Text Encrypt / Decrypt

Private by design. This tool runs 100% in your browser using the Web Crypto API. Your passphrase and text are never uploaded to any server and are never placed in the URL. This is the safe alternative to pasting secrets into an online service or AI chatbot.

What is AES Encryption?

AES (the Advanced Encryption Standard) is the most widely used symmetric cipher in the world. Standardized by NIST in 2001 (FIPS 197) and originally designed under the name Rijndael, it encrypts data in 128-bit blocks using a secret key of 128, 192, or 256 bits. "Symmetric" means the same key both encrypts and decrypts — there is no separate public and private key as in RSA. AES protects HTTPS traffic, disk encryption, VPNs, password managers, and countless other systems, and after decades of public scrutiny it has no known practical break.

This tool uses AES-GCM with a 256-bit key. GCM (Galois/Counter Mode) is an authenticated encryption mode: in addition to keeping the plaintext confidential, it produces a 128-bit authentication tag that detects any tampering with the ciphertext. If even a single bit of the encrypted data is changed — or if the wrong key is supplied — decryption fails loudly instead of returning garbage. That property is what powers the clear "wrong passphrase or corrupted input" error you see on a failed decrypt.

How Passphrase-Based Encryption Works

AES needs a fixed-length binary key, but humans prefer to remember passphrases. The bridge between the two is a key derivation function. This tool uses PBKDF2 (Password-Based Key Derivation Function 2, defined in RFC 8018) with HMAC-SHA-256 and 150,000 iterations to stretch your passphrase into a 256-bit AES key. The iteration count deliberately makes the derivation slow — imperceptible for a single legitimate decryption, but a serious obstacle for an attacker trying to guess billions of passphrases offline.

Two random values make each encryption unique. A 16-byte salt, generated with crypto.getRandomValues, is fed into PBKDF2 so that the same passphrase produces a different key every time, which defeats precomputed "rainbow table" attacks. A 12-byte initialization vector (IV), also random, ensures that encrypting the same message twice yields different ciphertext; GCM's security depends on an IV never being reused with the same key. Both the salt and IV are stored alongside the ciphertext (they are not secret), so decryption can reconstruct exactly the same key and reverse the process.

The final output is a single Base64 string that packs a 1-byte version marker, the salt, the IV, and the AES-GCM ciphertext (with its built-in authentication tag). Because the format is self-describing, you only need to remember the passphrase — everything else travels with the data.

How to Use This Tool

  1. Choose Encrypt or Decrypt with the toggle at the top.
  2. In Encrypt mode, paste the plaintext you want to protect; in Decrypt mode, paste the Base64 ciphertext produced earlier.
  3. Type your passphrase. It is case-sensitive and must match exactly to decrypt.
  4. Click the action button. The result appears in the output box — Base64 ciphertext when encrypting, the recovered plaintext when decrypting.
  5. Use Copy to grab the result, then share the ciphertext freely while delivering the passphrase through a separate, trusted channel.

Everything is computed locally with crypto.subtle.deriveKey and crypto.subtle.encrypt / decrypt from the Web Crypto API. Nothing is sent to a server, and the passphrase and text are never written to the shareable URL.

Is This Secure?

The cryptography itself is solid: AES-256-GCM and PBKDF2-HMAC-SHA-256 are standardized, widely deployed primitives, and they run here through the browser's native, vetted Web Crypto implementation rather than hand-rolled JavaScript. Because all processing is client-side, your secrets never leave your device — there is no network request to intercept and no server log to leak.

That said, the weakest link is almost always the passphrase. Encryption can only be as strong as the secret protecting it: a short, common, or reused passphrase can be brute-forced offline no matter how good the cipher is. Choose something long, random, and unique — a passphrase of several random words is a good rule of thumb. Also remember that this tool is built for convenience: quickly protecting a note, an API token, or a message you are about to send. For high-stakes, long-lived secrets, prefer a dedicated, audited tool such as age, GnuPG, or a reputable password manager, and keep secure backups of your passphrase — if you lose it, the data is unrecoverable by design.

When to Use It

Frequently Asked Questions

What encryption does this tool use?

This tool uses AES-GCM with a 256-bit key for authenticated encryption. The key is derived from your passphrase using PBKDF2 with HMAC-SHA-256 and 150,000 iterations over a random 16-byte salt. A fresh random 12-byte initialization vector (IV) is generated for every encryption. All of this runs in your browser via the Web Crypto API (SubtleCrypto).

Is my passphrase or text sent to a server?

No. Encryption and decryption happen entirely inside your browser using the Web Crypto API. Your passphrase, plaintext, and ciphertext are never uploaded anywhere, and nothing is written to the shareable URL. That is the whole point of this tool versus pasting secrets into an online service or AI chatbot.

Why did decryption fail?

AES-GCM is authenticated, so it refuses to return any plaintext if the passphrase is wrong or the ciphertext was altered or truncated. If you see "Decryption failed — wrong passphrase or corrupted input," double-check that the passphrase exactly matches the one used to encrypt (it is case-sensitive) and that you pasted the entire Base64 string without missing characters.

How secure is passphrase-based encryption?

AES-256-GCM is a strong, standardized cipher, but the security of passphrase-based encryption depends almost entirely on the strength of your passphrase. PBKDF2 with 150,000 iterations slows down brute-force guessing, but a short or common passphrase can still be cracked offline. Use a long, random, unique passphrase. For high-stakes secrets, prefer a vetted, audited tool such as age, GnuPG, or a password manager.

What is in the Base64 output?

The Base64 string packs everything needed to decrypt except the passphrase: a 1-byte version marker, the 16-byte random salt, the 12-byte random IV, and the AES-GCM ciphertext (which includes the authentication tag). Because the salt and IV are stored alongside the ciphertext, anyone with the correct passphrase can reverse the process; without it, the data is unreadable.

Can I decrypt this text with another tool?

Yes, if the other tool uses the same scheme: Base64-decode the output, skip the 1-byte version, read the next 16 bytes as the PBKDF2 salt and the following 12 bytes as the AES-GCM IV, derive a 256-bit key with PBKDF2-HMAC-SHA-256 at 150,000 iterations, then AES-GCM-decrypt the remaining bytes (the last 16 bytes are the GCM tag). The format is intentionally simple and self-describing.
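
The decoding steps above, written out as an added example (not this tool's own source code): it parses the envelope, derives the key, and decrypts, and it also encrypts so the round trip can be checked. The version byte value 1, UTF-8 encoding of the passphrase, and the standard Base64 alphabet are assumptions, since the page does not state them.

```javascript
// Added example. Layout and parameters come from the page; the version value,
// UTF-8 passphrase encoding and standard Base64 alphabet are assumptions.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // Node < 19 fallback
const VERSION = 1, SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16, ITERATIONS = 150000;

// Split the Base64 envelope into version | salt | IV | ciphertext+tag.
function parseEnvelope(b64) {
  const raw = Uint8Array.from(atob(b64.trim()), (c) => c.charCodeAt(0));
  if (raw.length < 1 + SALT_LEN + IV_LEN + TAG_LEN) {
    throw new Error("Envelope too short: truncated or not this format");
  }
  const ivStart = 1 + SALT_LEN, bodyStart = ivStart + IV_LEN;
  return {
    version: raw[0],
    salt: raw.slice(1, ivStart),
    iv: raw.slice(ivStart, bodyStart),
    body: raw.slice(bodyStart), // ciphertext; its last 16 bytes are the GCM tag
  };
}

// PBKDF2-HMAC-SHA-256, 150,000 iterations -> non-extractable AES-256-GCM key.
async function deriveKey(passphrase, salt) {
  const material = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

async function encryptText(passphrase, plaintext) {
  const salt = wc.getRandomValues(new Uint8Array(SALT_LEN)); // fresh per message
  const iv = wc.getRandomValues(new Uint8Array(IV_LEN));     // fresh per message
  const key = await deriveKey(passphrase, salt);
  const body = new Uint8Array(await wc.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(plaintext)));
  const out = [VERSION, ...salt, ...iv, ...body];
  return btoa(out.map((b) => String.fromCharCode(b)).join(""));
}

async function decryptText(passphrase, b64) {
  const { salt, iv, body } = parseEnvelope(b64);
  const key = await deriveKey(passphrase, salt);
  try {
    const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv }, key, body);
    return new TextDecoder().decode(pt);
  } catch {
    // GCM tag check failed: wrong key or modified bytes; no plaintext is released.
    throw new Error("Decryption failed: wrong passphrase or corrupted input");
  }
}
```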