AES Encryption: Encrypt & Decrypt Text
AES encryption tool supporting AES-128 and AES-256 with GCM, CBC, and CTR modes. Free, browser-based, no data ever leaves your device.
What Is AES Encryption?
AES Encryption is a browser-based tool for encrypting and decrypting text using the Advanced Encryption Standard algorithm. It solves the everyday problem of needing to protect sensitive text — API keys, personal notes, credentials — without relying on third-party servers. You would use it whenever you need to share sensitive data over an insecure channel, store a secret safely, or verify you can decrypt your own ciphertext. Unlike most online encryption tools, this one uses the browser's native Web Crypto API and performs all operations locally, so your plaintext and password never leave your device.
Key Features
- AES-128 and AES-256 key sizes — The key size dropdown offers two options: 128-bit (10 rounds) and 256-bit (14 rounds). AES-256 is the default and the most widely recommended for high-security use.
- Three cipher modes: GCM (recommended), CBC, CTR — GCM provides authenticated encryption, detecting tampering automatically. CBC is widely supported but requires careful IV management. CTR turns the block cipher into a stream cipher, useful for certain protocols.
- Password-based key derivation via PBKDF2 — Your password is never used directly as a key. The tool runs 100,000 iterations of PBKDF2 with SHA-256 and a randomly generated 16-byte salt, producing a hardened key.
- Base64 and Hex output formats — Choose Base64 for compact text transport or Hex for human-readable byte inspection.
- Batch mode — Encrypt or decrypt multiple strings at once, with results displayed in an indexed table and a single "Copy All Results" button.
- Randomized salt and IV per operation — Every encryption generates a fresh salt (16 bytes) and IV (12 bytes for GCM, 16 bytes for CBC/CTR), embedded in the output so decryption is self-contained.
- 100% client-side using the Web Crypto API — No server, no account, no network request after the page loads.
How to Use AES Encryption
Step 1: Choose your cipher settings
Open the AES Encryption tool. At the top of the controls card you will see four dropdowns:
- Mode — Select "Encrypt" or "Decrypt"
- Key Size — Select AES-128 or AES-256
- Cipher Mode — Select GCM, CBC, or CTR (GCM is labeled "recommended")
- Output Format — Select Base64 or Hex
For most use cases, keep the defaults: Encrypt, AES-256, GCM, Base64.
Step 2: Enter your password
Type a password in the Password field. Click the eye icon on the right to toggle visibility. The password hint below the field reminds you that PBKDF2 key derivation is applied, so any password of reasonable length is hardened before use. The Encrypt/Decrypt button remains disabled until both the password and input fields contain text.
Step 3: Enter your plaintext and encrypt
Type or paste your text into the left "Plaintext" textarea. Click the Encrypt button. The tool generates a random salt and IV, derives your key via PBKDF2 (100,000 iterations, SHA-256), encrypts using the Web Crypto API, and combines salt + IV + ciphertext into a single encoded blob.
Example input:
{"api_key": "sk-prod-abc123xyz", "expires": "2026-12-31"}Example Base64 output (GCM mode, AES-256):
3q2+7wABAgMEBQYHCAkKCwwNDg/aBcDeFgHiJkLmNoPqRsTuVwXyZabc...A success toast confirms the operation. The output appears in the right "Ciphertext" textarea with a Copy button.
Step 4: Decrypt ciphertext
Switch the Mode dropdown to "Decrypt". Paste the Base64 or Hex ciphertext into the input field. Enter the same password you used during encryption and click Decrypt. The tool extracts the embedded salt and IV from the blob, re-derives the key, and decrypts. The recovered plaintext appears in the output area.
Step 5 (Optional): Use batch mode
Toggle "Batch Mode" in the controls card. Enter one plaintext string per line in the batch input. Click "Encrypt All" or "Decrypt All". A progress indicator tracks each item. Results appear in a table with columns for index, input, and output. Click "Copy All Results" to copy the entire output batch to your clipboard.
Practical Examples
Protecting API credentials before storage
A developer needs to store a third-party API key in a configuration file that will be checked into version control.
Input:
STRIPE_SECRET_KEY=sk_live_4eC39HqLyjWDarjtT1zdp7dcAfter encrypting with AES-256-GCM and outputting as Base64, the stored value is an opaque blob. Only someone with the password can recover the original key. This approach is not a replacement for proper secrets management, but it adds a meaningful layer of protection for low-risk environments.
Sharing a password over an insecure channel
You need to send a Wi-Fi password to a family member via an unencrypted messaging app. Encrypt the password with a shared passphrase you agreed on verbally, send the ciphertext, and let the recipient decrypt it on their device.
The GCM mode ensures that if any character in the ciphertext is altered in transit, decryption fails with an authentication error rather than silently producing corrupted output.
Batch encrypting a list of PII records
A data analyst needs to pseudonymize 50 email addresses before inserting them into a shared spreadsheet. Enable batch mode, paste all 50 addresses one per line, set a strong password, click "Encrypt All", and copy the entire result set in one operation.
Tips and Best Practices
Use GCM unless you have a specific reason not to. GCM provides authenticated encryption: the auth tag embedded in the output verifies both confidentiality and integrity. CBC and CTR do not authenticate ciphertext, meaning bit-flipping attacks are theoretically possible.
Your password strength matters more than key size. PBKDF2 with 100,000 SHA-256 iterations hardens weak passwords, but a 6-character password is still weaker than a 20-character passphrase. Use the Password Suite to generate a strong password before encrypting sensitive data.
