Alpha DevTools logoAlpha DevTools
All ToolsBy Technology
Search tools…⌘K
ToolsSecurityAES Encrypt / Decrypt

AES Encrypt / Decrypt

Security

Encrypt and decrypt text in your browser using AES-128, AES-192, or AES-256 with CBC, CTR, or GCM modes. Enter a custom key and IV for full control.

All encryption and decryption happens entirely in your browser via AES-256-GCM — passwords and plaintext never leave your device.
Password
Plaintext
Ciphertext (Base64)

Related Tools

UUID GeneratorCrypto Hash ToolsPassword ToolsJWT Decoder

About AES Encrypt / Decrypt

The AES Encrypt & Decrypt tool lets you perform symmetric encryption and decryption entirely within your browser using the Web Crypto API — the same battle-tested cryptographic primitive used by TLS, full-disk encryption, and secure messaging apps. Select a key length (128, 192, or 256 bits), an operation mode (CBC for compatibility, CTR for streaming, or GCM for authenticated encryption), then supply your own hex-encoded key and IV or generate them randomly. Ciphertext is output as base64 for easy transport, and authenticated GCM mode also exposes the authentication tag so you can detect tampering. No data is ever sent to a server.

Features

  • ✓Supports AES-128, AES-192, and AES-256 key sizes
  • ✓Three operation modes: CBC (PKCS#7 padded), CTR (stream), and GCM (authenticated)
  • ✓Accepts custom hex-encoded keys and initialisation vectors (IVs)
  • ✓Secure random key and IV generation with a single click
  • ✓Plaintext input and ciphertext output in base64 for safe text transport
  • ✓GCM mode exposes and validates the 128-bit authentication tag
  • ✓Separate Encrypt and Decrypt flows — paste ciphertext to reverse the operation
  • ✓PKCS#7 padding handled automatically in CBC mode
  • ✓Runs entirely via the browser-native Web Crypto API — no third-party crypto libraries
  • ✓100 % client-side — sensitive plaintext never leaves your machine

Common Use Cases

  • Encrypting sensitive configuration snippets before storing them in plaintext notes
  • Teaching AES operation modes and the importance of IVs in security courses
  • Verifying that an AES implementation produces the correct ciphertext against known test vectors
  • Prototyping a client-side encryption scheme before integrating it into an application
  • Encrypting a small secret for safe transmission over an insecure channel
  • Debugging interoperability issues between AES implementations in different languages
  • Demonstrating authenticated encryption (AES-GCM) versus unauthenticated modes (CBC, CTR)

Frequently Asked Questions

QWhich AES mode should I use?

Use AES-GCM whenever possible. It provides both confidentiality and integrity — the authentication tag detects any modification to the ciphertext. AES-CBC is widely supported but requires a separate MAC (e.g., HMAC) to achieve authenticated encryption. AES-CTR turns AES into a stream cipher and is efficient but also lacks built-in authentication.

QWhat is an IV and why does it matter?

The Initialisation Vector (IV) is a random value that ensures identical plaintexts produce different ciphertexts each time. In CBC and CTR modes the IV must be 16 bytes (128 bits); in GCM mode it is typically 12 bytes (96 bits). Never reuse an IV with the same key — particularly in CTR and GCM modes, IV reuse is catastrophic and can expose the key stream or allow forgery.

QHow do I choose the right key size?

AES-256 offers the highest security margin and is recommended for sensitive data. AES-128 is still considered secure against classical attacks and is slightly faster. AES-192 is rarely used and offers a negligible practical advantage over AES-128. For most applications AES-256 is the right default.

QIs the output base64 or hex?

Ciphertext is encoded as base64 by default, which is compact and safe to include in JSON, URLs, or email. The key and IV are expressed as hex strings because they are binary values that benefit from explicit byte-level readability during debugging.

QCan I decrypt ciphertext produced by OpenSSL?

Yes, provided you use the same key, IV, and mode. Note that `openssl enc -aes-256-cbc` derives the key and IV from a password using EVP_BytesToKey with MD5, which is not the same as supplying a raw key. Use the raw key/IV flags (`-K` and `-iv`) in OpenSSL to match this tool's behaviour.

QWhy does GCM decryption fail with 'authentication error'?

GCM decryption verifies the authentication tag before returning plaintext. Any modification to the ciphertext, tag, or associated data will cause this error. Ensure the ciphertext and tag bytes are exactly what was produced during encryption and have not been truncated or modified.

See Also

  • Crypto Hash Generatorrelated
  • HMAC Generatorrelated
  • RSA Key Generatorrelated
  • Bcrypt Generatorrelated
  • CRC32 Generatorrelated
189+ tools·and growing
100% private·nothing uploaded
Zero signup·open instantly
Always free·no paywalls ever
Alpha DevTools logoAlpha DevTools

Fast, free developer utilities for daily tasks. No signup required. Everything runs in your browser.

GitHubTwitter

Categories

  • Formatters
  • Converters
  • Security
  • Encoders & Decoders
  • UI Tools
  • Diagrams
  • Text & String
  • All categories

Technologies

  • JSON
  • YAML
  • CSV
  • XML
  • SQL
  • HTML
  • CSS
  • All technologies

Popular Tools

  • JSON Formatter
  • UUID Generator
  • JWT Decoder
  • Regex Tester
  • SQL Formatter
  • YAML Formatter

Platform

  • Home
  • All Tools
  • By Technology
  • Licenses
  • Contact

© 2026 Alpha DevTools — All rights reserved.

189+ tools · 14 categories · Free forever·Open-source licenses