AES Encrypt / Decrypt

Encrypt and decrypt text with AES-GCM or AES-CBC using a passphrase. The salt and IV are generated automatically and embedded in the ciphertext, so decryption only needs the passphrase.

Input data is processed in your browser
Data is never sent to a server

Tool

0 chars

Processing happens entirely in your browser; your plaintext and passphrase are never sent anywhere. The key is derived from your passphrase using PBKDF2 (100,000 SHA-256 iterations). The ciphertext embeds the salt, IV, and algorithm, so decryption only needs the passphrase.

What is the AES Encrypt / Decrypt tool?

This free tool lets you encrypt and decrypt text with a passphrase, entirely inside your browser. It uses only the browser’s built-in Web Crypto API — no external libraries, and nothing is ever sent to a server.

Each time you encrypt, a fresh random salt and IV (initialization vector) are generated, and the encryption key is derived from your passphrase using PBKDF2 (100,000 SHA-256 iterations). The salt, IV, and algorithm used are embedded directly in the resulting Base64 ciphertext, so decrypting only requires the passphrase — nothing else to keep track of. Handy for quickly protecting a note or piece of text with a password before sharing it.

How to Use

  1. On the "Encrypt" tab, enter your plaintext and a passphrase, then click "Encrypt" to get a Base64-encoded ciphertext.
  2. On the "Decrypt" tab, paste the ciphertext (Base64) and enter the same passphrase, then click "Decrypt" to recover the original text.
  3. When encrypting, you can choose the algorithm (AES-GCM recommended, or AES-CBC) and key size (128/192/256 bit).
  4. Open "Show details" to see the salt, IV, and ciphertext individually in hex.

FAQ

What's the difference between AES-GCM and AES-CBC?

AES-GCM encrypts data while also authenticating it (detecting tampering), and is widely recommended as current best practice. AES-CBC is an older mode with no built-in tamper detection, so GCM is generally the safer choice on its own. Use AES-GCM unless you have a specific reason not to.

What happens if I enter the wrong passphrase?

Decryption fails and an error is shown. With AES-GCM, the authentication tag check also catches corrupted or tampered ciphertext, not just a wrong passphrase.

Can data encrypted with this tool be decrypted with OpenSSL or another tool?

No. This tool uses its own self-contained format — it bundles the salt, IV, and algorithm info into the ciphertext, and derives the key from your passphrase with its own PBKDF2 settings. Encryption and decryption are meant to be done with this same tool. For interop with another system, open "Show details" to get the salt, IV, and ciphertext in hex and implement matching logic on the other side.

Are my passphrase and plaintext sent to a server?

No. All encryption and decryption happens entirely in your browser using the Web Crypto API — nothing is sent anywhere. The plaintext, ciphertext, and passphrase are also not saved to browser storage.