AES vs RSA Encryption
AES vs RSA: how symmetric and asymmetric encryption differ, when to use each, and how they combine in real systems.
Symmetric vs asymmetric: the core difference
AES and RSA are not competitors solving the same job. They live at different layers:
- AES-256 is a symmetric cipher:
- One key for both encryption and decryption.
- Very fast, suitable for encrypting large bodies of data.
- RSA-2048 is an asymmetric algorithm:
- A public key for encryption and a private key for decryption.
- Orders of magnitude slower, mainly used for key exchange and signatures.
In real systems, you almost never choose “AES or RSA.” You use AES for data and RSA (or other public-key methods) to move or authenticate keys. Confusing those roles is how you end up with slow, brittle designs.
In Inkrypt, we focus on the symmetric side: encrypting notes with AES-256-GCM in the browser, and deriving keys from passwords using PBKDF2 (310k iterations) via the Web Crypto API.
When to use AES
You use AES when:
- You need to encrypt arbitrary amounts of data: files, messages, notes, backups.
- You can safely manage a symmetric key on both ends.
- You care about both confidentiality and integrity.
Modern practice:
- AES in Galois/Counter Mode (GCM) gives:
- Confidentiality: the content is unreadable without the key.
- Integrity and authenticity: tampering is detected via an authentication tag.
- Use a fresh random IV for each encryption.
- Keep keys out of logs, URLs, and analytics.
In a browser-based system like Inkrypt:
- The Web Crypto API provides AES-GCM primitives.
- Keys are derived from user passwords with PBKDF2 at 310k iterations.
- Notes are encrypted with AES-256-GCM per save, using new IVs.
That’s what does the real bulk encryption work.
When to use RSA
You use RSA when:
- You want to distribute keys or secrets without a pre-shared secret.
- You need digital signatures to prove authenticity.
- You’re implementing or using a protocol that wraps symmetric keys in asymmetric crypto.
Typical uses:
- Key encapsulation:
- Generate a random symmetric key (for example, for AES-256-GCM).
- Encrypt that key with a recipient’s RSA public key.
- Send the encrypted key; only the private key holder can unwrap it.
- TLS handshakes (in older or specific configurations):
- RSA can be used to negotiate session keys or authenticate servers.
For data at rest, you rarely encrypt entire blobs with RSA-2048; it’s slow and size-limited. Instead, you:
- Encrypt data with AES-256-GCM.
- Encrypt the AES key with RSA-2048.
- Store both together.
That hybrid approach is the norm in protocols and systems that combine both worlds.
Why AES is used inside zero-knowledge apps like Inkrypt
Zero-knowledge apps that run in the browser care about a few properties:
- Performance: crypto must be fast enough to run on user hardware.
- Standardisation: algorithms should match what auditors expect.
- Platform support: rely on safe primitives exposed by the runtime.
AES-256-GCM via the Web Crypto API is a good fit:
- Widely supported in modern browsers.
- Hardware-accelerated on most platforms.
- Provides authenticated encryption.
Key derivation is handled separately:
- From user passwords using PBKDF2 with 310k iterations.
- Purely in the browser; passwords never leave the device.
We do not use RSA inside Inkrypt’s core note encryption because:
- There’s no public-key identity or PKI to manage.
- Notes are encrypted per password, not per long-lived keypair.
- Symmetric-only with strong KDF is simpler to reason about and implement correctly in this context.
If you integrate Inkrypt-style notes into a larger system, you might use RSA or other public-key mechanisms at a different layer—for example, to exchange note passwords or wrap keys—but not for the core bulk encryption.
Performance and security trade-offs: AES-256 vs RSA-2048
On performance:
- AES-256-GCM is designed to be fast on modern CPUs.
- RSA-2048 is dramatically slower and scales poorly with message size.
On security:
- AES-256, when used correctly, is currently considered safe against classical adversaries.
- RSA-2048 is widely deployed but more structurally exposed to future quantum attacks; upgrading generally means moving to larger key sizes or post-quantum schemes.
On threat models:
- For note encryption, file storage, and backups, AES-256-GCM with strong keys and correct IV handling is the main workhorse.
- For identity, signing, and key exchange between parties with no pre-shared secrets, RSA (or elliptic-curve alternatives) is the tool you reach for.
The right design uses both where they make sense instead of trying to force one algorithm into every role.
How this plays with browser-based encryption
In the browser:
- The Web Crypto API offers:
- AES-GCM for symmetric encryption.
- PBKDF2 for key derivation.
- Various public-key algorithms if you need them.
- Keeping secrets in JS space is fragile, but using Web Crypto correctly is significantly safer than hand-rolled crypto.
Inkrypt leans on:
- PBKDF2 with 310k iterations to derive AES keys from passwords.
- AES-256-GCM with random IVs per save for note content.
- A strict zero-knowledge model: passwords and keys never leave the browser; servers store only ciphertext and parameters.
For more about that approach, see:
- “Zero-knowledge encryption: what it actually means when we can't see your data”
- “Why we encrypt in the browser (and what happens to your password)”
FAQ: AES vs RSA encryption
Q1. Is AES more secure than RSA?
They solve different problems. AES-256 is a symmetric cipher for encrypting data; RSA-2048 is an asymmetric algorithm for keys and signatures. You usually use AES for bulk data and RSA to protect or exchange AES keys, not choose one instead of the other.
Q2. Why not encrypt everything with RSA instead of AES?
RSA is much slower and has size limits. Encrypting large payloads directly with RSA-2048 is inefficient and unnecessary. The standard pattern is to encrypt data with AES-256-GCM and then encrypt the AES key with RSA.
Q3. Which one does Inkrypt use?
Inkrypt uses AES-256-GCM for encrypting notes in the browser and PBKDF2 with 310k iterations to derive keys from passwords, all via the Web Crypto API. We do not rely on RSA for core content encryption in the product.
Q4. How do quantum computers affect AES vs RSA?
Large-scale quantum computers would weaken RSA-2048 more dramatically than AES-256. Post-quantum work focuses heavily on replacing or augmenting public-key algorithms; symmetric algorithms like AES can often be kept with adjusted parameters.
Q5. If I only care about encrypting files, which should I use?
Use AES-256-GCM (or another modern authenticated symmetric cipher) with strong keys and correct IV handling. Public-key tools like RSA are for key exchange and signatures, not for bulk file encryption.
Where to go next
To see how AES and strong key derivation show up in a real product:
- Read “Zero-knowledge encryption: what it actually means when we can't see your data”.
- Read “Why we encrypt in the browser (and what happens to your password)”.
If you want a practical example of AES-based encryption in the browser, try Inkrypt at https://www.inkrypt.online and see how zero-knowledge, client-side encrypted notes behave in day-to-day use.