Article
Hash vs Encryption vs Encoding: What Each One Actually Does
6 min read
Introduction: Three Words People Constantly Mix Up
Few topics in computing get confused as often as hashing, encryption and encoding. They sound similar, they all turn readable data into something that looks scrambled, and they are frequently swapped for one another in conversation, code reviews and even security audits. But they are three completely different things, built for three different jobs. Mixing them up is not a harmless slip of vocabulary — it leads to real mistakes, like assuming data is protected when it is wide open, or trying to "reverse" something that can never be reversed. This guide draws a clear line between the three. If you are starting from the very beginning, our explainer on what a hash is and how digital fingerprints work is a useful companion read.
Hashing: One-Way, Fixed-Length, for Integrity
Hashing takes an input of any size — a one-line message or a ten-gigabyte disk image — and produces a short, fixed-length fingerprint called a hash or digest. The defining feature is that it is one-way: there is no key, no process, and no trick that turns the hash back into the original input. You cannot get the input back, by design. Change a single byte of the input and the hash changes completely, which is exactly why hashing is the tool of choice for integrity: record a file's hash today, recompute it later, and a matching value proves the file is untouched. Hashing is what powers password storage, download verification and digital-evidence checks. Note that not every algorithm is still safe for security use — see why MD5 and SHA-1 are broken and why modern choices like SHA-256 matter.
Encryption: Two-Way, with a Key, for Confidentiality
Encryption is built for the opposite of permanence — it is deliberately reversible, but only by the right person. It scrambles readable data (plaintext) into unreadable ciphertext using a secret key, and the holder of that key can reverse the process to recover the original exactly. The goal is confidentiality: keeping data secret from anyone who does not have the key. Without the key the ciphertext is useless; with the key it comes back perfectly. This is how messaging apps protect chats, how laptops protect their disks, and how websites protect data in transit. The key — not the algorithm — is the secret, and protecting that key is the whole game.
Encoding: Reversible, No Secret, Just a Format Change
Encoding is the odd one out, because it has nothing to do with security at all. It simply converts data from one format into another so it can travel safely through systems that expect a particular shape — for example, turning raw bytes into text-safe characters with Base64. Encoding is fully reversible and uses no secret key whatsoever; the scheme is public and published, so anyone can decode it instantly. Base64, URL-encoding and hex are all encodings. They make data portable, not private. If you ever catch yourself thinking encoding "hides" something, stop — it does not.
A Side-by-Side Comparison
Put the three next to each other and the differences become obvious. The questions that matter are: what is it for, can it be reversed, does it need a key, and what does the output look like.
| Hashing | Encryption | Encoding | |
|---|---|---|---|
| Purpose | Integrity (prove unaltered) | Confidentiality (keep secret) | Portability (change format) |
| Reversible? | No — one-way | Yes — with the key | Yes — by anyone |
| Needs a key? | No | Yes — a secret key | No secret (public scheme) |
| Output | Fixed-length digest | Variable-length ciphertext | Reformatted data (e.g. Base64) |
Common Mistakes to Avoid
Two errors show up again and again. The first is treating Base64 as encryption — storing a password, token or document in Base64 and believing it is protected. It is not; anyone can decode it in one step, because encoding has no secret. The second is talking about "decrypting" a hash. A hash is one-way, so there is nothing to decrypt and no key that could do it. So-called "hash decryption" is really just guessing inputs, hashing each guess, and watching for a match — which only works against weak or short values and is not reversal at all. If a sentence treats a hash as something you can undo, the sentence is wrong.
Where Each One Belongs
Choosing correctly is simple once the purposes are clear. Reach for hashing when you need to prove that something has not changed — verifying a downloaded file, storing passwords safely, or producing an evidence-integrity certificate that shows a file is untampered. Reach for encryption when you need to keep data secret from everyone except an authorised keyholder — protecting a disk, a database column or a network connection. Reach for encoding only when you need to move data safely between systems that expect a particular text format, never for protection. Get this matching right and most "security" bugs around these three concepts simply disappear.
Frequently Asked Questions
What is the main difference between hashing, encryption and encoding?
Hashing is one-way: it turns any input into a fixed-length fingerprint that cannot be reversed back to the
original, and it is used to prove integrity. Encryption is two-way: it scrambles data with a secret key so
only a keyholder can reverse it, and it is used for confidentiality. Encoding is also two-way but uses no
secret at all: it simply changes a data format, such as Base64, so it offers no security and anyone can
reverse it.
Can you reverse a hash to get the original input back?
No. A cryptographic hash is designed to be one-way, so there is no key or process that turns a hash back
into the original file or text. People sometimes say they will "decrypt" a hash, but that is impossible.
The closest anyone can do is guess inputs, hash each guess, and look for a match, which only works for weak
or short inputs and is not actual reversal.
Is Base64 a form of encryption?
No. Base64 is encoding, not encryption. It rearranges bytes into a text-safe format using a public, fixed
scheme with no secret key, so anyone can decode it instantly. Treating Base64 as a way to hide or protect
data is a common and serious mistake. If you need confidentiality, use real encryption with a key; if you
only need integrity, use hashing.
Which should I use to verify a file has not been altered?
Use hashing. Compute a hash such as SHA-256 over the file when you record it, then recompute it later and
compare. If the two hashes match, the file is unchanged; if even one byte differs, the hash changes
completely. Encryption and encoding do not answer the integrity question, which is exactly what hashing is
built for.
Do hashing and encoding need a key like encryption does?
No. Only encryption uses a secret key, which is what makes it reversible by the keyholder and confidential
to everyone else. Hashing uses no key and is deliberately irreversible. Encoding also uses no secret, only
a public, published scheme, which is why it is reversible by anyone and provides no protection at all.
Conclusion
Remember the one-line version: hashing proves integrity and cannot be reversed, encryption protects secrecy and can be reversed with a key, and encoding only changes format and protects nothing. Keep those three jobs straight and you will avoid the mistakes that catch out even experienced engineers. The easiest way to make hashing's one-way nature click is to watch it happen: drop a file into e-Dex — the free, offline Digital Evidence Integrity Suite, and see an irreversible hash computed on your own machine. Change one character and watch the entire fingerprint change, with no way back. That is hashing — and now you know exactly how it differs from the other two.