What is AES-256-GCM?
AES-256-GCM is a standard authenticated encryption algorithm. AES is the cipher, 256 is the key length in bits, and GCM is a mode that both scrambles the data and detects tampering — if the encrypted data has been altered, decryption refuses rather than returning something wrong.
How AES-256-GCM works
AES has been the standard block cipher since 2001, standardised by NIST after a public, years-long selection process — it’s the most analysed cipher in existence, and at a 256-bit key length, brute force is not a conversation. Your browser already runs it constantly: most HTTPS connections you make today are encrypted with exactly this algorithm.
GCM — Galois/Counter Mode — is what turns encryption into authenticated encryption. Alongside the ciphertext it produces a short authentication tag, computed over the encrypted data. On decryption the tag is checked first; if even one bit of the ciphertext was flipped or swapped, the check fails and nothing is returned. Without that property, encrypted data can be silently corrupted or spliced — scrambled is not the same as safe.
GCM has one strict rule: the nonce — the number-used-once fed into each encryption — must never repeat under the same key. A repeated nonce leaks the XOR of the two plaintexts encrypted under it and undermines the authentication tag, so implementations must draw a fresh random or counter-based nonce for every encryption. Handled correctly, that’s a bookkeeping detail; it’s the kind of detail implementations are judged on.
Nothing about the algorithm is secret — the design is public and has been attacked in the open for a quarter of a century. That’s the property you want: the security lives entirely in the key, which is why key handling, not cipher choice, is where encryption schemes succeed or fail. The 256 sets the size of the key space; every added bit doubles it.
In Twiga
AES-256-GCM is the cipher that seals your channel list. The sealing runs in your browser through WebCrypto — the browser’s built-in cryptography — using keys derived via HKDF from a 256-bit key only you hold. What reaches our database is ciphertext; a stolen copy of it is a box of locked envelopes.
The DEK (data encryption key) that does the sealing is itself wrapped — under your key, and again under your recovery code — so either opener works without re-encrypting the list.
The GCM tag is doing real work here: a sealed channel URL that’s been swapped or altered fails its check and refuses to open, instead of quietly decrypting to the wrong thing.
Your list, sealed at set-up: create your key