Encryption/Decryption Tool
Encrypt and decrypt text using AES-256-GCM with a password. Uses PBKDF2 key derivation and the Web Crypto API, entirely in your browser.
About Encryption/Decryption Tool
AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode) is the symmetric encryption algorithm used by governments, banks, messaging apps, and VPN services worldwide. This tool encrypts and decrypts text using AES-256-GCM with PBKDF2 key derivation, entirely in your browser via the Web Crypto API. Your plaintext, password, and ciphertext never leave your device.
How AES-256-GCM Encryption Works
When you click Encrypt, the tool runs through four steps to produce the ciphertext.
| Step | What Happens | Why |
|---|---|---|
| 1. Generate salt | 16 random bytes are created | Prevents rainbow table attacks on your password |
| 2. Derive key (PBKDF2) | Password + salt run through 310,000 iterations of SHA-256 | Stretches a weak password into a strong 256-bit key |
| 3. Generate IV | 12 random bytes are created | Ensures the same plaintext + password produces different ciphertext each time |
| 4. Encrypt (AES-256-GCM) | Plaintext is encrypted with the derived key and IV | Produces ciphertext + 16-byte authentication tag |
The output is a single Base64 string containing the salt (16 bytes) + IV (12 bytes) + ciphertext + auth tag, concatenated in that order. When decrypting, the tool splits this string apart, re-derives the key from the password and salt, and runs AES-256-GCM decryption. If the password is wrong or the ciphertext has been tampered with, GCM's authentication tag causes decryption to fail rather than producing garbage output.
What Makes GCM Special
AES has several modes of operation. GCM (Galois/Counter Mode) is an authenticated encryption mode, meaning it provides both confidentiality and integrity in a single operation.
| AES Mode | Confidentiality | Integrity/Authentication | Parallelizable | Status |
|---|---|---|---|---|
| ECB | Weak (leaks patterns) | No | Yes | Never use - identical blocks produce identical ciphertext |
| CBC | Strong | No (needs separate HMAC) | Decrypt only | Legacy - vulnerable to padding oracle attacks if misused |
| CTR | Strong | No (needs separate HMAC) | Yes | Good but requires manual integrity check |
| GCM | Strong | Yes (built-in auth tag) | Yes | Recommended - used by TLS 1.3, most modern systems |
| CCM | Strong | Yes | No | Used in WiFi (WPA2) and Bluetooth |
Without authentication, an attacker could flip bits in the ciphertext without detection. GCM's auth tag catches any modification, no matter how small.
PBKDF2 Key Derivation
Passwords are typically short and low-entropy compared to cryptographic keys. PBKDF2 (Password-Based Key Derivation Function 2) stretches a password into a full-length key by hashing it repeatedly. This tool uses 310,000 iterations of SHA-256, which is the OWASP recommendation as of 2023.
| KDF | Iterations / Cost | Memory Requirement | Used By |
|---|---|---|---|
| PBKDF2-SHA-256 | 310,000+ recommended | Minimal | This tool, WPA2 (4,096 iterations), .NET, LastPass |
| bcrypt | 2^cost (10 = 1,024) | 4 KB | Password storage in Rails, Django, Spring |
| scrypt | Configurable | Megabytes | Cryptocurrency wallets, Tarsnap |
| Argon2id | Configurable | Megabytes | 1Password, Signal, modern password storage |
PBKDF2 is chosen here because it is the only KDF available in the Web Crypto API. For password storage (one-way hashing), bcrypt or Argon2 are better choices since they are memory-hard, making GPU attacks more expensive.
Encryption vs Hashing vs Encoding
These three operations are often confused. They serve fundamentally different purposes.
| Operation | Reversible? | Requires Key? | Purpose | Example |
|---|---|---|---|---|
| Encryption (AES) | Yes, with the correct key | Yes | Keep data secret | Protecting messages, files, database fields |
| Hashing (SHA-256) | No (one-way) | No | Verify integrity, store passwords | File checksums, password storage, digital signatures |
| Encoding (Base64) | Yes, by anyone | No | Represent binary data as text | Email attachments, data URIs, JWT payloads |
Base64 encoding is not encryption. Anyone can decode a Base64 string without any secret. The Base64 Encoder is for encoding, not protecting data.
