AES Encrypt / Decrypt

AES-256-GCM with PBKDF2 key derivation, in your browser. Text never leaves your device.

This tool encrypts and decrypts text with AES-256-GCM, a modern authenticated cipher, using a passphrase. The key is derived from your passphrase with PBKDF2 (150,000 iterations, SHA-256) and a random salt, and every message uses a fresh random IV. The result is a single Base64 payload that bundles the salt, IV, and ciphertext — paste it back with the same passphrase to recover the original. Everything happens in your browser via the Web Crypto API.

  • AES-256-GCM authenticated encryption (detects tampering)
  • PBKDF2 key derivation with a random salt
  • One self-contained Base64 payload to store or share
  • 100% private — text and passphrase never leave your browser

How It Works

When you encrypt, a random 16-byte salt and 12-byte IV are generated. PBKDF2 stretches your passphrase into a 256-bit AES key using that salt, then AES-GCM encrypts the text and produces an authentication tag. The salt, IV, and ciphertext are concatenated and Base64-encoded into one string. Decryption reverses the process: it reads the salt and IV from the payload, re-derives the key from your passphrase, and verifies the tag before returning the plaintext — so a wrong passphrase or altered payload fails cleanly rather than returning garbage.

Why AES-GCM Instead of Older Modes

Older AES modes like CBC or ECB only provide confidentiality — they hide the data but don't detect if it's been tampered with, which has led to real padding-oracle and bit-flipping attacks in production systems. GCM (Galois/Counter Mode) is an authenticatedmode: it encrypts and simultaneously computes an authentication tag over the ciphertext. On decryption, that tag is verified first — if the ciphertext or the passphrase-derived key doesn't match, decryption fails outright instead of silently returning corrupted plaintext. This is why GCM is the modern default across TLS 1.3, Signal, and most current cryptographic libraries.

What Each Piece of the Payload Does

ComponentSizePurpose
Salt16 bytesRandomizes the PBKDF2 key derivation so the same passphrase never produces the same key twice — defeats precomputed rainbow-table attacks.
IV (nonce)12 bytesRandomizes the AES-GCM cipher itself so encrypting the same text twice produces different ciphertext.
Ciphertext + tagvariableThe encrypted data plus a 16-byte authentication tag that GCM checks on decrypt.

All three are concatenated and Base64-encoded into the single payload you copy — nothing extra to track or store separately.

Encrypting and Decrypting

  1. 1Switch to Encrypt mode, type or paste the text you want to protect.
  2. 2Enter a strong, unique passphrase — this is the only thing standing between the ciphertext and your data, so make it long and random (the Password Generator can help).
  3. 3Click Encrypt — you get one self-contained Base64 payload. Copy it and share or store it however you like; it's meaningless without the passphrase.
  4. 4To recover the text, switch to Decrypt mode, paste the payload, enter the exact same passphrase, and click Decrypt.

Common Uses

  • Sharing a secretEncrypt a note or credential and share the payload; the recipient decrypts it with a passphrase agreed over a separate channel.
  • Storing sensitive textKeep a small piece of sensitive text encrypted at rest, decryptable only with your passphrase.
  • Learning modern cryptoSee exactly how AES-GCM with PBKDF2 key derivation works, with a real, correct implementation.
  • Quick one-off encryptionEncrypt a message without installing tools or trusting a server with your data.
  • Encrypting before pasting into less-trusted toolsTurn sensitive text into an opaque payload before it ever needs to touch a system you don't fully trust.

Frequently Asked Questions

No. Encryption and decryption run entirely in your browser with the Web Crypto API. Neither the text nor the passphrase ever leaves your device.

AES-256 in GCM mode, an authenticated cipher that both encrypts and detects tampering. The key is derived from your passphrase with PBKDF2 using 150,000 iterations of SHA-256 and a random salt.

Decryption fails and reports an error. AES-GCM's authentication tag means a wrong passphrase or a modified payload is rejected rather than producing incorrect plaintext.

Yes, with any AES-256-GCM implementation that reads the same layout: a 16-byte salt, a 12-byte IV, then the ciphertext, all Base64-encoded, with a PBKDF2-SHA256 key at 150,000 iterations.

Only if it's strong. PBKDF2 slows brute-force attempts, but a short or common passphrase can still be guessed. Use a long, unique passphrase — the Password Generator can create one.

A passphrase typed by a human has far less entropy than a proper 256-bit key. PBKDF2 stretches it through 150,000 rounds of hashing with a random salt, which makes brute-forcing every possible passphrase drastically slower for an attacker.

For almost all modern use cases, yes. GCM provides both confidentiality and built-in tamper detection (authentication) in a single pass, while CBC only provides confidentiality and has been the root cause of several real-world padding-oracle vulnerabilities when implemented without separate authentication.

Related Tools