PureDevTools

AES Encrypt / Decrypt

AES-128/256 encryption and decryption in CBC or GCM mode — passphrase or raw key, runs in your browser

All processing happens in your browser. No data is sent to any server.

Key is derived using PBKDF2 (100,000 iterations, SHA-256). Use the same passphrase to decrypt.

You need to encrypt a configuration string before storing it, or verify that your server-side AES implementation produces the same ciphertext as the browser. This tool encrypts and decrypts data using AES-128 or AES-256 in CBC or GCM mode, entirely in your browser via the Web Crypto API.

AES Modes: CBC vs GCM

AES-CBC (Cipher Block Chaining) is the classic mode. Each block of plaintext is XORed with the previous ciphertext block before encryption. It requires a random IV (Initialization Vector) and produces ciphertext the same length as the padded input. CBC is widely supported but does not provide authentication — a separate HMAC is needed to detect tampering.

AES-GCM (Galois/Counter Mode) is the modern recommended mode. It combines encryption with authentication (AEAD — Authenticated Encryption with Associated Data). GCM produces a ciphertext plus a 16-byte authentication tag. Any modification to the ciphertext or associated data causes decryption to fail. The Web Crypto API supports GCM natively and GCM is preferred for new implementations.

Key Sizes: 128 vs 256

AES-128 uses a 128-bit (16-byte) key and AES-256 uses a 256-bit (32-byte) key. AES-128 is already considered computationally secure and is faster. AES-256 provides a larger security margin and is required by some compliance frameworks (FIPS, HIPAA). Both are standardized by NIST and supported by all major platforms.

How the Tool Works

  1. Enter your plaintext and a passphrase or hex key
  2. Choose AES-128 or AES-256, and CBC or GCM mode
  3. For encryption: a random IV/nonce is generated, the key is derived from your passphrase using PBKDF2 (100,000 iterations, SHA-256), and the result is output as a Base64-encoded string containing the salt + IV + ciphertext
  4. For decryption: paste the Base64 output from encryption, enter the same passphrase, and the original plaintext is recovered

Frequently Asked Questions

Is my data sent to a server?

No. All encryption and decryption runs in your browser using the native Web Crypto API (crypto.subtle). No data leaves your device.

What is the IV and why is it random?

The Initialization Vector (IV) ensures that encrypting the same plaintext twice produces different ciphertext. It does not need to be secret — it is typically prepended to the ciphertext. This tool generates a cryptographically random IV for each encryption.

Can I use a raw hex key instead of a passphrase?

Yes. Toggle to “Hex Key” mode and enter a 32-character (AES-128) or 64-character (AES-256) hex string to use as the raw key material directly, bypassing PBKDF2.

Why does GCM decryption fail when I modify the ciphertext?

GCM includes an authentication tag. If the ciphertext is modified, the tag verification fails and decryption is rejected. This is the expected behavior — GCM provides integrity protection.
