AES Encryption Tool

Encrypt and decrypt text with a passphrase using AES-256-GCM in your browser. Your passphrase and text stay on your device.

The AES Encryption Tool runs entirely in your browser using the Web Crypto API. Your passphrase, the text you encrypt, and the resulting blob stay on your device and are never uploaded to ArrayKit. Because the passphrase is the only key, keep it somewhere safe — it cannot be recovered.

Open the Diceware Passphrase Generator

About AES Encrypt / Decrypt

The AES Encryption Tool encrypts a piece of text with a passphrase you choose and hands you back a single Base64 blob you can safely paste into a note, an email, or a chat. Under the hood your passphrase is stretched with PBKDF2 (SHA-256, 100,000 iterations) into a 256-bit key, then the text is sealed with AES-256-GCM using a fresh random salt and nonce, so encrypting the same message twice never produces the same output. Switch to Decrypt, paste the blob, type the same passphrase, and the original text comes back — a wrong passphrase or a single altered character fails the built-in authentication check. It is handy for sharing a secret, stashing an API token, or protecting a snippet before it touches storage you do not control. Everything runs on your device; the passphrase and text are never uploaded.

Features

How to use the AES Encrypt / Decrypt

  1. Keep the Encrypt tab selected and enter a strong passphrase
  2. Type or paste the text you want to protect
  3. Press Encrypt and copy the Base64 blob to share or store
  4. To reverse it, switch to Decrypt, paste the blob, and enter the same passphrase

Example

Input

text: Attack at dawn.
passphrase: correct horse battery staple

Output

AQIDBAUGBwgJCgsMDQ4PEKChoqOkpaanqKmqq5v0… (salt | nonce | AES-GCM ciphertext, Base64)

One passphrase in, one self-contained Base64 blob out — the salt and nonce travel with the ciphertext.

Common errors & troubleshooting

Frequently asked questions

How does this AES Encryption Tool protect my text?
It derives a 256-bit key from your passphrase with PBKDF2 (SHA-256, 100,000 iterations) and a random salt, then encrypts the text with AES-256-GCM using a random nonce. The salt, nonce, and ciphertext are packed into one Base64 blob, and all of it happens in your browser.
What happens if I enter the wrong passphrase when decrypting?
Decryption fails and you get an error instead of scrambled text. AES-GCM authenticates the ciphertext, so a wrong passphrase (or any change to the blob) makes the integrity check fail and nothing is returned — there is no partial or garbled output.
Why does encrypting the same text twice give different output?
A new random salt and 12-byte nonce are generated for every encryption. That means the same text and passphrase produce a different blob each time, which is by design — both blobs still decrypt back to the identical original text.
Can I decrypt a blob that another AES tool created?
Only if it uses the exact same scheme: PBKDF2-SHA256 at 100,000 iterations, a 16-byte salt, a 12-byte AES-GCM nonce, and the same salt|nonce|ciphertext framing. This tool's blobs are self-contained and are meant to be decrypted by its own Decrypt mode.
Where does the encryption happen, and is my passphrase stored anywhere?
Everything runs locally in your browser through the Web Crypto API. The passphrase is held in memory only while the page is open, the plaintext and blob stay on your device, and none of it is uploaded to ArrayKit or written to any server.
Is AES-256-GCM strong enough to share sensitive text?
AES-256-GCM is a modern authenticated cipher trusted for real-world use, so the weak link is the passphrase, not the algorithm. Use a long, unguessable passphrase — a Diceware phrase works well — and share the blob over a channel you trust.

Related tools

All ArrayKit tools