AES Encryption / Decryption

The Lock That Governments Trust for Classified Data

AES (Advanced Encryption Standard) was selected by NIST in 2001 after a five-year public competition involving 15 candidate algorithms from teams worldwide. It replaced DES, which had become crackable by dedicated hardware. The US government approved AES-256 for encrypting top-secret information in 2003 — the same standard this browser tool uses. Since then, no practical attack against AES-256 has been demonstrated. The best theoretical attack reduces the effective key space from 2^256 to 2^254 — a reduction of four possible keys out of an astronomically large space, with zero practical significance. When you encrypt something with AES-256-GCM here, you are using the same cryptographic primitive that protects classified government communications, HTTPS traffic, and full-disk encryption on your laptop.

Why GCM Changes Everything About Symmetric Encryption

Older AES modes like CBC (Cipher Block Chaining) provided confidentiality — they scrambled your data — but not integrity. An attacker who intercepted CBC-encrypted ciphertext could flip specific bits and produce corrupted-but-syntactically-valid plaintext on the other end without knowing the key. This class of attack (called a padding oracle attack) was responsible for major real-world breaches. GCM (Galois/Counter Mode) solved this by adding a cryptographic authentication tag to every encrypted message. If even a single bit of the ciphertext is modified — by an attacker, a transmission error, or storage corruption — decryption fails with an authentication error before any modified data is ever seen by the application. This property is called Authenticated Encryption with Associated Data (AEAD), and GCM is the most widely deployed AEAD mode in modern protocols including TLS 1.3, SSH and IPSec.

Turning a Passphrase Into a 256-Bit Key — PBKDF2 Explained

AES requires a key of exactly 256 bits (32 bytes). A human passphrase like "correct-horse-battery-staple" is neither the right length nor uniformly random — it cannot be used directly. PBKDF2 (Password-Based Key Derivation Function 2) bridges this gap. It takes your passphrase plus a randomly generated 16-byte salt, then runs SHA-256 hashing 100,000 times in a chain, producing a 256-bit output that is statistically indistinguishable from a random key. The 100,000 iterations are intentional slowdown — on your device it takes approximately 100ms, but for an attacker trying billions of passphrases against a stolen ciphertext, it means only about 10 attempts per second per GPU rather than billions. The salt ensures that two encryptions with the same passphrase produce completely different derived keys, defeating precomputed table attacks.

What the Base64 Output Actually Contains

The encrypted output is a single Base64 string, but it encodes four components concatenated together. The first 16 bytes are the random salt used for key derivation — unique per encryption, stored openly. The next 12 bytes are the IV (Initialisation Vector) — a random nonce that ensures the same plaintext encrypted twice produces different ciphertext even with the same passphrase. Then comes the ciphertext itself — the encrypted payload. Finally, the last 16 bytes are the GCM authentication tag — the cryptographic proof that nothing was modified. This self-contained format means decryption needs only two things: the Base64 string and the passphrase. No separate key files, no IV storage, no salt management. Copy the output anywhere — it is safe to store or transmit publicly because the ciphertext reveals nothing without the passphrase.

Scenarios Where Browser-Based AES Encryption Is the Right Choice

• Cloud storage of sensitive notes: Encrypt journal entries, medical notes or personal records before uploading to Google Drive or Dropbox — the provider cannot read the encrypted content even if subpoenaed
• Two-channel secure sharing: Encrypt a message, post the ciphertext in a public channel (email, Slack, Discord), share the passphrase via a completely separate channel (SMS, phone call) — only someone with both can decrypt
• API credential storage: Encrypt API keys, OAuth tokens and database credentials before committing to version control or storing in configuration files — if the repo is exposed, encrypted secrets are worthless without the passphrase
• Testing AES decryption implementations: Generate valid AES-256-GCM ciphertext to verify your application correctly handles the salt+IV+ciphertext+tag format and authentication tag verification
• Encrypting export files: Encrypt CSV exports of sensitive data before emailing to colleagues or archiving — use our Password Generator to create a strong passphrase first

The One Thing That Can Defeat AES-256 — Your Passphrase

AES-256-GCM itself has never been broken and is not the weak point. The weak point is always the passphrase. A short, predictable passphrase reduces an astronomical keyspace to a searchable one. "password123" as a passphrase means an attacker only needs to try common passwords — not 2^256 keys. PBKDF2 with 100,000 iterations slows this attack substantially but does not eliminate it if the passphrase is weak. Use our Password Generator to create a strong random passphrase (20+ characters, all character sets), store it in a password manager, and share it through a channel different from the ciphertext.

Nothing Leaves Your Browser — The Architecture Matters

All cryptographic operations use the browser's native Web Crypto API (crypto.subtle.encrypt, crypto.subtle.decrypt, crypto.subtle.deriveKey). This is the same hardware-accelerated implementation used by your browser for HTTPS. Your plaintext, passphrase and ciphertext never leave your device — there are no network requests, no server-side processing and no logging. Once you close the tab, all data is cleared from browser memory. This architecture is what makes the tool appropriate for encrypting genuinely sensitive material: confidential business documents, personal health information, legal correspondence and private financial data.

✓Verified by ToollyX Team · Last updated June 2026