AES Encryption Tool
Encrypt and decrypt text with a passphrase using AES-256-GCM in your browser. Your passphrase and text stay on your device.
The AES Encryption Tool runs entirely in your browser using the Web Crypto API. Your passphrase, the text you encrypt, and the resulting blob stay on your device and are never uploaded to ArrayKit. Because the passphrase is the only key, keep it somewhere safe — it cannot be recovered.
Open the Diceware Passphrase Generator
About AES Encrypt / Decrypt
The AES Encryption Tool encrypts a piece of text with a passphrase you choose and hands you back a single Base64 blob you can safely paste into a note, an email, or a chat. Under the hood your passphrase is stretched with PBKDF2 (SHA-256, 100,000 iterations) into a 256-bit key, then the text is sealed with AES-256-GCM using a fresh random salt and nonce, so encrypting the same message twice never produces the same output. Switch to Decrypt, paste the blob, type the same passphrase, and the original text comes back — a wrong passphrase or a single altered character fails the built-in authentication check. It is handy for sharing a secret, stashing an API token, or protecting a snippet before it touches storage you do not control. Everything runs on your device; the passphrase and text are never uploaded.
Features
- Encrypt any text with a passphrase into one portable Base64 blob
- AES-256-GCM authenticated encryption detects tampering on decrypt
- PBKDF2 with SHA-256 and 100,000 iterations stretches your passphrase into the key
- A fresh random salt and nonce per message, carried inside the blob
- Decrypt mode restores the original text from the blob and passphrase
- A wrong passphrase or altered ciphertext fails with a clear message
- Show and hide toggle keeps the passphrase masked while you type
- Runs on your device via the Web Crypto API with nothing uploaded
How to use the AES Encrypt / Decrypt
- Keep the Encrypt tab selected and enter a strong passphrase
- Type or paste the text you want to protect
- Press Encrypt and copy the Base64 blob to share or store
- To reverse it, switch to Decrypt, paste the blob, and enter the same passphrase
Example
Input
text: Attack at dawn.
passphrase: correct horse battery staple
Output
AQIDBAUGBwgJCgsMDQ4PEKChoqOkpaanqKmqq5v0… (salt | nonce | AES-GCM ciphertext, Base64)
One passphrase in, one self-contained Base64 blob out — the salt and nonce travel with the ciphertext.
Common errors & troubleshooting
- Decrypt says 'Wrong passphrase, or the encrypted text has been modified.' — Retype the exact passphrase — it is case-sensitive — and confirm the whole Base64 blob was pasted with no missing or extra characters. AES-GCM rejects even a one-byte change.
- Decrypt reports that the input is not valid Base64. — Paste only the blob the tool produced. Stray quotes, line wrapping, or a truncated copy break Base64 decoding, so copy it again with the copy button.
- I forgot the passphrase and cannot get my text back. — The passphrase is the only key — there is no recovery or reset. Without it the ciphertext cannot be decrypted, so store the passphrase separately from the blob.
- The same text produced a different blob than last time. — That is expected. A new random salt and nonce are generated on every encryption, so the output changes each run while still decrypting to the same text with your passphrase.
Frequently asked questions
- How does this AES Encryption Tool protect my text?
- It derives a 256-bit key from your passphrase with PBKDF2 (SHA-256, 100,000 iterations) and a random salt, then encrypts the text with AES-256-GCM using a random nonce. The salt, nonce, and ciphertext are packed into one Base64 blob, and all of it happens in your browser.
- What happens if I enter the wrong passphrase when decrypting?
- Decryption fails and you get an error instead of scrambled text. AES-GCM authenticates the ciphertext, so a wrong passphrase (or any change to the blob) makes the integrity check fail and nothing is returned — there is no partial or garbled output.
- Why does encrypting the same text twice give different output?
- A new random salt and 12-byte nonce are generated for every encryption. That means the same text and passphrase produce a different blob each time, which is by design — both blobs still decrypt back to the identical original text.
- Can I decrypt a blob that another AES tool created?
- Only if it uses the exact same scheme: PBKDF2-SHA256 at 100,000 iterations, a 16-byte salt, a 12-byte AES-GCM nonce, and the same salt|nonce|ciphertext framing. This tool's blobs are self-contained and are meant to be decrypted by its own Decrypt mode.
- Where does the encryption happen, and is my passphrase stored anywhere?
- Everything runs locally in your browser through the Web Crypto API. The passphrase is held in memory only while the page is open, the plaintext and blob stay on your device, and none of it is uploaded to ArrayKit or written to any server.
- Is AES-256-GCM strong enough to share sensitive text?
- AES-256-GCM is a modern authenticated cipher trusted for real-world use, so the weak link is the passphrase, not the algorithm. Use a long, unguessable passphrase — a Diceware phrase works well — and share the blob over a channel you trust.
Related tools
- Hash Generator — SHA-256 / SHA-1 / SHA-384 / SHA-512 via the Web Crypto API.
- HMAC Generator — Generate an HMAC (SHA-256, SHA-1, SHA-512) from a message and secret key using Web Crypto.
- File Hash Checksum — Compute MD5, SHA-1, SHA-256 and SHA-512 checksums of files and compare against an expected hash.
- Base64 Encode / Decode — UTF-8 safe Base64 encoding and decoding.
- Diceware Passphrase Generator — Generate a memorable, high-entropy passphrase from the EFF word list, in your browser.
- Bcrypt Generator — Hash a password with bcrypt and verify a password against a bcrypt hash, in your browser.
All ArrayKit tools