AES Encrypt / Decrypt
AES-256-GCM with PBKDF2 key derivation, in your browser. Text never leaves your device.
This tool encrypts and decrypts text with AES-256-GCM, a modern authenticated cipher, using a passphrase. The key is derived from your passphrase with PBKDF2 (150,000 iterations, SHA-256) and a random salt, and every message uses a fresh random IV. The result is a single Base64 payload that bundles the salt, IV, and ciphertext — paste it back with the same passphrase to recover the original. Everything happens in your browser via the Web Crypto API.
- ✓AES-256-GCM authenticated encryption (detects tampering)
- ✓PBKDF2 key derivation with a random salt
- ✓One self-contained Base64 payload to store or share
- ✓100% private — text and passphrase never leave your browser
How It Works
When you encrypt, a random 16-byte salt and 12-byte IV are generated. PBKDF2 stretches your passphrase into a 256-bit AES key using that salt, then AES-GCM encrypts the text and produces an authentication tag. The salt, IV, and ciphertext are concatenated and Base64-encoded into one string. Decryption reverses the process: it reads the salt and IV from the payload, re-derives the key from your passphrase, and verifies the tag before returning the plaintext — so a wrong passphrase or altered payload fails cleanly rather than returning garbage.
Why AES-GCM Instead of Older Modes
Older AES modes like CBC or ECB only provide confidentiality — they hide the data but don't detect if it's been tampered with, which has led to real padding-oracle and bit-flipping attacks in production systems. GCM (Galois/Counter Mode) is an authenticatedmode: it encrypts and simultaneously computes an authentication tag over the ciphertext. On decryption, that tag is verified first — if the ciphertext or the passphrase-derived key doesn't match, decryption fails outright instead of silently returning corrupted plaintext. This is why GCM is the modern default across TLS 1.3, Signal, and most current cryptographic libraries.
What Each Piece of the Payload Does
| Component | Size | Purpose |
|---|---|---|
| Salt | 16 bytes | Randomizes the PBKDF2 key derivation so the same passphrase never produces the same key twice — defeats precomputed rainbow-table attacks. |
| IV (nonce) | 12 bytes | Randomizes the AES-GCM cipher itself so encrypting the same text twice produces different ciphertext. |
| Ciphertext + tag | variable | The encrypted data plus a 16-byte authentication tag that GCM checks on decrypt. |
All three are concatenated and Base64-encoded into the single payload you copy — nothing extra to track or store separately.
Encrypting and Decrypting
- 1Switch to Encrypt mode, type or paste the text you want to protect.
- 2Enter a strong, unique passphrase — this is the only thing standing between the ciphertext and your data, so make it long and random (the Password Generator can help).
- 3Click Encrypt — you get one self-contained Base64 payload. Copy it and share or store it however you like; it's meaningless without the passphrase.
- 4To recover the text, switch to Decrypt mode, paste the payload, enter the exact same passphrase, and click Decrypt.
Common Uses
- ▸Sharing a secret — Encrypt a note or credential and share the payload; the recipient decrypts it with a passphrase agreed over a separate channel.
- ▸Storing sensitive text — Keep a small piece of sensitive text encrypted at rest, decryptable only with your passphrase.
- ▸Learning modern crypto — See exactly how AES-GCM with PBKDF2 key derivation works, with a real, correct implementation.
- ▸Quick one-off encryption — Encrypt a message without installing tools or trusting a server with your data.
- ▸Encrypting before pasting into less-trusted tools — Turn sensitive text into an opaque payload before it ever needs to touch a system you don't fully trust.