AES Encrypt / Decrypt
Encrypt and decrypt text with AES-256-GCM. Key derived via PBKDF2. Output is self-contained Base64 (salt + IV + ciphertext).
AES-256-GCM · PBKDF2 key derivation (100,000 iterations, SHA-256) · 16-byte random salt · 12-byte random IV · Output is self-contained Base64
AES-256-GCM browser encryption: no server, no storage
AES (Advanced Encryption Standard) in GCM mode is the gold standard for symmetric encryption. Unlike older modes such as CBC, GCM simultaneously encrypts and authenticates the data, so any tampering is detected on decryption. This tool runs the full AES-256-GCM algorithm inside your browser using the W3C Web Crypto API: the same API that powers HTTPS on billions of connections every day.
The password you enter never leaves the page. A fresh 16-byte random salt and 12-byte IV are generated on each encryption, making every ciphertext unique even for identical plaintexts. The output Base64 string bundles all three fields (salt, IV, ciphertext) so it is fully portable and can be decrypted anywhere.
How to use: step by step
- 1Choose a mode
Select Encrypt to protect plaintext, or Decrypt to recover it from a Base64 ciphertext blob. - 2Enter your text
Paste or type the message you want to encrypt (or the Base64 ciphertext if decrypting). - 3Set a password
Type an encryption password. It is never transmitted: PBKDF2 derives a 256-bit key locally. - 4Click Encrypt / Decrypt
The browser runs AES-256-GCM, generating a fresh 16-byte salt and 12-byte IV on every operation. - 5Copy the output
The Base64 output is self-contained (salt + IV + ciphertext). Share it anywhere: only your password can decrypt it.
Related Tools
Hash Generator
Compute MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes for text or files. All hashes shown simultaneously with one-click copy.
HMAC Generator
Generate HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 message authentication codes with a secret key.
Password Strength
Analyze password entropy, character composition, and estimated crack time across different attack scenarios.
JWT Debugger
Decode and inspect JWT header, payload, and signature. Shows expiry status, algorithm, and all time-based claims with human-readable dates.
Frequently Asked Questions
- Is my data sent to a server?
- No. All encryption and decryption is performed using the Web Crypto API directly in your browser. Nothing is transmitted.
- What AES variant does this tool use?
- AES-256-GCM (Galois/Counter Mode). GCM provides both confidentiality and authenticity: if the ciphertext is tampered with, decryption fails.
- How is the key derived from my password?
- PBKDF2 with SHA-256, 100,000 iterations, and a 16-byte random salt. This makes brute-force attacks computationally expensive.
- What is in the Base64 output?
- The Base64 string encodes three concatenated fields: 16-byte salt, 12-byte IV, and the GCM ciphertext (which includes the authentication tag). It is entirely self-contained.
- Can I decrypt on a different device?
- Yes. As long as you have the Base64 ciphertext and the correct password, you can decrypt it in any AES-256-GCM-compatible implementation.
- Why does decryption fail?
- Decryption fails when the password is wrong or the ciphertext has been modified. GCM's authentication tag detects both cases.
- Is AES-256-GCM safe for production use?
- Yes. AES-256-GCM is a NIST-approved cipher used in TLS 1.3, Signal, and countless other security-critical applications.
- What is the difference between AES-GCM and AES-CBC?
- GCM is an authenticated encryption mode: it also verifies integrity. CBC is a plain cipher mode that requires a separate MAC. GCM is the modern best practice.
- Does this tool store my password or ciphertext?
- Never. The tool has no persistent storage, no analytics, and makes no network calls during encryption or decryption.
- Can I use this to encrypt files?
- This tool encrypts text. For file encryption you would need to read the file as Base64 first, or use a dedicated file encryption tool.
AlteredIdea vs alternatives
vs online hashing sites: Many send your data to a server to hash it. AlteredIdea runs all cryptographic operations in your browser using the Web Crypto API: your sensitive data never leaves your device.
vs openssl / command line: No terminal, no setup. Just paste and get results instantly.
vs library code: No coding required. Instant visual output with copy-to-clipboard.