AES Encryption

Encrypt and decrypt text using AES with a passphrase, entirely in your browser.

// status READY
// transport localhost · 0 bytes uploaded
// id 0x1B87
aes-encryption.sh 0x1B87
# aes-encryption.md

AES in the Real World — and Where Browser-Based Encryption Fits

AES (Advanced Encryption Standard) is the symmetric block cipher that underpins almost all encrypted data on Earth: HTTPS connections, BitLocker and FileVault disk encryption, WPA2/WPA3 WiFi, iMessage, Signal, and every major cloud storage provider. It was selected by NIST in 2001 after a five-year international competition, replacing DES which had a 56-bit key space already exhausted by brute force in 1999. AES-256 has a 2256 key space — larger than the number of atoms in the observable universe — making exhaustive key search physically impossible with any foreseeable technology.

Understanding where browser-based AES fits in this landscape requires understanding the full threat model, not just the algorithm. AES itself is not broken and is not the weak point in any realistic attack. The weak points are almost always: key management (is the passphrase strong enough and kept secret?), implementation bugs (wrong mode, no IV, padding oracle), and operational security (is the encrypted output shared over a channel an attacker can intercept?).

Modes of Operation — Why the Mode Matters as Much as the Key

AES is a block cipher: it encrypts 128-bit (16-byte) blocks. A "mode of operation" defines how to handle data longer than one block and how to prevent patterns from leaking through ciphertext.

ECB (Electronic Codebook) — the naive mode that should never be used. Each 16-byte block is encrypted independently with the same key. Identical plaintext blocks produce identical ciphertext blocks, meaning patterns in the data are visible in the output. The canonical demonstration is the "ECB penguin" — encrypting a bitmap image in ECB mode produces ciphertext that still shows the penguin silhouette. This tool does not use ECB.

CBC (Cipher Block Chaining) — each block is XORed with the previous ciphertext block before encryption, breaking the pattern problem. Requires a random Initialization Vector (IV) for the first block. CBC is well-understood but is vulnerable to padding oracle attacks if not implemented carefully — an adversary who can submit arbitrary ciphertexts and observe error messages can recover the plaintext byte by byte. This tool uses CBC, which is appropriate for one-shot encrypt/decrypt without an oracle.

GCM (Galois/Counter Mode) — the modern standard. GCM combines encryption with authentication (AEAD — Authenticated Encryption with Associated Data), producing both ciphertext and an authentication tag. The tag detects any tampering with the ciphertext before decryption occurs, which eliminates padding oracle attacks and ensures the integrity of the output. AES-256-GCM is what you want for any production system. The Web Crypto API (built into modern browsers) supports AES-GCM natively.

The Passphrase-to-Key Derivation Problem

AES requires a 256-bit (32-byte) key — not a human-readable passphrase. The process of converting a passphrase into a key is called Key Derivation, and doing it poorly is a common implementation flaw. A naive approach — hashing the passphrase with SHA-256 once — is fast, which means it is easy to brute-force: a GPU can try billions of candidate passphrases per second.

The correct approach is a Password-Based Key Derivation Function (PBKDF): PBKDF2, bcrypt, scrypt, or Argon2. This tool uses PBKDF2 with a random salt, which significantly increases the cost of attacking a weak passphrase. The salt is prepended to the ciphertext output — this is not a security weakness, since the salt's purpose is to prevent precomputation, not to be secret.

How to Use This Tool

  1. Encrypt: enter the plaintext and a passphrase. The output is a Base64-encoded string containing the salt, IV, and ciphertext — everything needed to decrypt later.
  2. Decrypt: paste the encrypted output and the same passphrase. Wrong passphrase produces garbled output or an error, not a helpful error message — by design.
  3. Use the password generator on this site to create a high-entropy passphrase.
  4. Share the passphrase through a different channel than the ciphertext.

## man aes-encryption

?> What AES mode and key derivation does this tool use?

AES-256-CBC with a PBKDF2-derived key (SHA-256 HMAC, 1,000 iterations) and a random 64-bit salt generated per encryption. The salt and IV are prepended to the output and included in decryption automatically. This is crypto-js's standard OpenSSL-compatible format.

?> Why is the encrypted output different every time even with the same input and passphrase?

A fresh random salt and IV are generated on every encryption call. The IV ensures that encrypting the same plaintext twice produces different ciphertext — a required property called IND-CPA security. An attacker who observes multiple encryptions of related messages gains no information about the relationship between them.

?> Is this suitable for encrypting sensitive files or medical records?

No. For high-stakes data, use a professionally audited tool with proper key management: age (age-encryption.org) for files, GPG for emails, or a hardware security module for keys. Browser-based encryption with a passphrase is appropriate for low-stakes personal use — encrypting notes before cloud storage, obfuscating a string in transit — where the threat model is casual snooping rather than targeted attack.

?> What is a padding oracle attack and should I be worried?

A padding oracle attack exploits a system that responds differently to valid vs. invalid CBC padding — the difference in error response leaks information that allows decrypting the ciphertext without the key. This attack requires submitting many modified ciphertexts and observing the responses. This tool provides no such oracle — it is a one-shot encrypt/decrypt with no error differentiation exposed to external parties. The attack is a concern for network APIs and web services, not for standalone browser tools.