Encryption/Decryption Tool

Encrypt and decrypt text using AES-256-GCM with a password. Uses PBKDF2 key derivation and the Web Crypto API, entirely in your browser.

AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode) is the symmetric encryption algorithm used by governments, banks, messaging apps, and VPN services worldwide. This tool encrypts and decrypts text using AES-256-GCM with PBKDF2 key derivation, entirely in your browser via the Web Crypto API. Your plaintext, password, and ciphertext never leave your device.

Ad
Ad

About Encryption/Decryption Tool

How AES-256-GCM Encryption Works

When you click Encrypt, the tool runs through four steps to produce the ciphertext.

StepWhat HappensWhy
1. Generate salt16 random bytes are createdPrevents rainbow table attacks on your password
2. Derive key (PBKDF2)Password + salt run through 310,000 iterations of SHA-256Stretches a weak password into a strong 256-bit key
3. Generate IV12 random bytes are createdEnsures the same plaintext + password produces different ciphertext each time
4. Encrypt (AES-256-GCM)Plaintext is encrypted with the derived key and IVProduces ciphertext + 16-byte authentication tag

The output is a single Base64 string containing the salt (16 bytes) + IV (12 bytes) + ciphertext + auth tag, concatenated in that order. When decrypting, the tool splits this string apart, re-derives the key from the password and salt, and runs AES-256-GCM decryption. If the password is wrong or the ciphertext has been tampered with, GCM's authentication tag causes decryption to fail rather than producing garbage output.

What Makes GCM Special

AES has several modes of operation. GCM (Galois/Counter Mode) is an authenticated encryption mode, meaning it provides both confidentiality and integrity in a single operation.

AES ModeConfidentialityIntegrity/AuthenticationParallelizableStatus
ECBWeak (leaks patterns)NoYesNever use - identical blocks produce identical ciphertext
CBCStrongNo (needs separate HMAC)Decrypt onlyLegacy - vulnerable to padding oracle attacks if misused
CTRStrongNo (needs separate HMAC)YesGood but requires manual integrity check
GCMStrongYes (built-in auth tag)YesRecommended - used by TLS 1.3, most modern systems
CCMStrongYesNoUsed in WiFi (WPA2) and Bluetooth

Without authentication, an attacker could flip bits in the ciphertext without detection. GCM's auth tag catches any modification, no matter how small.

PBKDF2 Key Derivation

PBKDF2 turns a short password into a full-length cryptographic key by hashing it repeatedly with a salt. This tool uses 310,000 iterations of SHA-256, the OWASP minimum from 2021-2023. OWASP raised the baseline to 600,000 iterations for PBKDF2-HMAC-SHA256 in its 2023 Password Storage Cheat Sheet update, and that remains the current guidance as of April 2026. The trade-off is UX: at 600,000 iterations a single derivation takes roughly 200ms on mid-range laptops and noticeably longer in mobile browsers, which is why many client-side tools still ship the earlier figure. For interoperability with encrypted output you already have, stick with 310,000; for fresh encryption of highly sensitive data, re-encrypt server-side with 600,000+ and a modern KDF.

KDFIterations / CostMemory RequirementUsed By
PBKDF2-SHA-256310,000+ recommendedMinimalThis tool, WPA2 (4,096 iterations), .NET, LastPass
bcrypt2^cost (10 = 1,024)4 KBPassword storage in Rails, Django, Spring
scryptConfigurableMegabytesCryptocurrency wallets, Tarsnap
Argon2idConfigurableMegabytes1Password, Signal, modern password storage

PBKDF2 is chosen here because it is the only KDF available in the Web Crypto API. For password storage (one-way hashing), bcrypt or Argon2 are better choices since they are memory-hard, making GPU attacks more expensive.

Encryption vs Hashing vs Encoding

These three operations are often confused. They serve fundamentally different purposes.

OperationReversible?Requires Key?PurposeExample
Encryption (AES)Yes, with the correct keyYesKeep data secretProtecting messages, files, database fields
Hashing (SHA-256)No (one-way)NoVerify integrity, store passwordsFile checksums, password storage, digital signatures
Encoding (Base64)Yes, by anyoneNoRepresent binary data as textEmail attachments, data URIs, JWT payloads

Base64 encoding is not encryption. Anyone can decode a Base64 string without any secret. The Base64 Encoder is for encoding, not protecting data.

Where AES-256 Is Used

SystemModeWhat It Protects
TLS 1.3 (HTTPS)AES-256-GCMAll web traffic between browser and server
Signal / WhatsAppAES-256-CBC (in Signal Protocol)End-to-end encrypted messages
BitLocker (Windows)AES-256-XTSFull disk encryption
FileVault (macOS)AES-256-XTSFull disk encryption
AWS S3 (SSE)AES-256-GCMObjects stored at rest
WireGuard VPNChaCha20-Poly1305 (AES-256 as fallback)VPN tunnel traffic
ZIP archives (AES)AES-256-CTRCompressed file contents

Worked Example

Suppose you encrypt the text "meeting at 3pm" with the password "correcthorsebatterystaple". The tool generates a random salt (say, 16 bytes) and IV (12 bytes), derives a 256-bit key via PBKDF2, encrypts the plaintext, and appends the GCM auth tag. The output is a single Base64 string roughly 80 characters long. If you change even one character of the plaintext or password, the entire output changes completely - there is no partial similarity.

