AES Encrypt & Decrypt

AES (Advanced Encryption Standard, FIPS 197) is the symmetric block cipher used by virtually every modern protocol that encrypts data in transit or at rest. This tool encrypts or decrypts arbitrary input using AES-GCM (recommended, authenticated) or AES-CBC (legacy, unauthenticated) at 128, 192, or 256-bit key sizes — all via the browser's Web Crypto API. Keys, IVs, and plaintext never leave your device.

Use AES-GCM for new designs: it's authenticated, parallelisable, and matches what TLS 1.3 uses. AES-CBC is included for compatibility with legacy systems and CTF challenges, but never use it without an HMAC for authentication.

Algorithm

Key size

Key (32 bytes / 256 bits)

IV / Nonce (12 bytes)

GCM nonces must be unique per key. Reusing a nonce with the same key is catastrophic.

Additional Authenticated Data (optional)

AAD is bound to the ciphertext via the auth tag. Decryption fails if it doesn't match.

Plaintext input

Notes for safe use

Don't reuse nonces

Reusing a GCM nonce with the same key leaks the XOR of the plaintexts and forfeits authentication entirely. Always generate a fresh random nonce per message — the "Random" button does this for you.

Keys aren't passwords

AES keys must be uniformly random bytes. To derive a key from a password, use a KDF like Argon2 or PBKDF2 first — the Hash Generator handles that.

No padding choices

The Web Crypto API uses PKCS#7 padding for CBC by default; GCM doesn't need padding. If you're interoperating with a system using a different padding scheme (zero-padding, ANSI X.923), you'll need to handle it outside this tool.