§ Encryption
What Is AES-256 Encryption? A Plain-English Guide for iPhone Users
What is AES-256 encryption, why 256 bits is mathematically uncrackable, and how it actually protects the notes on your iPhone. Honest, technical, no marketing fluff.
Quick answer: AES-256 is a symmetric cipher with a 256-bit key, standardized by NIST in 2001 and used everywhere from US government Top Secret data to the disk encryption on your iPhone. What is AES-256 encryption in one sentence: it is the math function that scrambles your notes into bytes that nobody without the key can unscramble. The key — not the algorithm — is the part you actually have to protect.
What AES-256 actually is
AES stands for Advanced Encryption Standard. It was selected by NIST in 2001 from a public competition and codified as FIPS 197. The winning algorithm was Rijndael, designed by two Belgian cryptographers — Joan Daemen and Vincent Rijmen. AES is a symmetric block cipher: the same key encrypts and decrypts, and it operates on fixed 128-bit blocks of data. The number after AES — 128, 192, or 256 — refers to the key length in bits, not the block size.
The cipher itself is not a secret. The spec is published, every cryptographer on Earth has stared at it, and the open scrutiny is part of why we trust it. AES-256 is not magic. It is just a very large lock. The interesting question is not “how does AES work,” but “why is a 256-bit key out of reach.”
Why 256 bits is mathematically uncrackable
A 256-bit key has 2^256 possible values. Written out, that is roughly 1.16 × 10^77 — a number larger than the count of atoms in the observable universe by some estimates. To brute-force a single AES-256 key by trying every possibility, imagine a hypothetical computer running at one trillion (10^12) attempts per second. Now imagine a billion of those running in parallel. You would still need on the order of 10^48 years to exhaust the keyspace — the universe is about 1.4 × 10^10 years old.
AES-128 is already in the same category. Its 2^128 keyspace is small enough to discuss in finite numbers but still well outside the budget of any nation-state. AES-256 mostly buys you a margin against future cryptanalytic improvements and the partial speedup that quantum search (Grover's algorithm) would offer.
| Attribute | AES-128 | AES-256 |
|---|---|---|
| Key size | 128 bits | 256 bits |
| Possible keys | 2^128 (~3.4 × 10^38) | 2^256 (~1.2 × 10^77) |
| Rounds per block | 10 | 14 |
| Brute-force time (classical) | Infeasible | More infeasible |
| Effective bits vs Grover | 64 bits — borderline | 128 bits — safe |
| Speed | Slightly faster | ~40% slower per block |
| Typical use | iCloud at-rest, TLS | Long-lived secrets, E2EE notes |
In practice, no AES key has ever been brute-forced in the open literature. Real attacks target the surrounding code — weak key derivation, reused initialization vectors, side-channel leaks from CPU timing — not the cipher itself.
How AES-256 protects your notes in practice
A notes app does not encrypt with your password directly. Your password gets fed through a key derivation function — typically PBKDF2 with 100,000+ iterations or Argon2 — which produces the AES-256 key. The derivation deliberately burns CPU time so that even if an attacker steals the encrypted blob, guessing passwords offline becomes painfully slow. Secure Notes uses PBKDF2 at 100,000 iterations and a 12-word recovery seed as a parallel high-entropy fallback.
Each note is then encrypted with AES-256 in an authenticated mode — usually GCM (Galois/Counter Mode). Authenticated encryption gives you both confidentiality (nobody can read it) and integrity (nobody can tamper with it without you noticing). The ciphertext, the IV, and the authentication tag get stored. Your password never gets stored anywhere.
What AES-256 does not protect you against:
- An unlocked phone in the wrong hands. Once you have authenticated, the keys are in memory. AES cannot help you here — biometric lock and short auto-lock timers can.
- Shoulder surfing and screenshots. Decryption happens on screen. That is the whole point. Decrypted content is by definition human-readable.
- A weak password.AES-256 with a key derived from “password123” is still trivially defeated by an offline dictionary attack.
- Backups in the clear. If your app writes plaintext to iCloud Drive or an iTunes backup, the cipher in the app is irrelevant.
AES-256 in Secure Notes vs other apps
Two apps can both claim “AES-256 encryption” and ship wildly different security postures. The differentiators are below the cipher line: who holds the key, how it is derived, what mode is used, and what gets encrypted.
Secure Notes uses AES-256-GCM with a key derived from your master password via PBKDF2 at 100,000 iterations. Encryption happens on-device before any sync. The publisher holds nothing decryptable. This is what people mean by a zero-knowledge architecture. Compare that to apps that advertise “AES-256” but use it only for at-rest server storage with server-held keys — technically true, materially weaker. Our comparison of encrypted notes apps breaks down which apps are which.
Two other quick tells: authenticated mode (GCM beats CBC for tamper resistance) and per-note unique IVs(reusing an IV with the same key is a catastrophic mistake). Reputable apps publish this; sketchy apps wave their hands about “bank-grade.” If you want a deeper dive into how this all maps onto a single iPhone-first app, our private note-taking app guide spells out the day-to-day implications.
Frequently asked: AES-256 encryption
Is AES-256 actually unbreakable?
In practical terms, yes. AES-256 has 2^256 possible keys — roughly 10^77. Brute-forcing a single key at a trillion attempts per second would still take longer than the current age of the universe. No public cryptanalytic attack has materially weakened it since its 2001 standardization. What gets broken in the real world is the surrounding code — bad key derivation, leaked IVs, side channels — not the cipher itself.
What is the difference between AES-128 and AES-256?
Both are the same algorithm with different key sizes. AES-128 uses 128-bit keys and 10 rounds. AES-256 uses 256-bit keys and 14 rounds. AES-128 is already considered uncrackable by classical computers. AES-256 buys you a larger margin and is the safer default for long-lived data like notes you may still want secret in 2050.
Does Apple use AES-256?
Yes. The iPhone's hardware encryption engine uses AES-256 for full-disk encryption tied to the Secure Enclave. iCloud at-rest storage uses AES-128 in most places, with AES-256 for end-to-end encrypted data classes under Advanced Data Protection. Apple's own documentation is in the Apple Platform Security guide, which is the canonical reference if you want the gory detail.
Can quantum computers break AES-256?
Not for the foreseeable future. Grover's algorithm theoretically halves the effective key strength, taking AES-256 from 256 bits to a 128-bit search — still computationally infeasible. Symmetric ciphers like AES are far more quantum-resistant than the RSA and elliptic-curve public-key systems used for key exchange. AES-256 is the post-quantum-safe choice today.
Is AES-256 the same as end-to-end encryption?
No. AES-256 is a cipher — a math function. End-to-end encryption is an architecture choice about who holds the keys. An app can use AES-256 and still be readable by its publisher if the publisher holds the keys. E2EE means the keys are derived and held on your device only, so even the publisher cannot decrypt your data.
How do I know if an app actually uses AES-256?
Read the privacy page and look for specific cipher names — AES-256-GCM, AES-256-CBC. Vague phrases like 'military-grade' or 'bank-level' encryption are a tell that there is no real spec behind the claim. Bonus points if they name the key derivation function (PBKDF2, Argon2) and iteration count. A reputable app will also publish a security overview or third-party audit.
Keep reading
Related guides
Privacy
Encrypted notes on iOS, explained
What end-to-end encryption actually does for the notes on your iPhone.
Comparison
Best encrypted notes apps for iPhone
Secure Notes, Standard Notes, Notesnook, Bear, Apple Notes — head-to-head.
Encryption
Zero-knowledge architecture, explained
What 'zero-knowledge' actually means, and how to spot a fake claim.