RevealTheme logo

AES-256 Encryption

Encrypt and decrypt text with AES-256-GCM in your browser. A 256-bit key is derived from your passphrase using PBKDF2-HMAC-SHA256 with 100,000 iterations.

How to use this tool

  1. 1

    Choose 'Encrypt' or 'Decrypt' from the mode dropdown.

  2. 2

    Type a passphrase into the password field — you'll need the exact same one to decrypt later.

  3. 3

    Paste plain text to encrypt, or paste the base64 ciphertext to decrypt, into the text area.

  4. 4

    Click 'Run' and copy the result from the output box below.

How does this AES-256 encryption tool work?

This tool performs AES-256-GCM encryption entirely in your browser using the native Web Crypto API (crypto.subtle). It does not use a stored 256-bit key directly; instead it derives one from the passphrase you type via PBKDF2-HMAC-SHA256 with 100,000 iterations and a random 16-byte salt. Each time you encrypt, a fresh random salt and a fresh random 12-byte IV (nonce) are generated, so encrypting the same text twice produces different ciphertext. GCM is an authenticated mode, meaning decryption fails loudly if the ciphertext, salt, or IV has been tampered with rather than returning garbage. The output is a single base64 string in which the salt (16 bytes), the IV (12 bytes), and the GCM ciphertext-plus-auth-tag are concatenated in that order — this is a custom layout specific to this tool, not OpenSSL or any interoperable file format, so you can only decrypt it here or with code that follows the same scheme. Security depends almost entirely on passphrase strength: 100,000 PBKDF2 iterations slow brute-force attempts but cannot rescue a short or common passphrase.

Common use cases

  • Encrypting a note, recovery phrase, or API key before pasting it into a chat, ticket, or shared document.

  • Sending a short secret to a teammate who has agreed on a passphrase through a separate channel.

  • Storing sensitive snippets in a password-protected form inside otherwise plain-text notes or a wiki.

  • Demonstrating how AES-GCM, PBKDF2 key derivation, and random IVs work for a class or code review.

  • Quickly checking that a base64 blob produced by this tool decrypts back to the expected text.

  • Adding a layer of protection to clipboard or backup text on a shared or untrusted machine.

Frequently asked questions

Is my text or passphrase sent to a server?
No. All encryption and decryption run locally in your browser through the Web Crypto API. Your plain text, passphrase, and ciphertext never leave your device and are not uploaded or logged.
Where is my passphrase stored?
Nowhere. It lives only in the page's memory while you use the tool, is used to derive the key, and is discarded when you close or reload the tab. It is never saved or transmitted.
What exactly is in the base64 output?
A 16-byte random salt, then a 12-byte random IV, then the AES-GCM ciphertext including its authentication tag, all concatenated and base64-encoded. Decryption splits these back out, so you must keep the whole string intact.
Can I decrypt this output with OpenSSL or another library?
Not directly. The salt + IV + ciphertext layout here is specific to this tool, not the OpenSSL 'Salted__' format. You'd need code that derives the key with PBKDF2-SHA256 at 100,000 iterations and reads the bytes in the same order.
What happens if I lose the passphrase or change one character?
The data is unrecoverable. GCM authentication will reject any wrong passphrase and decryption will throw an error rather than returning partial text, so an exact match is required.
Is AES-256 here unbreakable?
The AES-256 cipher itself has no practical brute-force attack, but your security is only as strong as your passphrase. A weak or reused passphrase can be guessed despite the 100,000 PBKDF2 iterations, so use a long, unique one.
Is this safe for highly sensitive or regulated data?
It's solid for quick, personal use, but it's a single-page utility without key management, versioning, or audited deployment. For production secrets use a dedicated tool such as a password manager, libsodium/age, or your platform's KMS.

Related tools