Security
Text Encryption
The Text Encrypt tool encrypts and decrypts plain text using AES (Advanced Encryption Standard) with a passphrase. The passphrase is stretched to a 256-bit key using PBKDF2 with a random salt. AES-GCM mode provides authenticated encryption that also detects tampering. All cryptographic operations run in the browser using the Web Crypto API – your text and passphrase never leave your device.
What is symmetric encryption?
Symmetric encryption uses the same key (or passphrase-derived key) to both encrypt and decrypt data. The sender and receiver must both know the secret key. AES (Advanced Encryption Standard) is the most widely used symmetric cipher, standardized by NIST in 2001. AES-256 uses a 256-bit key and is considered secure against all known attacks, including quantum computers up to Grover's algorithm halving effective key length to 128 bits. AES-GCM (Galois/Counter Mode) is an authenticated encryption mode that produces both a ciphertext and an authentication tag, preventing undetected tampering with the ciphertext. AES-CBC (Cipher Block Chaining) is an older mode that provides confidentiality but not built-in authentication.
How does the tool work?
The tool derives a 256-bit AES key from the user passphrase using PBKDF2-HMAC-SHA256 with a randomly generated 16-byte salt and 600,000 iterations (NIST 2023 recommendation). In AES-GCM mode, a random 12-byte IV (initialization vector) is generated for each encryption operation. The plaintext is encrypted using SubtleCrypto.encrypt(), producing ciphertext and a 16-byte authentication tag. The salt, IV, and ciphertext+tag are concatenated and Base64-encoded to produce a portable encrypted string. Decryption extracts the salt and IV, re-derives the key using PBKDF2, and calls SubtleCrypto.decrypt() which verifies the authentication tag before returning the plaintext.
Typical Use Cases
- Encrypting sensitive notes or configuration snippets for secure storage or sharing
- Learning how AES-GCM authenticated encryption works in practice
- Protecting a secret message for transmission over an insecure channel
- Testing AES encryption parameters before implementing them in application code
Step-by-step Guide
- Step 1: Enter the plain text you want to encrypt in the input area.
- Step 2: Enter a strong passphrase (use the Password Generator for a high-entropy one).
- Step 3: Click 'Encrypt' – the tool outputs a Base64-encoded ciphertext string.
- Step 4: To decrypt, paste the ciphertext, enter the same passphrase, and click 'Decrypt'.
Example
Input
Secret message | Passphrase: MyStr0ngP@ss
Output
Base64-encoded AES-GCM ciphertext (salt + IV + ciphertext + tag)
Tips & Notes
- The security of the encrypted message depends entirely on the passphrase strength – use a high-entropy passphrase, not a dictionary word.
- AES-GCM authentication tag detection means that if anyone modifies even one bit of the ciphertext, decryption will fail with an authentication error.
- This tool is suitable for low-to-medium security use cases. For high-security or enterprise needs, use established end-to-end encrypted tools (Signal, PGP, Tresorit).
Frequently Asked Questions
What is the difference between AES-GCM and AES-CBC?
AES-GCM provides authenticated encryption – it encrypts and also produces an authentication tag that verifies data integrity. If the ciphertext is tampered with, decryption fails. AES-CBC provides only confidentiality without integrity protection, requiring a separate HMAC for authentication (AES-CBC + HMAC is sometimes called AES-CBC-HMAC).
Is the encryption output portable?
Yes. The encrypted string contains everything needed to decrypt it (salt, IV, ciphertext, tag) encoded as Base64. You can share it and decrypt it with any AES-GCM implementation that uses the same PBKDF2 key derivation parameters.
Can I lose my data if I forget the passphrase?
Yes. There is no backdoor or recovery mechanism. If you forget the passphrase, the encrypted data cannot be recovered. Store the passphrase securely in a password manager.
Text Encryption
Encrypt and decrypt plaintext using AES, TripleDES, Rabbit, or RC4 — with selectable mode and output format.
Open Tool