ToolBelt

AES Encryptor / Decryptor

Encrypt or decrypt text with AES-256-GCM and a passphrase.

Open tool

Overview

The AES encryptor and decryptor converts plain text into authenticated ciphertext using a passphrase you control. Paste a message, type a password, and get back a base64 payload safe to share over email, chat, or paste-bin. Reverse the flow with the same passphrase to recover the original text.

It is a quick AES-256-GCM encryption tool for engineers wrapping secrets in scripts, support reps shipping a one-off credential, or anyone who wants to confirm a payload was not tampered with in transit. The same passphrase must be available on both ends — there is no key escrow, no recovery.

How it works

The tool follows NIST SP 800-38D AES-GCM with a 256-bit key. Your passphrase is stretched into that key with PBKDF2-HMAC-SHA-256 (high iteration count, random salt per encryption) so weak passphrases are slowed down rather than used raw. A fresh 96-bit IV is generated for every encryption, prepended to the ciphertext along with the salt, and the 128-bit GCM authentication tag is appended. Decryption verifies the tag before returning plaintext — any single bit of tampering causes a hard failure rather than garbled output.

Examples

Plaintext:  "transfer $500 to Alice"
Passphrase: "correct horse battery staple"
Output:     gK2x... (base64 — salt | iv | ciphertext | tag)

Ciphertext: gK2x...
Passphrase: "correct horse battery staple"
Output:     "transfer $500 to Alice"

Ciphertext: gK2x...
Passphrase: "wrong password"
Output:     Decryption failed: authentication tag mismatch

FAQ

Is the passphrase ever sent to a server?

No. Encryption and decryption happen in your browser session; the passphrase is used to derive a key locally and is never logged.

Why GCM instead of CBC?

GCM provides authenticated encryption — it both hides the data and detects tampering. CBC encrypts but leaves you to bolt on an HMAC, and many real-world bugs come from getting that combination wrong.

Can I encrypt files this way?

This tool is text-first. For files, paste their base64 representation or use a dedicated file-encryption utility — the AES-GCM math is the same but file framing adds complexity.

What happens if I lose the passphrase?

The ciphertext is unrecoverable. AES-256 with a strong passphrase has no practical backdoor; treat your passphrase like the secret itself.

Try AES Encryptor / Decryptor

An unhandled error has occurred. Reload ×