logo
GeekFormat

AES Encrypt / Decrypt

Please read before use

This tool runs entirely in your browser. No plaintext, ciphertext, or key is sent to a server.

It is intended for development, debugging, learning and self-managed scenarios. Do not use this page as the only protection for production secrets, customer data, or anything that requires auditing.

For real applications: use audited libraries (libsodium, OpenSSL, AWS Encryption SDK), a real KDF (Argon2id ≥ 1 iteration / 64 MiB), AEAD modes only, and manage keys on the server with proper access control.

Algorithm Mode
Key size
Ciphertext format (encrypt output / decrypt input)
Key source
Plaintext

UTF-8 text

Mode comparison — GCM vs CBC vs CTR
ModeAuthenticationIV requirementPerformanceRecommended use
AES-GCMYes (AEAD, 128-bit tag)12 bytes (recommended); never reuse with same keyFast, hardware-acceleratedDefault — modern API, file encryption, anything authenticated
AES-CBCNo — must add HMAC/MAC16 bytes; unpredictable (CSPRNG) and never reuseFast, hardware-acceleratedLegacy TLS, disk encryption (XTS-AES), never use raw for new designs
AES-CTRNo — must add HMAC/MAC16 bytes; never reuse with same key (catastrophic if reused)Fastest, parallelizableRandom-access streams, disk encryption, but combine with MAC

Reading the table

  • AES-GCM is the only AEAD among the three — it both encrypts and authenticates in one step. If you don't know which to choose, choose GCM.
  • CBC and CTR only provide confidentiality. They need a separate MAC (HMAC-SHA256, compute-then-MAC) or they are vulnerable to chosen-ciphertext and bit-flipping attacks.
  • Both IV and nonce must be unique per (key, message). GCM with a reused IV leaks the authentication key — treat as catastrophic.

Mode and format notes

  • Browser SubtleCrypto only provides GCM, CBC, and CTR for AES—not ECB, CFB, or OFB (to prevent weak usage). For other modes, use OpenSSL or a server-side library.
  • Ciphertext format options: Hex / Base64 / Base64URL, aligned with CyberChef, APIs, JWT, etc. Both encrypt and decrypt sides must use the same format.
  • Under AES-GCM, output is a continuous byte stream of "ciphertext + authentication tag"; this tool encodes the entire block into the selected format—paste the whole block when decrypting.

Notes

  • Web Crypto runs entirely in the browser; GCM is authenticated encryption, suitable for default scenarios.
  • On encrypt, leave IV empty and the tool will generate a random IV and fill it above for reuse during decryption.
  • On decrypt, leave IV empty to try an all-zero vector (only valid when the other party uses the same convention).

Free online AES encrypt/decrypt tool for AES-CBC, AES-GCM, and AES-CTR. Supports AES-128/192/256 keys, Hex/Base64/Base64URL ciphertext formats, PBKDF2-SHA256 password-based key derivation, random IV/salt generation, and browser-only Web Crypto processing.

Related

Use Cases

  • Encrypt a small text snippet with AES-GCM before sharing it through a controlled channel
  • Decrypt API payloads during frontend-backend integration when you need to compare IV, key, mode, and output format
  • Test whether a backend returns Hex, Base64, or Base64URL ciphertext and reproduce the same format in the browser
  • Generate PBKDF2-derived AES keys from passwords to understand salt, iteration count, and derived key size behavior
  • Compare AES-CBC, AES-GCM, and AES-CTR outputs side by side while learning how symmetric encryption modes differ
  • Create deterministic test vectors by fixing key, IV, salt, plaintext, mode, key size, and output encoding

Features

  • Three encryption modes: AES-CBC, AES-GCM authenticated encryption, and AES-CTR for mainstream encryption scenarios
  • Three key sizes: AES-128, AES-192, and AES-256, with AES-256 as the strongest default choice
  • Password-based encryption: derive AES keys with PBKDF2-SHA256 and 100,000 iterations instead of using weak raw passwords directly
  • Real-time password strength checks: length, uppercase, lowercase, digits, symbols, and common-password checks help users choose safer passwords
  • Random IV and salt generation: one click creates cryptographically random IV/salt values and writes them back into the UI for repeatable decryption
  • Multiple ciphertext formats: Hex, Base64, and Base64URL for API debugging, JWT-style transport, configuration files, and command-line interoperability
  • GCM authentication tag handling: the tool packages ciphertext + auth tag and flags verification failures when ciphertext, key, IV, or salt do not match
  • Browser-only Web Crypto: encryption and decryption run locally in the browser; plaintext, ciphertext, passwords, and keys are never uploaded
  • Mode comparison guidance: built-in notes explain when to choose GCM, CBC, or CTR and why IV/nonce reuse is dangerous
  • Developer-friendly copy workflow: generated keys, IVs, salts, ciphertext, and plaintext can be copied for API tests and troubleshooting

How to Use

  1. Choose encrypt or decrypt mode, then select AES-GCM, AES-CBC, or AES-CTR and the key size you need
  2. Use either a Hex key or a password. For password mode, enter a strong password and let PBKDF2 derive the AES key
  3. Pick the ciphertext format: Hex, Base64, or Base64URL. Keep the same format on both encryption and decryption sides
  4. For encryption, leave IV/salt empty to auto-generate secure random values; for decryption, paste the same IV/salt or use the header embedded by password mode
  5. Copy the output ciphertext or plaintext and keep mode, key size, IV, salt, and format together for reproducible decryption

FAQ

What is the difference between AES-CBC, AES-GCM, and AES-CTR?