The output blob is self-contained. The tool prepends the salt (16 bytes) and IV (12 bytes for GCM) to the ciphertext before encoding. You do not need to store the salt or IV separately — they are embedded in every output string.
Do not use CBC mode without understanding padding. CBC mode uses PKCS7 padding automatically via the Web Crypto API. If you copy ciphertext that is missing padding characters (common when text is truncated), decryption will fail.
Batch mode uses the same password for every item. There is no per-item password in batch mode. If you need different keys per record, process items individually.
Common Issues and Troubleshooting
"Decryption error" when the password is correct — This almost always means the cipher mode or output format does not match what was used during encryption. If you encrypted with GCM and Base64, you must decrypt with GCM and Base64. The salt and IV lengths differ between modes (GCM uses a 12-byte IV; CBC and CTR use 16 bytes), so a mode mismatch causes the slice offsets to misalign and decryption fails.
"Invalid format" error on decryption — The input to the decrypt operation must be valid Base64 or Hex (matching the selected output format). If you selected Hex output during encryption but paste a Base64 string for decryption, the hex parser throws an invalid format error. Check for truncated or line-wrapped ciphertext as well.
Encrypt button stays disabled — Both the password field and the input textarea must contain text. The button is disabled if either is empty.
Output looks different each time for the same input — This is correct and expected. A fresh random salt and IV are generated for every encryption operation. The same plaintext will always produce a different ciphertext, which is a security property, not a bug.
Batch mode shows errors for some items — Each item is processed independently. An item-level error (e.g., malformed Base64 on one line during decryption) is shown inline in the results table without stopping the other items.
Privacy and Security
All encryption and decryption happens entirely in your browser using the native Web Crypto API. No data — plaintext, ciphertext, or passwords — is sent to any server. The tool works offline after the page has loaded. There are no analytics tied to your inputs, no session storage of your keys, and no logging of operations. It is safe to use with sensitive production credentials, personal data, or private communications.
Frequently Asked Questions
Is AES Encryption free to use?
Yes, the AES Encryption tool is completely free. There is no account required, no usage limit, and no premium tier for the encryption functionality itself. The tool runs entirely in your browser, so there are no ongoing server costs that would justify charging for use.
Does AES Encryption work offline?
Yes. Once the page has loaded in your browser, all operations — key derivation, encryption, decryption — execute locally using the Web Crypto API. You can disconnect from the internet and continue using the tool without interruption. This also means the tool cannot phone home even if it wanted to.
Is my data safe with AES Encryption?
Your data never leaves your browser. The Web Crypto API is a browser-native cryptographic interface that has been audited as part of the browser itself. The specific implementation uses PBKDF2 with 100,000 SHA-256 iterations for key derivation and fresh random salts and IVs for every operation. You can inspect the source code directly in your browser's developer tools to verify these claims.
What is the difference between AES-128 and AES-256?
The numbers refer to the key length in bits. AES-128 uses 10 cipher rounds and AES-256 uses 14. Both are considered secure against brute-force attacks with current and near-future hardware. The practical difference for most use cases is negligible. AES-256 is the default because it offers the largest security margin and is required by some compliance frameworks (e.g., certain NIST and FIPS contexts). The AES standard also defines AES-192 (12 rounds), but the Web Crypto API in most browsers only supports AES-128 and AES-256, which are also the most commonly used key sizes.
What is the difference between GCM, CBC, and CTR modes?
GCM (Galois/Counter Mode) is an authenticated encryption mode: it produces an authentication tag that allows the decryptor to verify the ciphertext has not been tampered with. CBC (Cipher Block Chaining) and CTR (Counter) modes encrypt data but do not authenticate it; a modified ciphertext decrypts to garbage rather than producing an error. GCM is recommended for almost all use cases. CBC is widely supported in legacy systems. CTR is useful in streaming contexts.
Can I decrypt ciphertext encrypted by another AES tool?
Not directly. The output format used here concatenates salt (16 bytes) + IV (12 bytes for GCM, 16 for CBC/CTR) + ciphertext before Base64 or Hex encoding. Other tools may use different formats, different IV lengths, or different key derivation schemes. If you know the exact parameters used by the other tool, you can manually provide the key as a raw hex value — but the current implementation uses password-based derivation (PBKDF2) rather than accepting raw keys.
What output format should I use, Base64 or Hex?
Base64 is more compact (roughly 33% shorter than Hex for the same data) and is the better choice when you need to embed ciphertext in JSON, URLs, or text files. Hex is more readable byte-by-byte and is preferred when you need to inspect or manipulate individual bytes. Both formats carry identical information; the choice is purely about how the bytes are represented.
What happens if I lose my password?
There is no password recovery. The key derivation is a one-way process: PBKDF2 with 100,000 iterations converts your password and the embedded salt into a key. Without the original password, the key cannot be reproduced and the ciphertext cannot be decrypted. Store your password securely — for example, in a password manager.
Does batch mode preserve the order of inputs?
Yes. Results in the batch table are indexed to match the input line order. The index column shows the 1-based position of each item, and the table preserves the original sequence regardless of how fast individual items complete.
Can I use this tool to encrypt files?
The current tool is designed for text input only. It accepts text via the textarea, not file uploads. For encrypting binary files, you would need a dedicated file encryption tool.
Related Tools
- Password Suite — Generate strong passwords to use as encryption keys before running AES operations.
- RSA Key Generator — Generate RSA key pairs for asymmetric encryption workflows that complement AES symmetric encryption.
- SSH Key Generator — Create Ed25519 or RSA SSH keys for authenticating to remote servers securely.
Try AES Encryption now: Glyph Widgets AES Encryption Tool