AES Text Encryptor

PBKDF2-hardened AES-GCM encrypt and decrypt.

About AES Text Encryptor

AES Text Encryptor on UtilityKit lets you encrypt and decrypt plain text using AES-256-GCM entirely inside your browser via the Web Crypto API. Enter your message, type a passphrase, and the tool derives a 256-bit key with PBKDF2 (600,000 iterations, SHA-256) before encrypting the text and outputting a Base64-encoded ciphertext you can share over email or Slack. Decryption is the reverse: paste the ciphertext, enter the passphrase, and the plaintext is restored — no server round-trip ever. This tool is designed for learning cryptography concepts, testing encryption flows in development, and low-stakes text protection. For production secrets, use dedicated tools like AWS Secrets Manager, HashiCorp Vault, or GPG. The passphrase, key, and plaintext never leave your device.

Why use AES Text Encryptor

100% Browser-Side

All cryptographic operations run in the Web Crypto API inside your browser. The passphrase, key material, plaintext, and ciphertext never reach any server.

AES-256-GCM

Uses the authenticated encryption mode of AES with 256-bit keys — the same standard used by TLS 1.3, Signal, and most modern encryption libraries.

PBKDF2 Key Derivation

Your passphrase is never used as a key directly. PBKDF2 with 600,000 iterations and SHA-256 derives a strong key, making brute-force attacks significantly slower.

Learn Encryption Concepts

See exactly how IV, salt, key derivation, and authenticated tags work in a real AES-GCM implementation — an interactive reference for developers studying cryptography.

Portable Ciphertext

Output is a self-contained Base64 string encoding the IV, salt, and ciphertext — share it anywhere text is accepted and decrypt it later from any device.

No Registration or Install

Open the tool in any modern browser and start encrypting immediately. No extension, no download, no account, and no dependency on an external encryption service.

How to use AES Text Encryptor

  1. Select the Encrypt tab. Type or paste the plaintext message you want to protect into the input field.
  2. Enter a strong passphrase in the passphrase field. The strength indicator shows how many bits of entropy your passphrase provides — aim for at least 60 bits.
  3. Click Encrypt. The tool derives a 256-bit AES key from your passphrase using PBKDF2 with a random salt, then encrypts the text with AES-256-GCM.
  4. Copy the Base64-encoded ciphertext output. This string contains the encrypted message, the random IV, and the PBKDF2 salt — everything the recipient needs to decrypt, except the passphrase.
  5. To decrypt: switch to the Decrypt tab, paste the ciphertext string, enter the same passphrase, and click Decrypt.
  6. The plaintext is restored and displayed instantly in the output field — no server contact, no data transmission, no logs.

When to use AES Text Encryptor

  • When learning how AES-GCM authenticated encryption works and you want an interactive tool that shows the IV, salt, and ciphertext components.
  • When writing encryption/decryption code in JavaScript or another language and you want a reference implementation to compare ciphertext output against.
  • When you need to send a low-sensitivity message over an insecure channel (public Slack, email) and want a quick passphrase-protected layer on top.
  • When testing that your application's decryption logic correctly handles AES-256-GCM ciphertext produced by the Web Crypto API.
  • When creating sample encrypted payloads for unit tests, API mock fixtures, or developer documentation examples.
  • When prototyping a feature that will involve client-side encryption and you want to validate the UX and payload structure before writing production code.

Examples

Encrypt a short message

Input: Plaintext: "Meet at 5pm — location shared separately", Passphrase: "correct-horse-battery"

Output: Base64 ciphertext: "U2FsdGVkX1..." (self-contained blob with salt + IV + ciphertext + auth tag, ~120 chars for this message length)

Decrypt received ciphertext

Input: Ciphertext: "U2FsdGVkX1...", Passphrase: "correct-horse-battery"

Output: Decrypted: "Meet at 5pm — location shared separately"

Wrong passphrase — authentication failure

Input: Ciphertext: "U2FsdGVkX1...", Passphrase: "wrong-passphrase"

Output: Error: Decryption failed — incorrect passphrase or corrupted ciphertext

Tips

  • Never reuse a passphrase across multiple encrypted messages if they will be shared with different recipients. Each recipient who knows the passphrase can decrypt all messages encrypted with it.
  • Store the ciphertext in one channel and share the passphrase in a separate channel (e.g. ciphertext in email, passphrase via Signal) for a simple two-channel handoff that prevents a single intercept from revealing the plaintext.
  • The Base64 output is self-contained — it embeds the salt and IV alongside the ciphertext. You do not need to store them separately; just keep the entire Base64 string intact.
  • To verify your passphrase before sharing the ciphertext, immediately try decrypting the output in the same session. A successful decryption confirms the passphrase was captured correctly.
  • For longer documents or binary files, this tool is not the right fit — it handles text only. For file encryption, use GPG or the `age` command-line tool, which are designed for arbitrary binary payloads.

Frequently Asked Questions

Is this safe for production secrets?
No. This tool is designed for learning, development testing, and low-stakes text protection. For production secrets — API keys, database credentials, personal data — use dedicated secrets management tools: AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, or GPG/age for file encryption. The encryption itself is cryptographically sound, but the tool lacks the access controls, audit logging, rotation policies, and threat-model scoping that production systems require.
Does any encrypted data get sent to the server?
No. All encryption and decryption operations run entirely in your browser using the Web Crypto API. The passphrase, derived key, plaintext, and ciphertext are never transmitted to UtilityKit's servers or any third party.
What is AES-256-GCM and why is it used?
AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode) is an authenticated encryption algorithm. GCM mode simultaneously encrypts the data and produces an authentication tag that detects any tampering. This means decryption fails loudly if the ciphertext has been modified — unlike older modes like AES-CBC which encrypt but do not authenticate.
What is a PBKDF2 salt and why does the output include it?
A salt is a random value mixed into the key derivation function to ensure that two encryptions of the same message with the same passphrase produce different ciphertexts. The salt must be stored alongside the ciphertext for decryption — so the output Base64 string encodes the salt, IV, auth tag, and ciphertext together in a single portable blob.
What is the IV (Initialization Vector)?
The IV is a random value (12 bytes for AES-GCM) that ensures encrypting the same plaintext twice with the same key produces different ciphertexts. It does not need to be secret and is included in the output ciphertext blob. Reusing an IV with the same key is a serious vulnerability — the tool generates a fresh cryptographically random IV for every encryption.
How strong does my passphrase need to be?
PBKDF2 stretches weak passphrases, but a short or common passphrase is still the weakest link. Aim for at least 12 characters mixing letters, numbers, and symbols, or use a random passphrase of 4+ uncommon words. The passphrase strength indicator shows estimated entropy in bits — 60+ bits is a reasonable target.
Can I decrypt in another language or library?
Yes. The encryption scheme is standard AES-256-GCM with PBKDF2 key derivation. You can replicate decryption in Python (`cryptography` library), Node.js (Web Crypto or `crypto` module), or any language with AES-GCM support, as long as you extract the salt, IV, and ciphertext from the Base64 bundle using the same layout the tool uses.
What happens if I enter the wrong passphrase?
AES-GCM's authentication tag verification will fail and the tool will display a decryption error rather than returning garbled plaintext. This authenticated failure is a feature — it means you know immediately that the passphrase is wrong or the ciphertext has been tampered with.
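
The answers above on decrypting in another library and on wrong-passphrase failures, worked through with the Node.js `crypto` module. This is an added example, not UtilityKit's own code: the bundle layout (salt, then IV, then ciphertext, then tag) and the 16-byte salt length are assumptions, so adjust the offsets to the layout the tool actually emits.

```javascript
// Added example, not UtilityKit's code. ASSUMED bundle layout:
//   Base64( salt[16] || iv[12] || ciphertext || tag[16] )
const nodeCrypto = require('crypto');

const SALT_LEN = 16;         // assumption: the page does not state the salt length
const IV_LEN = 12;           // 12-byte IV for AES-GCM, as stated on the page
const TAG_LEN = 16;          // 16-byte authentication tag
const ITERATIONS = 600000;   // PBKDF2 iteration count stated on the page

// PBKDF2-HMAC-SHA-256 over the UTF-8 passphrase, producing a 256-bit AES key.
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(Buffer.from(passphrase, 'utf8'), salt, ITERATIONS, 32, 'sha256');
}

function encryptText(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(SALT_LEN); // fresh salt for every message
  const iv = nodeCrypto.randomBytes(IV_LEN);     // fresh IV for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Web Crypto returns ciphertext and tag as one buffer; Node hands the tag over separately.
  return Buffer.concat([salt, iv, ct, cipher.getAuthTag()]).toString('base64');
}

function decryptText(bundleB64, passphrase) {
  const raw = Buffer.from(bundleB64, 'base64');
  if (raw.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('Bundle too short');
  const salt = raw.subarray(0, SALT_LEN);
  const iv = raw.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const ct = raw.subarray(SALT_LEN + IV_LEN, raw.length - TAG_LEN);
  const tag = raw.subarray(raw.length - TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv,
    { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  try {
    // final() throws when the tag does not verify, so no plaintext is returned on failure.
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch (err) {
    throw new Error('Decryption failed: incorrect passphrase or corrupted ciphertext');
  }
}
```

Calling `decryptText(encryptText(message, passphrase), passphrase)` returns the original message; a different passphrase or a single flipped bit anywhere in the bundle raises the error instead of returning garbled text.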

Glossary

AES-256-GCM
Advanced Encryption Standard with a 256-bit key operating in Galois/Counter Mode — an authenticated encryption algorithm that both encrypts data and produces a tamper-detection tag.
PBKDF2
Password-Based Key Derivation Function 2 — an algorithm that applies a pseudorandom function (SHA-256) many times (iterations) to a passphrase and salt to produce a strong cryptographic key, slowing down brute-force attacks.
IV (Initialization Vector)
A random value (12 bytes for AES-GCM) used once per encryption to ensure the same plaintext encrypted twice with the same key produces different ciphertext. Must never be reused with the same key.
Salt
A random value mixed into the PBKDF2 key derivation process to ensure that identical passphrases produce different keys for each encryption, preventing rainbow table attacks.
Authentication tag
A short value (16 bytes here, independent of the AES key size) appended to GCM ciphertext that cryptographically verifies the ciphertext has not been tampered with. Decryption fails if the tag does not match.
Web Crypto API
A browser-native JavaScript API (`window.crypto.subtle`) providing cryptographic primitives — key generation, encryption, hashing, signatures — without any third-party library, available in all modern browsers.