one) against AES-256 is computationally infeasible not just with today's hardware, but with any conceivable hardware. Even if you had every atom in the universe working as a computing element since the Big Bang, you would not come close to exhausting the keyspace.

AES-128 is also considered unbreakable by brute force, but AES-256 provides an additional security margin against theoretical future attacks, including potential advances in quantum computing.

What Is GCM?

GCM stands for Galois/Counter Mode. It is a mode of operation for block ciphers that provides two things simultaneously: confidentiality (the standard encryption that makes plaintext unreadable) and authenticity (a cryptographic tag that detects any modification to the ciphertext).

The authentication component is what makes GCM particularly valuable for backup applications. The encryption half of GCM is counter mode, in which each plaintext bit is XORed with one keystream bit, so flipping a bit of the ciphertext flips exactly the same bit of the decrypted plaintext. Without authentication, an attacker who obtained your encrypted backup and knew its layout could rewrite specific positions without the password: a different seed phrase that they control, or one that decrypts to garbage. GCM's authentication tag prevents this: if a single bit of the ciphertext has been altered, the tag check fails, decryption is refused completely, and you receive an error rather than corrupted data.

This combination is called Authenticated Encryption with Associated Data (AEAD). The "associated data" is extra information, such as a file header or version field, that is covered by the tag but sent in the clear. AES-256-GCM is one of the two most widely recommended AEAD constructions for general use (ChaCha20-Poly1305 is the other).

How Does AES-256-GCM Actually Work?

You do not need to understand the mathematics to use AES-256-GCM correctly, but a conceptual understanding helps you evaluate claims made by software tools.

The key and IV

AES-256-GCM requires a 256-bit key and, in its standard form, a 96-bit Initialization Vector (IV), also called a nonce. The IV is not secret and is stored next to the ciphertext, but it must never repeat under the same key. Two messages encrypted with the same key and IV leak the XOR of their plaintexts (the keystream cancels out), and the repeat also exposes GCM's authentication subkey, after which an attacker can forge valid tags. The AES key itself is not revealed, but both confidentiality and integrity are lost. Quality implementations generate a fresh random IV for every encryption; with a random 96-bit IV the probability of a repeat stays negligible for up to roughly 2^32 messages per key, far more than a backup tool will ever produce under one key.

The encryption process

AES operates on 128-bit blocks. GCM never feeds your data through AES directly: it encrypts a sequence of counter blocks (the IV followed by a 32-bit block counter) to produce a keystream, and XORs that keystream with the plaintext to produce ciphertext. Each counter block goes through 14 rounds (for 256-bit keys) of substitution, permutation, and mixing, which is what makes the keystream unpredictable without the key. Decryption applies the same XOR, so the ciphertext is exactly as long as the plaintext, plus the tag described next.

The authentication tag

After encryption, GCM produces a 128-bit authentication tag computed over the ciphertext and any associated data, keyed by the key and the IV. This tag is stored alongside the ciphertext. During decryption, the tag is recomputed and compared (in constant time, so that timing does not leak how many bytes matched); if the two differ, decryption is rejected and an error is returned without releasing any plaintext.
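The three pieces above (fresh 96-bit IV, counter-mode keystream, 128-bit tag) in working code. This is an added example written for this article in Go using only the standard library; it is not SeedCrypt's code, and the Backup layout, the label used as associated data and the placeholder seed words are assumptions. It also deliberately breaks the IV rule once, to show exactly what reuse leaks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Backup is what would be written to disk: the nonce travels in the clear
// (it must be unique, not secret) and GCM appends the 16-byte tag to the
// ciphertext. This layout is an assumption for the example, not a real format.
type Backup struct {
	Nonce      []byte // 12 bytes, fresh for every Encrypt call
	Ciphertext []byte // len(plaintext) + 16 bytes of tag
}

// newAEAD builds AES-256-GCM (96-bit nonce, 128-bit tag) from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs exactly 32 key bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a random nonce. label is the associated
// data: covered by the tag but not encrypted (a format/version string is
// the usual use).
func Encrypt(key, plaintext, label []byte) (Backup, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Backup{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Backup{}, err
	}
	return Backup{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, label)}, nil
}

// Decrypt recomputes the tag (Go compares it in constant time) and returns
// an error, with no partial plaintext, if nonce, ciphertext, tag or label
// were changed.
func Decrypt(key []byte, b Backup, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, label)
}

// flipBit models tampering: a copy of buf with bit i inverted.
func flipBit(buf []byte, i int) []byte {
	out := append([]byte(nil), buf...)
	out[i/8] ^= 1 << uint(i%8)
	return out
}

// NonceReuseLeak deliberately breaks the IV rule: it seals p1 and p2 under
// the same key and nonce and XORs the two ciphertexts. GCM is CTR mode
// underneath, so the keystream cancels and the result is p1 XOR p2; an
// attacker who knows one plaintext reads the other. Never do this outside
// a demonstration.
func NonceReuseLeak(key, nonce, p1, p2 []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	c1 := aead.Seal(nil, nonce, p1, nil)
	c2 := aead.Seal(nil, nonce, p2, nil)
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	x := make([]byte, n)
	for i := 0; i < n; i++ {
		x[i] = c1[i] ^ c2[i]
	}
	return x, nil
}

func main() {
	key := make([]byte, 32) // in a real tool this comes from the password KDF
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed placeholder, not a real seed phrase.
	seed := []byte("word01 word02 word03 word04 word05 word06 word07 word08 word09 word10 word11 word12")
	label := []byte("example-backup-v1") // assumed associated data

	b, err := Encrypt(key, seed, label)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(key, b, label)
	fmt.Printf("round trip ok: %v; %d plaintext bytes -> %d ciphertext+tag bytes\n",
		err == nil && bytes.Equal(pt, seed), len(seed), len(b.Ciphertext))

	tampered := b
	tampered.Ciphertext = flipBit(b.Ciphertext, 5) // one bit of the first byte
	_, err = Decrypt(key, tampered, label)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	_, err = Decrypt(key, b, []byte("wrong-label"))
	fmt.Println("wrong associated data rejected:", err != nil)

	leak, _ := NonceReuseLeak(key, b.Nonce, []byte("AAAAAAAA"), []byte("ABABABAB"))
	fmt.Printf("nonce reuse leaks p1 XOR p2: %x\n", leak) // 0003000300030003
}
```

Note that `Open` returns nothing at all when the tag fails; a tool that decrypts first and checks afterwards, or that logs partial output on failure, throws away the guarantee GCM gives you.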

The Role of PBKDF2 in Seed Phrase Encryption

AES-256 requires a 256-bit key. Human-chosen passwords are not 256-bit keys; they are relatively short strings with limited entropy. Hashing a password once and using the result as the AES key would be extremely weak, because commodity GPUs can try billions of such guesses per second.

This is where PBKDF2 (Password-Based Key Derivation Function 2) comes in. PBKDF2 takes your password and a random salt and transforms them into a proper 256-bit key through a deliberately expensive chain of HMAC computations. SeedCrypt uses PBKDF2-SHA512 with 600,000 iterations, meaning each password guess requires 600,000 sequential HMAC-SHA512 computations. An attacker trying to brute-force passwords is slowed down by roughly that factor: each guess costs 600,000 operations instead of one. The salt, stored beside the ciphertext, ensures that the same password yields a different key for every backup, so no precomputed table can be shared across targets. One caveat a practitioner should keep in mind: PBKDF2 is not memory-hard, so a GPU farm can run many guesses in parallel, and the entropy of the password itself still decides how long the backup holds. A long passphrase matters more than the iteration count.
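PBKDF2 written out as the RFC 8018 chain of HMAC calls, so the cost per guess is visible rather than hidden inside a library call. This is an added example in Go for this article, not SeedCrypt's code; the 16-byte salt length, the example password and the RFC 6070 check are assumptions or published test data, and the 600,000 / SHA-512 / 32-byte parameters are the ones the article states. Production code would normally call golang.org/x/crypto/pbkdf2, which implements the same algorithm.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha512"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
	"time"
)

// Iterations is the figure quoted in the article.
const Iterations = 600000

// PBKDF2 is RFC 8018 section 5.2 on top of HMAC. Each output block is a
// chain of `iter` HMAC calls, and U_j depends on U_{j-1}, so a single guess
// cannot skip ahead or be split across cores.
func PBKDF2(h func() hash.Hash, password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(h, password)
	out := make([]byte, 0, keyLen+prf.Size())
	var index [4]byte
	for block := 1; len(out) < keyLen; block++ {
		// U_1 = PRF(password, salt || INT_32_BE(block))
		binary.BigEndian.PutUint32(index[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(index[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = PRF(password, U_{j-1});  T_block = U_1 xor U_2 xor ... xor U_iter
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveAESKey applies the article's parameters: PBKDF2-HMAC-SHA512,
// 600,000 iterations, 32 output bytes, i.e. one AES-256 key.
func DeriveAESKey(password string, salt []byte) []byte {
	return PBKDF2(sha512.New, []byte(password), salt, Iterations, 32)
}

// NewSalt returns 16 random bytes (length is an assumption here). The salt
// is stored next to the ciphertext; it is not secret, but it makes each
// backup's key unique and defeats precomputed password tables.
func NewSalt() ([]byte, error) {
	salt := make([]byte, 16)
	_, err := rand.Read(salt)
	return salt, err
}

// RFC6070Check pins the implementation to a published PBKDF2-HMAC-SHA1
// test vector (RFC 6070: P="password", S="salt", c=4096, dkLen=20).
func RFC6070Check() bool {
	dk := PBKDF2(sha1.New, []byte("password"), []byte("salt"), 4096, 20)
	return hex.EncodeToString(dk) == "4b007901b765489abead49d926f721d065a429c1"
}

func main() {
	if !RFC6070Check() {
		panic("PBKDF2 implementation does not match RFC 6070")
	}
	salt, err := NewSalt()
	if err != nil {
		panic(err)
	}
	password := "correct horse battery staple" // example only

	start := time.Now()
	key := DeriveAESKey(password, salt)
	perGuess := time.Since(start)
	fmt.Printf("salt %x -> key %x\n", salt, key)
	fmt.Printf("one guess costs %v on this core, about %.0f guesses/s\n",
		perGuess, 1/perGuess.Seconds())

	// Same password, fresh salt: an unrelated key, so a table built against
	// one backup is useless against another.
	salt2, _ := NewSalt()
	fmt.Println("different salt gives different key:",
		!bytes.Equal(key, DeriveAESKey(password, salt2)))
}
```

The printed guess rate is for one CPU core of the defender's machine; an attacker with GPUs runs thousands of these chains side by side, which is why the iteration count buys time but cannot substitute for password entropy.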

The combination of AES-256-GCM encryption with PBKDF2-SHA512 key derivation and a random salt is the current industry standard for symmetric encryption of sensitive data from a password.

Is AES-256 Safe Against Quantum Computers?

Quantum computers pose a genuine threat to asymmetric cryptography (RSA, ECC, the algorithms behind TLS certificates and blockchain address generation), because Shor's algorithm breaks them outright. Their impact on symmetric encryption like AES is much weaker.

Grover's algorithm, the most relevant quantum attack on symmetric ciphers, gives a square-root speedup on brute-force search: a keyspace that costs 2^n classical trials costs on the order of 2^(n/2) quantum operations, so it halves the effective key length. AES-256 would offer roughly 128-bit security against a sufficiently powerful quantum computer. That is still a keyspace nobody can search, and the 2^128 Grover iterations must run largely in sequence rather than in parallel, so the practical speedup is smaller than the headline figure suggests. AES-256 retains a substantial security margin even under this model.

Practical quantum computers capable of running Grover's algorithm at scale against AES-256 do not exist today and are not expected in the near term. AES-256 remains the recommended standard for long-term data protection.

Why Not Use Something Simpler?

You may encounter tools that use simpler encryption methods: password-protected ZIP files (the legacy ZipCrypto scheme falls to a known-plaintext attack), older ciphers like 3DES, or home-grown "encryption" schemes. The problem with these approaches is that they often have known weaknesses, poor or absent key derivation, no authentication, or implementation flaws that make them vulnerable to attacks far simpler than a full brute-force search of the keyspace.

AES-256-GCM with PBKDF2-SHA512 is not overcomplicated. It is the minimal set of building blocks needed to do this correctly. The lesson the cryptography community has learned from decades of broken simpler systems is: use the standard, and use it correctly. There is no benefit to a "lighter" approach for backup encryption, where performance is irrelevant and getting it wrong has catastrophic consequences.

SeedCrypt

Encrypt your seed phrases. Offline. Forever.

AES-256-GCM · PBKDF2-SHA512 · No cloud · Windows & Android

Get SeedCrypt from €29

Conclusion

AES-256-GCM is the gold standard for symmetric encryption. It is the cipher used to protect classified government communications, financial transactions, and sensitive personal data worldwide. Its security derives not from obscurity but from mathematical properties that have been scrutinized intensively for over two decades without a practical break being found.

For seed phrase protection, AES-256-GCM with proper key derivation means that an attacker who obtains your encrypted backup, even if they keep it for years and apply significant computing resources, cannot recover your seed phrase without the password, provided the password itself has enough entropy to survive a slowed-down guessing attack. That is exactly the property you want from a long-term archival encryption scheme.

Read our complete guide on how to encrypt your seed phrase to see how to apply this in practice.