AES-256 Encryption
Encrypt and decrypt text with AES-256-GCM in your browser. A 256-bit key is derived from your passphrase using PBKDF2-HMAC-SHA256 with 100,000 iterations.
How to use this tool
- 1
Choose 'Encrypt' or 'Decrypt' from the mode dropdown.
- 2
Type a passphrase into the password field — you'll need the exact same one to decrypt later.
- 3
Paste plain text to encrypt, or paste the base64 ciphertext to decrypt, into the text area.
- 4
Click 'Run' and copy the result from the output box below.
How does this AES-256 encryption tool work?
This tool performs AES-256-GCM encryption entirely in your browser using the native Web Crypto API (crypto.subtle). It does not use a stored 256-bit key directly; instead it derives one from the passphrase you type via PBKDF2-HMAC-SHA256 with 100,000 iterations and a random 16-byte salt. Each time you encrypt, a fresh random salt and a fresh random 12-byte IV (nonce) are generated, so encrypting the same text twice produces different ciphertext. GCM is an authenticated mode, meaning decryption fails loudly if the ciphertext, salt, or IV has been tampered with rather than returning garbage. The output is a single base64 string in which the salt (16 bytes), the IV (12 bytes), and the GCM ciphertext-plus-auth-tag are concatenated in that order — this is a custom layout specific to this tool, not OpenSSL or any interoperable file format, so you can only decrypt it here or with code that follows the same scheme. Security depends almost entirely on passphrase strength: 100,000 PBKDF2 iterations slow brute-force attempts but cannot rescue a short or common passphrase.
Common use cases
Encrypting a note, recovery phrase, or API key before pasting it into a chat, ticket, or shared document.
Sending a short secret to a teammate who has agreed on a passphrase through a separate channel.
Storing sensitive snippets in a password-protected form inside otherwise plain-text notes or a wiki.
Demonstrating how AES-GCM, PBKDF2 key derivation, and random IVs work for a class or code review.
Quickly checking that a base64 blob produced by this tool decrypts back to the expected text.
Adding a layer of protection to clipboard or backup text on a shared or untrusted machine.
Frequently asked questions
Is my text or passphrase sent to a server?▼
Where is my passphrase stored?▼
What exactly is in the base64 output?▼
Can I decrypt this output with OpenSSL or another library?▼
What happens if I lose the passphrase or change one character?▼
Is AES-256 here unbreakable?▼
Is this safe for highly sensitive or regulated data?▼
Related tools
Bcrypt Hash Generator
Generate bcrypt password hashes (client-side).
HMAC Generator
Generate HMAC signatures with SHA-256, SHA-1, MD5.
2FA QR Code Generator
Generate TOTP/2FA QR codes for authenticator apps.
Password Strength Tester
Test password strength against entropy and dictionaries.
Caesar Cipher Encoder
Encode and decode Caesar cipher with custom shifts.
ROT13 Encoder
Encode and decode ROT13 text instantly.