Where AES-256 Is Used
| System | Mode | What It Protects |
|---|---|---|
| TLS 1.3 (HTTPS) | AES-256-GCM | All web traffic between browser and server |
| Signal / WhatsApp | AES-256-CBC (in Signal Protocol) | End-to-end encrypted messages |
| BitLocker (Windows) | AES-256-XTS | Full disk encryption |
| FileVault (macOS) | AES-256-XTS | Full disk encryption |
| AWS S3 (SSE) | AES-256-GCM | Objects stored at rest |
| WireGuard VPN | ChaCha20-Poly1305 (AES-256 as fallback) | VPN tunnel traffic |
| ZIP archives (AES) | AES-256-CTR | Compressed file contents |
Worked Example
Suppose you encrypt the text "meeting at 3pm" with the password "correcthorsebatterystaple". The tool generates a random salt (say, 16 bytes) and IV (12 bytes), derives a 256-bit key via PBKDF2, encrypts the plaintext, and appends the GCM auth tag. The output is a single Base64 string roughly 80 characters long. If you change even one character of the plaintext or password, the entire output changes completely - there is no partial similarity.
To decrypt, you paste the Base64 string and enter the same password. The tool extracts the salt from the first 16 bytes, re-derives the key, extracts the IV from the next 12 bytes, and decrypts the remainder. If the password is wrong, GCM authentication fails and the tool reports an error rather than producing garbled text.
Security Best Practices
| Practice | Why |
|---|---|
| Use a strong password (16+ characters) | PBKDF2 slows brute force but cannot fix a weak password |
| Never reuse an IV with the same key | GCM breaks catastrophically if IV is reused - this tool generates random IVs automatically |
| Store ciphertext, not plaintext | If your storage is compromised, the attacker still needs the password |
| Use HTTPS when transmitting ciphertext | Prevents man-in-the-middle from modifying the Base64 string |
| Do not embed passwords in code | Use environment variables or key management services |
| Rotate keys periodically | Limits the damage if a key is compromised |
Limitations of Browser-Based Encryption
The Web Crypto API provides genuine cryptographic operations, but running in a browser has trade-offs. The page could be modified by a malicious extension. Memory cannot be securely cleared (JavaScript has no memset equivalent). And the password is typed into a web page that could be observed by other tabs or extensions. For high-security applications, use a dedicated tool like GPG or age on the command line, or handle encryption server-side with a proper key management service.
For generating strong passwords to use with this tool, try the Password Generator. For keyed message authentication without encryption, the HMAC Generator signs messages with a shared secret. All processing runs in your browser via the Web Crypto API.
Frequently Asked Questions
What encryption algorithm does this tool use?
It uses AES-256-GCM (Galois/Counter Mode), which provides both encryption and authentication. The 256-bit key is derived from your password using PBKDF2 with SHA-256 and 310,000 iterations. A random salt and IV are generated for each encryption.
Can I decrypt text encrypted with a different tool?
Only if the other tool uses the exact same format - AES-256-GCM with a 16-byte salt and 12-byte IV prepended to the ciphertext, and PBKDF2 key derivation with the same parameters. Different tools typically use different formats, so decryption across tools is not guaranteed.
What happens if I forget my password?
There is no way to recover encrypted data without the correct password. The encryption is mathematically irreversible without the key. Always store your password somewhere safe.
Is this secure enough for sensitive data?
AES-256-GCM is a strong encryption standard used by governments and financial institutions. However, this tool runs in the browser and is best suited for learning and quick tasks. For production use, encrypt data on your server with proper key management.
Is my data sent to a server?
No. All encryption and decryption happens entirely in your browser using the Web Crypto API. Your plaintext, password, and ciphertext never leave your device.
Related Tools
Link to this tool
Copy this HTML to link to this tool from your website or blog.
<a href="https://toolboxkit.io/tools/encryption-tool/" title="Encryption/Decryption Tool - Free Online Tool">Try Encryption/Decryption Tool on ToolboxKit.io</a>