SUMMARY: PIA and ExpressVPN offer the strongest encryption and security features available, with granular options to choose the settings that work for you. However, ExpressVPN pulls ahead of PIA due to its exclusive Lightway protocol and diskless TrustedServer technology.
ExpressVPN Encryption & Security Rating: 9.7
PIA Encryption & Security Rating: 8.8
Encryption & Security Winner: ExpressVPN
The table below compares ExpressVPN and PIA’s encryption strength, VPN protocols, and security features side-by-side:
| Security Feature | ExpressVPN | Private Internet Access |
| --- | --- | --- |
| VPN protocols | IKEv2/IPSec, L2TP/IPSec, OpenVPN (TCP/UDP), Lightway, PPTP | IKEv2/IPSec, L2TP/IPSec, OpenVPN (TCP/UDP), PPTP |
| Encryption Cipher | AES-256 | AES-256 |
| Kill Switch | Yes | Yes |
| Leak Protection | DNS, IPv6, WebRTC | DNS, IPv6, WebRTC |
| First-Party DNS Servers | Yes | Yes |
| Perfect Forward Secrecy | Yes | Yes |
| Split Tunneling | Yes | Yes |
| Tor over VPN | Yes | Yes |
| Diskless servers | Yes | No |
| Open-Source Apps | Yes | Yes |
Comparing ExpressVPN and PIA’s security offering side-by-side.
When it comes to encryption, both ExpressVPN and Private Internet Access are equal in almost every regard. If you’re just looking to stay safe on public WiFi, both options will suit you well.
Both VPNs offer a remarkable level of control over the way your data is encrypted. They use AES-256-CBC encryption, with an additional option for AES-256-GCM on PIA. This is combined with Perfect Forward Secrecy, a 4096-bit RSA key, and SHA-512 HMAC authentication, which verifies your connection to the server and prevents interference with the data being transmitted.
In short, PIA and ExpressVPN offer the strongest encryption available, with granular options to choose the settings that work for you.
The most secure settings aren’t selected by default in PIA, though, so we recommend changing them to OpenVPN UDP, AES-256-GCM, and RSA-2048 in the encryption settings menu.

Figure: The PIA encryption settings menu.
PIA Supports WireGuard but ExpressVPN Offers Exclusive Access to Lightway
It’s a close call when it comes to VPN tunneling protocols, too. Both VPNs let you manually choose between OpenVPN, IKEv2, and L2TP/IPSec protocols, with the option to pick between UDP and TCP connections.
PIA supports WireGuard, a secure and lightweight protocol that has grown in popularity in recent years. ExpressVPN is missing WireGuard functionality, but it makes up for it with its own open-source protocol called Lightway.
Lightway is exclusive to ExpressVPN. It uses AES or ChaCha20 encryption and performs extremely well in our speed and security tests. With Lightway, you’ll consume less bandwidth and battery power than with other VPN protocols due to its small codebase.

Figure: You can access the Lightway protocol in ExpressVPN’s ‘Protocol’ preferences menu.
PIA’s protocol selection doesn’t fall far behind, but support for Lightway pushes ExpressVPN slightly ahead when it comes to connection protocols.
PIA’s WireGuard performance also isn’t as impressive as some other top VPNs. Its OpenVPN speeds are often faster, which is contrary to what we usually see.
If you want a quick VPN that supports WireGuard, NordVPN’s speeds are faster than PIA’s.
Kill Switch & Leak Testing
We ran the mobile and desktop versions of both VPNs through IP, DNS, and WebRTC leak tests and found that our identity and location were consistently protected.
Private DNS servers and leak protection are built into both VPN services by default, but you’ll have to enable DNS leak protection manually in PIA’s Windows application, which is an unnecessary shortcoming.
Both services also include an essential VPN kill switch, which automatically disconnects you from the internet if the VPN connection drops, preventing your public IP address from being exposed.
While Private Internet Access includes a kill switch on all versions of its software, ExpressVPN does not include a kill switch on its iOS application. This is especially important if you mainly use a VPN on your iPhone or iPad.
ExpressVPN’s TrustedServer Technology Is a Clear Advantage
When it comes to encryption strength and tunneling protocols, ExpressVPN and PIA are mostly equal. However, ExpressVPN’s proprietary TrustedServer technology presents one clear advantage over PIA when it comes to security.
TrustedServer is ExpressVPN’s name for RAM-only servers, which ensure that no data is ever written to the hard drive of a VPN server. In other words, ExpressVPN is physically incapable of storing data logs because they are constantly and automatically wiped out.
This is an industry-first feature that is unique to ExpressVPN. It offers a significant security advantage over competing VPN services like PIA, which uses traditional hard drives that retain data until it is erased and written over.
ExpressVPN vs PIA: Additional Security Features Compared
For the vast majority of VPN users, additional features are not particularly useful. The most important thing about a VPN’s security is its encryption and protocol strength, which both ExpressVPN and Private Internet Access do very well.
If you’re an advanced VPN user looking for extra features to play with, you’ll find more options with PIA. However, they’re not always effective. ExpressVPN may have fewer additional tools, but those it has are very reliable.
Here’s a table comparing the additional features provided by ExpressVPN and PIA:
| Additional Security Feature | ExpressVPN | PIA |
| --- | --- | --- |
| Ad Blocker | No | Yes |
| Dedicated IP Addresses | No | Yes |
| Multi-Hop | No | Yes |
| Malware & Tracking Blocker | Yes | Yes |
| Private Browser | No | Yes |
| Shadowsocks & SOCKS5 Proxy | No | Yes |
PIA offers more additional features than ExpressVPN, but they’re not always effective.
VPN split tunneling is a useful feature that both services offer on Windows, macOS, and Android. This lets you select the websites, apps, and services you want to route through the VPN’s encrypted tunnel, as well as the ones you’d like to exclude.
Where ExpressVPN’s apps focus on simplicity, PIA’s focus on configurability. In addition to the encryption settings, you’ll find various menus for setting up a dedicated IP address, configuring multi-hop connections, enabling port forwarding, and automating your VPN connection.

Figure: PIA’s additional features are exhaustive, but might be overwhelming for casual users.
These options are nice to have, especially given PIA’s cheap subscription prices. However, it’s fairly unlikely that most casual VPN users will need this much control over their network. If you’re just looking to establish a private and secure VPN connection in a particular location, it’s much easier to use ExpressVPN.
Both VPN services also include a malware and tracker blocker, but only PIA offers a built-in ad blocker called MACE. Found in the ‘Privacy’ section of the app’s settings, it claims to block access to domains that are known to host ads, trackers, and malware.
You might think this gives PIA an advantage, but MACE is simply not a good ad blocker. It does not block as many ads as alternatives like NordVPN CyberSec, and the inability to adjust its filtering settings means certain websites end up breaking.