AES Encrypt Online — Free AES-256-GCM Text Encryption

Encrypt text with a passphrase using AES-256-GCM authenticated encryption and PBKDF2-SHA256 key derivation. Runs entirely in your browser through the Web Crypto API — passphrase and plaintext never leave the device.

Privacy & security: Your passphrase and plaintext never leave the browser. Encryption uses AES-256-GCM (authenticated encryption — tampering is detected) with keys derived from the passphrase via PBKDF2-HMAC-SHA256, 250,000 iterations and a fresh 16-byte random salt and 12-byte random IV per message. All primitives come from the browser's native Web Crypto SubtleCrypto API.

What is AES Encryption?

AES (Advanced Encryption Standard) is the symmetric cipher used to protect almost everything you transmit or store today — TLS, disk encryption, password managers, signed JWTs, encrypted backups, messaging apps. This tool runs AES-256-GCM: a 256-bit key in Galois/Counter Mode, providing both confidentiality and authentication in a single primitive.

Because users do not type 256-bit keys directly, the key is derived from your passphrase using PBKDF2-HMAC-SHA256 with 250,000 iterations and a random 16-byte salt. The random salt means no precomputed table of passphrase hashes can be reused across messages, so an attacker must redo the derivation for every guess against every ciphertext; the iteration count multiplies the cost of each guess by ~250,000×. The resulting key is fed to AES-GCM with a fresh 12-byte IV, and the salt, IV, and ciphertext are packed into a single base64 string ready to share.

How to encrypt text online — 4 steps

  1. Paste your plaintext. Anything textual — credentials, recovery phrases, env files, JSON payloads. UTF-8 encoding is applied automatically.
  2. Pick a passphrase. Long and random beats short and clever. Four or more random dictionary words, or a 16+ character random string from a password manager.
  3. Click Encrypt. The browser derives the AES-256 key with PBKDF2 (~250k SHA-256 hashes) and encrypts under AES-GCM. A new salt and IV are generated every run.
  4. Copy the base64 ciphertext. Share it through any channel. To recover the plaintext, the receiver uses the AES Decrypt tool with the same passphrase.

Output format — what is in the base64?

The base64 string packs three pieces of data so a recipient needs only the ciphertext and the passphrase — never a separate salt or IV:

base64( salt(16 bytes)  ||  iv(12 bytes)  ||  ciphertext(N + 16 bytes GCM tag) )

  bytes 0..15    salt   — used for PBKDF2 on the decrypt side
  bytes 16..27   iv     — required by AES-GCM, must be unique per message
  bytes 28..end  ct+tag — AES-256-GCM ciphertext with 128-bit authentication tag

This is the same self-contained approach used by formats such as the age header, AWS Encryption SDK envelopes, and most modern AEAD wrappers: the public parameters travel with the ciphertext, so you store one blob and decrypt with one secret.

AES-256-GCM

256-bit key, Galois/Counter Mode. Authenticated encryption — any tampering with the ciphertext is detected at decryption time and surfaces as an error.

PBKDF2 Key Derivation

250,000 iterations of HMAC-SHA256 with a fresh random salt every run, raising the cost of any offline brute-force attack against your passphrase.

Browser-Only Crypto

Web Crypto SubtleCrypto runs the cipher inside your browser process. The passphrase, plaintext, and derived key never reach a server or a third party.

Common use cases

  • Encrypting recovery phrases or seed words before storing in cloud notes
  • Sharing API keys or database credentials with a teammate over an untrusted channel
  • Wrapping .env contents before committing an encrypted snapshot to a private gist
  • Protecting personal journal entries or local-first app payloads
  • Adding a passphrase layer on top of an already-encrypted backup
  • Demonstrating AEAD encryption in security training and code reviews
  • Producing reproducible test ciphertexts for unit tests of decrypt logic
  • Quickly verifying that downstream PBKDF2 / AES-GCM code interoperates with a browser baseline

Why authenticated encryption matters

Plain AES-CBC keeps ciphertext confidential but does not stop an attacker who can intercept the bytes from changing them. The classic padding-oracle attacks against CBC let attackers decrypt or forge messages a byte at a time by observing how the receiver reacts to corrupted ciphertext. AES-GCM closes that hole: it returns a ciphertext plus a 128-bit authentication tag, and decryption refuses to produce plaintext if the tag does not verify. For new code, AEAD modes — AES-GCM or ChaCha20-Poly1305 — are the only sensible default.

Why client-side encryption matters

A web tool that asks for your passphrase and then sends it to a server is the wrong tool for the job — you have to trust the server, the operator, the TLS chain, the logging stack, and every future owner of the domain. OpenFormatter encrypts entirely in JavaScript using the browser's Web Crypto API. The passphrase is bound to a local CryptoKey handle and the ciphertext is rendered in the right-hand panel. Open DevTools → Network and click Encrypt — there is no outbound request.

Frequently Asked Questions

What encryption does this tool use?

AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode). The key is derived from your passphrase with PBKDF2-HMAC-SHA256 using 250,000 iterations and a fresh 16-byte random salt. A new 12-byte random IV is generated for every message. GCM provides authenticated encryption — any tampering with the ciphertext is detected at decryption time.

Is my passphrase sent to a server?

No. All encryption happens inside your browser through the Web Crypto SubtleCrypto API. The passphrase, plaintext, derived key, and ciphertext exist only in this tab. Open DevTools → Network and click Encrypt — you will see zero outbound requests.

What does the base64 output contain?

The output packs three things: the 16-byte salt (used for PBKDF2 on the receiving end), the 12-byte IV (required by AES-GCM), and the variable-length ciphertext including the GCM authentication tag. Layout is salt || iv || ciphertext, then base64 encoded. To decrypt you need only this one string and the passphrase — no separate IV or salt fields to track.

How strong is a 250,000-iteration PBKDF2?

OWASP currently recommends at least 600,000 iterations for PBKDF2-SHA256, but 250,000 is a reasonable browser default that finishes in well under a second on most devices while still costing an attacker meaningful compute per guess. The real defence against brute force is a long, high-entropy passphrase — 4+ random words from a wordlist, or a 16+ character random string. PBKDF2 buys you orders of magnitude, not infinity.

What happens if I forget the passphrase?

The ciphertext is unrecoverable. There is no backdoor, no recovery key, and no way for OpenFormatter to help — we never see the passphrase or the data. Store the passphrase in a password manager (1Password, Bitwarden, KeePass) before you encrypt anything important.

Can I encrypt files with this tool?

This page is text-only. AES-GCM works equally well on binary data — you can extend the same code to read a File via FileReader.readAsArrayBuffer and pass the ArrayBuffer to crypto.subtle.encrypt. The output and decrypt format would be identical except larger. We may add a file mode in the future.

Why AES-GCM and not AES-CBC?

AES-CBC provides confidentiality but no integrity — an attacker who can flip ciphertext bits can manipulate plaintext bits in predictable ways (padding-oracle attacks are the classic example). AES-GCM is an AEAD mode: it returns ciphertext with a built-in authentication tag, so any modification causes decryption to fail loudly rather than silently produce garbage. For new code, use GCM (or ChaCha20-Poly1305).

Is the output the same every time?

No, and that is by design. Both the salt and the IV are randomised per message, so encrypting the same plaintext with the same passphrase produces a completely different base64 string each time. This prevents an observer from learning that two ciphertexts share the same plaintext, and a unique IV per key is a hard requirement of AES-GCM: reusing an IV under the same key compromises both confidentiality and the authentication tag.
