Toolcroft


AES Encrypt / Decrypt Online (AES-256-GCM)

Encrypt and decrypt text in your browser using AES-256-GCM and PBKDF2. Enter your message and a passphrase - everything stays on your device, nothing is transmitted.

Educational use only. This tool is for learning and hobbyist purposes. Do not use it to protect compliance-regulated or enterprise data. If you lose your passphrase, the data cannot be recovered.

AES-256-GCM · PBKDF2-SHA-256 · 310,000 iterations · random salt + IV per encryption · all computation in your browser via Web Crypto API

How AES-256-GCM encryption works

AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST in 2001. This tool uses AES in GCM (Galois/Counter Mode) with a 256-bit key. GCM is an authenticated encryption mode: besides keeping the data secret, it appends a 16-byte authentication tag that is checked before any plaintext is released, so tampering or corruption is detected. If the passphrase is wrong or the ciphertext is modified, decryption fails with an explicit error rather than silently returning garbage; the two cases look identical from the outside, because both simply fail the tag check. Note that GCM does not hide the length of the message: the ciphertext is exactly as long as the plaintext.

Key derivation with PBKDF2

Your passphrase is not used directly as an AES key. Instead, PBKDF2-SHA-256 is run for 310,000 iterations with a fresh random 16-byte salt to derive the 256-bit key. Every guess at the passphrase then costs an attacker 310,000 HMAC-SHA-256 computations, which slows an offline brute-force attack by roughly that factor but does not turn a weak passphrase into a strong one. PBKDF2 is CPU-bound rather than memory-hard, so GPUs parallelize it well; memory-hard alternatives such as Argon2 or scrypt are not available in the Web Crypto API. The salt is stored alongside the ciphertext so the same key can be re-derived at decryption time, and because it is random per encryption, two blobs made with the same passphrase use different keys, which defeats precomputed tables.

Output format

The Base64 output encodes a binary blob with the layout: salt (16 bytes) | IV (12 bytes) | ciphertext + auth-tag. This self-contained format means you only need the blob and the passphrase to decrypt anywhere.

Privacy

All encryption and decryption happens locally in your browser using the built-in Web Crypto API. No data is sent to a server; you can confirm this yourself by watching the Network tab of your browser's developer tools while encrypting, and the page's source code is visible there as well.

When to use this tool

This tool is appropriate for personal use cases such as:

  • Protecting a personal notes file before storing it in cloud storage.
  • Encrypting sensitive text before sharing it over an insecure channel (send the passphrase through a different channel from the ciphertext).
  • Learning how AES-256-GCM and PBKDF2 work in practice.

It is not designed for production secrets management. For application secrets, API keys, and credentials at scale, use dedicated secrets management systems such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault, which offer audit logging, access controls, and automatic rotation.

Security recommendations

The strength of AES-256-GCM encryption ultimately depends on the passphrase. Even with 310,000 PBKDF2 iterations, a short or common passphrase is vulnerable to offline brute-force attacks:

  • Use at least 20 characters. A randomly generated passphrase of that length drawn from letters and digits (62 symbols, about 5.95 bits each) carries roughly 119 bits of entropy, far more than a typical memorable phrase.
  • Avoid dictionary words and predictable patterns. Names, dates, and common phrases are brute-forced quickly.
  • Use a password manager to generate and store the passphrase - do not rely on memory for high-value data.
  • Store the passphrase separately from the ciphertext. If an attacker obtains both, the data is compromised.

Output format breakdown

The Base64 output encodes a single binary blob. Decoded, it has this layout:

Bytes               Field        Purpose
0–15 (16 bytes)     Salt         Random value mixed into PBKDF2 key derivation; unique per encryption
16–27 (12 bytes)    IV (nonce)   AES-GCM initialization vector; unique per encryption
28 to end − 16      Ciphertext   Encrypted payload; same length as the plaintext (GCM adds no padding)
Last 16 bytes       Auth tag     GCM authentication tag; detects tampering

Because the salt and IV are stored inside the blob, you only need the Base64 string and the passphrase to decrypt - no separate configuration is required.
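As an added example (not Toolcroft's own source), the following JavaScript implements the scheme described on this page end to end: PBKDF2-SHA-256 at 310,000 iterations, AES-256-GCM, and the salt | IV | ciphertext | tag blob layout from the table above. It also shows the tag check rejecting a single flipped ciphertext bit, and an offline guessing loop that recovers a weak passphrase, which is the attack the security recommendations warn about. The function names (encryptText, decryptText, parseBlob, flipBit, guessPassphrase), the sample message, the passphrases and the candidate wordlist are all constructed for this example. It runs unchanged in a browser; in Node.js without a global crypto object it falls back to node:crypto's Web Crypto implementation.

```javascript
// Added example, not Toolcroft's own code: AES-256-GCM + PBKDF2-SHA-256 with the
// blob layout documented on this page: salt (16) | IV (12) | ciphertext | tag (16).
// Works in a browser; in Node.js without a global `crypto` it falls back to node:crypto.
const PBKDF2_ITERATIONS = 310000;
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;
const enc = new TextEncoder(), dec = new TextDecoder();

async function webCrypto() {
  if (globalThis.crypto?.subtle) return globalThis.crypto;
  return (await import("node:crypto")).webcrypto; // Node.js < 19 fallback
}

// Base64 helpers written with a loop so large blobs do not hit the argument-spread limit.
function toBase64(bytes) {
  let s = "";
  for (const b of bytes) s += String.fromCharCode(b);
  return btoa(s);
}
const fromBase64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// The passphrase is never used as the key directly: PBKDF2-SHA-256 stretches it,
// and the salt binds the derived key to this particular blob.
async function deriveKey(passphrase, salt, usages) {
  const { subtle } = await webCrypto();
  const baseKey = await subtle.importKey("raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: PBKDF2_ITERATIONS },
    baseKey, { name: "AES-GCM", length: 256 }, false, usages);
}

async function encryptText(plaintext, passphrase) {
  const c = await webCrypto();
  const salt = c.getRandomValues(new Uint8Array(SALT_LEN)); // fresh per encryption
  const iv = c.getRandomValues(new Uint8Array(IV_LEN));     // fresh per encryption; never reuse an IV under one key
  const key = await deriveKey(passphrase, salt, ["encrypt"]);
  // Web Crypto returns the ciphertext with the 16-byte GCM tag already appended.
  const ctAndTag = new Uint8Array(await c.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(plaintext)));
  const blob = new Uint8Array(SALT_LEN + IV_LEN + ctAndTag.length);
  blob.set(salt, 0);
  blob.set(iv, SALT_LEN);
  blob.set(ctAndTag, SALT_LEN + IV_LEN);
  return toBase64(blob);
}

// Split a Base64 blob into the fields of the layout table (offsets only; nothing is verified here).
function parseBlob(b64) {
  const blob = fromBase64(b64);
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error("blob too short to hold salt, IV and tag");
  return {
    salt: blob.subarray(0, SALT_LEN),
    iv: blob.subarray(SALT_LEN, SALT_LEN + IV_LEN),
    ciphertext: blob.subarray(SALT_LEN + IV_LEN, blob.length - TAG_LEN),
    tag: blob.subarray(blob.length - TAG_LEN),
    ctAndTag: blob.subarray(SALT_LEN + IV_LEN), // the form subtle.decrypt expects
  };
}

async function decryptText(b64, passphrase) {
  const { salt, iv, ctAndTag } = parseBlob(b64);
  const key = await deriveKey(passphrase, salt, ["decrypt"]);
  const { subtle } = await webCrypto();
  try {
    return dec.decode(await subtle.decrypt({ name: "AES-GCM", iv }, key, ctAndTag));
  } catch {
    // A wrong passphrase and a modified blob both fail the tag check and are indistinguishable here.
    throw new Error("decryption failed: wrong passphrase or tampered/corrupted data");
  }
}

// Flip one bit at a byte offset of the decoded blob, to show the tag check catching tampering.
function flipBit(b64, offset) {
  const blob = fromBase64(b64);
  blob[offset] ^= 0x01;
  return toBase64(blob);
}

// Offline guessing: each candidate costs one full PBKDF2 run, which is all that slows the attacker.
async function guessPassphrase(b64, candidates) {
  for (const candidate of candidates) {
    try {
      return { passphrase: candidate, plaintext: await decryptText(b64, candidate) };
    } catch { /* tag check failed: next guess */ }
  }
  return null;
}

async function main() {
  const message = "rotate the staging database password on Friday"; // constructed sample input
  const strong = "XkPzA2ytsWiaRehEPevgFSzRy2V";                    // constructed passphrase
  const blob = await encryptText(message, strong);
  const f = parseBlob(blob);
  console.log(`salt=${f.salt.length} iv=${f.iv.length} ct=${f.ciphertext.length} tag=${f.tag.length} bytes`);
  console.log("decrypted:", await decryptText(blob, strong));
  await decryptText(flipBit(blob, SALT_LEN + IV_LEN), strong).catch((e) => console.log("tampered:", e.message));
  const weak = await encryptText(message, "password123"); // constructed weak passphrase
  console.log("weak passphrase guessed:", await guessPassphrase(weak, ["letmein", "qwerty", "password123"]));
}
if (typeof require !== "undefined" && require.main === module) main().catch(console.error);
```

Two details worth noticing when running it: encrypting the same message twice yields two different blobs because the salt and IV are fresh each time, and the ciphertext field is exactly as long as the UTF-8 plaintext, so the blob leaks message length even though its content is protected. The guessing loop is deliberately naive; a real attacker would run the PBKDF2 step on GPUs and skip the AES decryption for all but the candidate whose tag verifies.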