To decrypt, you paste the Base64 string and enter the same password. The tool extracts the salt from the first 16 bytes, re-derives the key, extracts the IV from the next 12 bytes, and decrypts the remainder. If the password is wrong, GCM authentication fails and the tool reports an error rather than producing garbled text.

A small concrete trace helps. The plaintext "meeting at 3pm" is 14 bytes of UTF-8. After encryption the byte layout is 16 salt + 12 IV + 14 ciphertext + 16 GCM tag = 58 bytes of binary. Base64 encoding adds roughly 33% overhead, producing an 80-character output string. Encrypt the same plaintext a second time with the same password and you get a completely different 80-character string, because both the salt and the IV are freshly randomised. This non-determinism is deliberate: it stops an observer from spotting that you sent the same message twice.

Security Best Practices

PracticeWhy
Use a strong password (16+ characters)PBKDF2 slows brute force but cannot fix a weak password
Never reuse an IV with the same keyGCM breaks catastrophically if IV is reused - this tool generates random IVs automatically
Store ciphertext, not plaintextIf your storage is compromised, the attacker still needs the password
Use HTTPS when transmitting ciphertextPrevents man-in-the-middle from modifying the Base64 string
Do not embed passwords in codeUse environment variables or key management services
Rotate keys periodicallyLimits the damage if a key is compromised

Limitations of Browser-Based Encryption

The Web Crypto API provides genuine cryptographic operations, but running in a browser has trade-offs. The page could be modified by a malicious extension. Memory cannot be securely cleared (JavaScript has no memset equivalent). And the password is typed into a web page that could be observed by other tabs or extensions. For high-security applications, use a dedicated tool like GPG or age on the command line, or handle encryption server-side with a proper key management service.

How Strong Is a 256-bit Key in Practice?

A 256-bit key has 2^256 possible values, which is roughly 1.16 x 10^77. Even if every computer on Earth tested a billion keys per second, brute-forcing AES-256 directly would still take longer than the age of the universe. The real weakness is never the cipher - it is the password feeding PBKDF2. A 6-character lowercase password has about 28 bits of entropy; a 12-character password mixing case, digits, and symbols has around 72 bits. The NIST SP 800-63B guideline recommends at least 15 characters or a passphrase of four or more random dictionary words (40-50 bits of entropy before the KDF adds its stretching work). As of the April 2026 guidance, cloud GPU rigs can test roughly 10 billion SHA-256 hashes per second against unhashed passwords, so weak passwords remain the dominant attack surface regardless of how strong the cipher is.

PasswordEntropy (bits)Time to crack at 10B guesses/sec
password123~22Under 1 second
Tr0ub4dor&3~28~27 seconds
correcthorsebatterystaple~44~50 years
16-char random mixed~96Heat death of the universe

These figures assume the attacker has the ciphertext and can guess passwords offline. PBKDF2's 310,000 iterations multiply every guess by that factor, so the "50 years" row in practice becomes a number with more zeros than fit on screen - but only if the password has real entropy to begin with.

Common Mistakes People Make

MistakeWhat HappensFix
Reusing the same password across different dataOne compromised password opens every file at onceDerive distinct keys per context, or use a password manager with unique secrets
Pasting ciphertext into plain emailObservers see which key slot is in use and can correlate metadataWrap with TLS or use PGP over the whole message
Losing the salt and IVDecryption is impossible - the tool prepends them for exactly this reasonStore the full Base64 output, never trim it
Editing the Base64 string by handGCM auth tag fails, decryption abortsTreat the string as opaque; copy exactly as produced
Trusting AES-256 to fix a weak passwordThe cipher is fine, the password is the weakest linkUse a generated passphrase from the Password Generator

For generating strong passwords to use with this tool, try the Password Generator. For keyed message authentication without encryption, the HMAC Generator signs messages with a shared secret. All processing runs in your browser via the Web Crypto API.

Sources

Frequently Asked Questions

What encryption algorithm does this tool use?

It uses AES-256-GCM (Galois/Counter Mode), which provides both encryption and authentication. The 256-bit key is derived from your password using PBKDF2 with SHA-256 and 310,000 iterations. A random salt and IV are generated for each encryption.

Can I decrypt text encrypted with a different tool?

Only if the other tool uses the exact same format - AES-256-GCM with a 16-byte salt and 12-byte IV prepended to the ciphertext, and PBKDF2 key derivation with the same parameters. Different tools typically use different formats, so decryption across tools is not guaranteed.

What happens if I forget my password?

There is no way to recover encrypted data without the correct password. The encryption is mathematically irreversible without the key. Always store your password somewhere safe.

Is this secure enough for sensitive data?

AES-256-GCM is a strong encryption standard used by governments and financial institutions. However, this tool runs in the browser and is best suited for learning and quick tasks. For production use, encrypt data on your server with proper key management.

Is my data sent to a server?

No. All encryption and decryption happens entirely in your browser using the Web Crypto API. Your plaintext, password, and ciphertext never leave your device.

Link to this tool

Copy this HTML to link to this tool from your website or blog.

<a href="https://toolboxkit.io/tools/encryption-tool/" title="Encryption/Decryption Tool - Free Online Tool">Try Encryption/Decryption Tool on ToolboxKit.io</a>