CBC is a classic block mode that needs an IV and a separate MAC for integrity. GCM is authenticated encryption (AEAD) and can detect tampering, making it the recommended default for modern APIs. CTR turns AES into a stream-like mode and is fast and parallelizable, but it also needs a separate MAC. If unsure, choose GCM.

What is PBKDF2 key derivation and why is it needed?

PBKDF2 converts a human password into a stronger encryption key. This tool uses PBKDF2-SHA256 with 100,000 iterations and a random salt for each encryption. Compared with using a password directly as a key, PBKDF2 makes brute-force attacks more expensive and avoids identical passwords producing identical keys.

What is the difference between Hex key mode and password mode?

Hex key mode uses a raw 32/48/64-character hexadecimal key and is useful when matching a backend API or fixed test vector. Password mode accepts a memorable password and derives the AES key with PBKDF2, embedding or carrying salt information so the ciphertext can be decrypted later with the same password.

What does the password strength check measure?

The tool checks password length, uppercase letters, lowercase letters, digits, symbols, and common weak-password patterns. It shows weak/fair/good/strong guidance so you can avoid short or predictable passwords. For sensitive data, use a long random password generated by a password manager.

Why does AES-GCM decryption fail?

AES-GCM verifies an authentication tag. Failure usually means the key/password is wrong, IV or salt does not match, the ciphertext was modified, the output format was decoded incorrectly, or a different AES mode/key size was selected. Match every parameter from encryption to decryption.

Is this online AES encrypt/decrypt tool safe?

The cryptographic operations run with the browser Web Crypto API, and the page does not upload plaintext, ciphertext, passwords, or keys. It is suitable for development, API debugging, and learning. For highly sensitive production data, use audited local or server-side tooling with proper key management.

Which AES key lengths are supported?

The tool supports AES-128 (16-byte key), AES-192 (24-byte key), and AES-256 (32-byte key). AES-256 is the strongest and default-friendly option; AES-128 remains secure and can be faster; AES-192 is mostly used for specific compliance or interoperability requirements.

What is the difference between Hex, Base64, and Base64URL output?

Hex is easy to read and debug but larger. Base64 is more compact and common in JSON/configuration files. Base64URL replaces characters that are awkward in URLs and removes padding, making it suitable for URL parameters, JWT-style fields, and web transport.

How do I decrypt ciphertext generated by this tool?

In password mode, the salt and IV are included in the encoded output header and the tool can extract them during decryption. In Hex key mode, keep the key, IV, mode, key size, and output format from the encryption step and enter the same values when decrypting.

Can I use this tool to learn AES encryption?

Yes. You can switch between GCM, CBC, and CTR, compare output formats, see how IV and salt values affect results, and observe how PBKDF2 derives keys from passwords. It is a practical way to understand AES behavior before implementing it in application code.

What is AES Encrypt / Decrypt?

AES (Advanced Encryption Standard) is the modern symmetric block cipher used by browsers, TLS stacks, databases, cloud services, mobile apps, and operating systems to protect data with the same secret key for encryption and decryption. A correct AES setup is defined not only by the key, but also by mode, IV/nonce, padding or tag behavior, and output encoding.

AES-GCM is the recommended default for new designs because it is AEAD: it encrypts data and authenticates it at the same time. That means decryption fails if the ciphertext, key, IV, salt, or authentication tag has been changed. CBC and CTR only provide confidentiality and must be combined with a separate MAC such as HMAC-SHA256 for production protocols.

Password-based encryption needs a key derivation function. Human passwords are rarely random enough to be AES keys, so this tool uses PBKDF2-SHA256 with 100,000 iterations and a random salt to derive the actual AES key. The salt prevents identical passwords from producing identical derived keys and raises the cost of brute-force attacks.

IV and nonce handling is critical. GCM normally uses a 12-byte IV and must never reuse the same IV with the same key. CBC uses a 16-byte unpredictable IV. CTR uses a counter/nonce construction and reuse can be catastrophic. This tool auto-generates safe IV values during encryption and makes the value visible so decryption can reproduce the same parameters.

This page is designed for development, debugging, education, and self-managed encryption tests. For production secrets, regulated data, and customer information, use audited cryptographic libraries, server-side key management, access control, audit logs, and a modern KDF such as Argon2id where appropriate.