liminfo

Text Encryption Tool

Free web tool: Text Encryption Tool

Uses AES-256-GCM encryption via Web Crypto API. Key derived with PBKDF2 (100,000 iterations, SHA-256). All processing is done locally in your browser.

About Text Encryption Tool

The Text Encryption Tool encrypts and decrypts text using AES-256-GCM, the gold-standard symmetric encryption algorithm used in TLS, Signal, and countless other security-critical systems. You enter plaintext (to encrypt) or a Base64 ciphertext string (to decrypt), provide a password, and click the button. The tool uses the browser's native Web Crypto API — specifically crypto.subtle.encrypt and crypto.subtle.decrypt — so no external cryptographic library is needed and no data is ever sent to a server.

This tool is designed for developers who need to encrypt small sensitive strings before storing them in logs, config files, or databases; for users who want to share a sensitive note securely with someone who knows a shared password; and for security learners who want to see how AES-GCM encryption works in practice. The output is a Base64-encoded string that can be pasted into emails, documents, or code comments, and decrypted later by anyone with the correct password.

Technically, the encryption process works as follows: a 16-byte random salt and a 12-byte random initialization vector (IV) are generated using crypto.getRandomValues. A 256-bit AES-GCM key is then derived from the password using PBKDF2 with SHA-256 and 100,000 iterations — a strong work factor that makes brute-force password guessing slow. The salt, IV, and GCM ciphertext are concatenated into a single byte array and Base64-encoded as the final output. Decryption reverses this: it extracts the salt (bytes 0–15) and IV (bytes 16–27) from the decoded data, re-derives the key with PBKDF2, and decrypts the remainder (bytes 28+) using AES-GCM. Authentication is built into GCM mode — if the password is wrong or the ciphertext is tampered with, decryption fails with a clear error.

Key Features

  • AES-256-GCM encryption — provides both confidentiality and authenticated integrity
  • PBKDF2 key derivation with 100,000 SHA-256 iterations and a random 16-byte salt
  • Random 12-byte IV generated per encryption — no two ciphertexts are the same even for identical input
  • GCM authentication tag detects tampering or wrong passwords and shows a clear error
  • Encrypt and Decrypt modes in a single interface with Base64 ciphertext format
  • One-click copy of encrypted output to clipboard
  • 100% client-side via Web Crypto API — no server calls, no data uploaded
  • No sign-up, no download, completely free with no usage limits

Frequently Asked Questions

What encryption algorithm does this tool use?

The tool uses AES-256-GCM (Advanced Encryption Standard with a 256-bit key in Galois/Counter Mode). GCM is an authenticated encryption mode that provides both confidentiality (data cannot be read without the key) and integrity authentication (tampering with the ciphertext is detected). It is the same algorithm used in TLS 1.3, Signal, and WhatsApp.

How is the encryption key derived from my password?

The tool uses PBKDF2 (Password-Based Key Derivation Function 2) with SHA-256 as the pseudorandom function, 100,000 iterations, and a randomly generated 16-byte salt. The high iteration count makes brute-force attacks slow — each password guess requires 100,000 SHA-256 computations. The random salt ensures that the same password produces a different key each time, preventing rainbow table attacks.

What is the format of the encrypted output?

The output is a Base64-encoded string containing three components concatenated together: a 16-byte random salt, a 12-byte random IV (initialization vector), and the AES-GCM ciphertext plus authentication tag. When decrypting, the tool extracts these components by position — salt at bytes 0–15, IV at bytes 16–27, and ciphertext starting at byte 28.

Why does decryption fail?

Decryption fails for two reasons: (1) the password is incorrect — PBKDF2 will derive a different key, and AES-GCM will fail authentication, or (2) the ciphertext has been corrupted or modified — GCM mode detects any single-bit change in the ciphertext and rejects decryption. The tool shows "Decryption failed. Wrong password or corrupted data." in both cases.

Is AES-256-GCM secure enough for sensitive data?

Yes, AES-256-GCM is considered cryptographically secure and is approved by NIST for protecting sensitive government data. Breaking the encryption requires either knowing the password or performing an infeasible 2^256 brute-force search. With a strong password and 100,000 PBKDF2 iterations, the scheme is practical for protecting sensitive text strings.

What is the difference between encryption and encoding?

Encryption transforms data using a secret key so only authorized parties can read it. Encoding (like Base64) is a reversible transformation with no secret — it just changes the representation. This tool encrypts with AES-GCM and then Base64-encodes the output for convenient text handling. The Base64 part provides no security; security comes entirely from the AES-GCM encryption with your password.

Can I use this to encrypt files?

The tool is designed for text strings, not binary files. You can encrypt any text content including JSON, code snippets, passwords, or private notes. For binary file encryption, you would need a tool that handles file input and binary output — this tool operates on text with Base64 as the intermediary format.

Does the tool store my password or the encrypted text?

No. The password and all text fields exist only in your browser's memory (React component state) while the page is open. When you close the tab or navigate away, everything is gone. The Web Crypto API is called locally and no network requests are made. Your password never leaves your device.