AES Encrypt & Decrypt
Encrypt sensitive text with AES-GCM 256-bit authenticated encryption. Your passphrase is stretched via PBKDF2-SHA256 (200,000 iterations) with a random salt per encryption. The output format is a single base64 blob containing salt, IV, and ciphertext+authentication tag. Decrypt with the same passphrase to recover the original text. All operations via Web Crypto — no third-party libraries.
What does this tool do?
The AES Encrypt/Decrypt tool provides strong authenticated encryption using industry-standard algorithms. It uses AES-GCM (Galois/Counter Mode) with 256-bit keys, which provides both confidentiality and integrity verification. Key derivation uses PBKDF2 with SHA-256 and 200,000 iterations to resist brute-force attacks on weak passphrases. Each encryption generates a unique random salt (prevents rainbow table attacks) and IV (initialization vector, ensures identical plaintexts produce different ciphertexts). The self-contained output format includes everything needed for decryption except the passphrase.
How it works
Encryption: derive key using PBKDF2-SHA256 with 200,000 iterations from passphrase + random 16-byte salt. Generate random 12-byte IV. Encrypt plaintext using AES-GCM-256, producing ciphertext and 16-byte authentication tag. Concatenate: salt (16) + IV (12) + ciphertext + tag. Encode as base64 for transportable text. Decryption: decode base64, split components, derive key with same PBKDF2 parameters from passphrase + salt, decrypt and verify authentication tag using AES-GCM, return plaintext. All via Web Crypto API — no external crypto libraries.
Features
- AES-GCM 256-bit authenticated encryption
- PBKDF2-SHA256, 200,000 iterations — slows brute force
- Random salt + IV per encryption (unique ciphertexts)
- Self-contained format: base64(salt | IV | ciphertext + tag)
- All operations via Web Crypto API
- No third-party crypto libraries
- 100% client-side — data never leaves browser
How to use
1. Select mode: Choose Encrypt to protect text, or Decrypt to recover encrypted content.
2. Enter text and passphrase (encrypt): Paste the sensitive text to encrypt. Enter a strong passphrase — NOT a password you use anywhere else. Longer is better than complex.
3. Copy the ciphertext: The base64 output is your encrypted data. It can be safely stored or transmitted — it reveals nothing without the passphrase.
4. Decrypt to recover: Paste the ciphertext, enter the same passphrase, and get the original text back. Any character error in the passphrase or ciphertext will cause decryption to fail.
Common use cases
Secure note sharing
Encrypt sensitive information for secure transmission over insecure channels. Send the ciphertext via email/IM, share the passphrase separately.
Personal data protection
Encrypt private notes, journal entries, or personal information before storing in cloud services or on shared devices.
API secret handling
Encrypt API keys and secrets for temporary storage during development workflows, decrypting only when needed.
Secure clipboard transfer
Encrypt sensitive data on one device, copy ciphertext through shared clipboard or messaging, decrypt on another device.
Tips & best practices
- Passphrase length matters more than character complexity — 'correct horse battery staple' (4 random words, 28 chars) is far stronger than 'Tr0ub4dor&3' and easier to remember
- The 200,000 PBKDF2 iterations intentionally slow brute-force attempts. Combined with a strong passphrase, this makes cracking infeasible
- Never lose your passphrase — there is absolutely no recovery. The encryption is designed to be unbreakable without the key
- Each encryption produces unique output even with same text and passphrase (due to random salt/IV) — this is expected