Skip to content
epitometool

AES text encrypt/decrypt

Security tools

Encrypt and decrypt text locally with AES-256-GCM and passphrase-derived keys.

Updated

Encrypt

Cipher payload

Quick start

How to encrypt text with AES

Encrypt/decrypt text locally with passphrase-derived AES key.

  1. Step 1
    Enter plaintext

    Type message and passphrase.

  2. Step 2
    Encrypt

    Generate JSON payload containing salt, IV and ciphertext.

  3. Step 3
    Decrypt

    Use same passphrase to restore plaintext.

In-depth guide

AES-256-GCM encryption in your browser: how it works and when to use it

This tool encrypts and decrypts text with AES-256-GCM, the same authenticated cipher used by TLS, disk encryption and password managers. The encryption key is stretched from your passphrase with PBKDF2-SHA-256, and every message gets a fresh random salt and initialisation vector. All of it runs locally in your browser through the WebCrypto API — the text and passphrase never leave the page.

How the encryption works

AES-256-GCM is an authenticated cipher: it both hides the content and detects tampering. Because AES needs a fixed-length key, your passphrase is first run through PBKDF2-SHA-256 with a random salt to derive a 256-bit key. A random 96-bit IV (nonce) is generated for every encryption so the same text and passphrase never produce the same ciphertext twice.

The output is a small JSON bundle containing the salt, IV, ciphertext and the GCM authentication tag. Decryption re-derives the key from that salt and verifies the tag before returning any plaintext.

How to use it step by step

  1. Paste the text you want to protect and type a passphrase you can remember.
  2. Choose Encrypt and copy the JSON payload that appears.
  3. Store or send that payload. To recover the text, paste it back, enter the exact same passphrase and choose Decrypt.

The passphrase is the only secret — keep the JSON bundle wherever is convenient, since it is useless without the passphrase.

When to use it vs alternatives

Use this for quick, one-off secrets: a note you want to email, a token you need to hand to a colleague, or a snippet you want to keep in plain sight but unreadable. For ongoing storage of many credentials, a dedicated password manager is better. For files and long-term archives, reach for GPG or age, which handle key management, recipients and large inputs.

Pitfalls, security and privacy

There is no recovery path. If you forget the passphrase, the ciphertext is gone for good — by design, there is no backdoor.
  • Passphrase strength is everything. AES-256 is unbreakable in practice, but a weak passphrase can be guessed. Use a long, random phrase.
  • The payload format is specific to this tool. It is standard AES-GCM, but the JSON envelope is custom, so decrypt it here rather than expecting another library to read it as-is.
  • Nothing is uploaded. Encryption, decryption and key derivation all happen in your browser via WebCrypto; close the tab when you are done with sensitive text.

Frequently asked questions

Which algorithm and key derivation does it use?

AES-256-GCM for authenticated encryption, with the key derived from your passphrase using PBKDF2-SHA-256 and a random per-message salt and 96-bit IV.

Does my text or passphrase leave the browser?

No. Encryption, decryption and key derivation all run locally through the WebCrypto API. Nothing is uploaded, stored or logged.

What happens if I forget the passphrase?

The data is unrecoverable. There is no backdoor or reset by design — a strong cipher with a lost key means the ciphertext stays unreadable.

Can I decrypt the output with another tool?

The cipher is standard AES-GCM, but the JSON envelope that bundles the salt, IV and tag is specific to this tool, so decrypt it here rather than expecting a generic library to read it unchanged.

Why does the same text produce different output each time?

A fresh random salt and IV are generated for every encryption, so identical input never yields identical ciphertext. This is intentional and improves security.

Is this safe for real production secrets?

It is solid for quick personal use, but for managing many credentials use a password manager, and for files or long-term archives use GPG or age, which handle key management and large inputs.

Keep exploring

More tools you'll like

Hand-picked utilities that pair well with the one you're on — all free, client-side, and zero-signup.

More security tools

See all →

Popular across EpitomeTool

Browse all →
Browse all 212+ free tools