Text Encrypt / Decrypt
AES-256-GCM text encryption with a passphrase
About the Text Encrypt / Decrypt
When you need to share a password, an API key, or a private note through an untrusted channel — a public Slack, an email thread, a shared document — symmetric encryption gives the recipient the ability to decode it without exposing the plaintext along the way. This tool implements AES-256-GCM, a mode of the Advanced Encryption Standard that provides both confidentiality and authentication, meaning a tampered ciphertext will fail to decrypt rather than produce garbled output.
The tool uses the native Web Crypto API built into every modern browser and never sends any data to a server. The passphrase is processed through PBKDF2 with 100,000 iterations of SHA-256 to derive a 256-bit encryption key, which slows down brute-force attacks on weak passphrases. The output is Base64-encoded so it can be safely copied into emails, JSON fields, or any text channel. Use cases include encrypting credentials before committing them to a repository, sending private notes over unencrypted channels, and creating encrypted backups of sensitive strings.
How to Use the Text Encrypt / Decrypt
- Select "Encrypt" or "Decrypt" mode using the toggle at the top.
- In Encrypt mode, paste your plaintext into the input area. In Decrypt mode, paste the Base64 ciphertext you received.
- Enter your passphrase in the passphrase field — use a strong, unique passphrase that both parties know. Click the eye icon to reveal and confirm what you typed.
- Click the action button. The result appears in the output area ready to copy. Use "Swap to Input" to move the output back for a second operation.
Why Use ToolForge’s Text Encrypt / Decrypt
- AES-256-GCM is a military-grade authenticated encryption mode. Unlike unauthenticated modes like AES-CBC, GCM detects any modification of the ciphertext and refuses to decrypt, protecting against padding-oracle and bit-flipping attacks.
- PBKDF2 with 100,000 iterations imposes a deliberate computational cost on any attacker trying to guess the passphrase by brute force, buying significant time even if the ciphertext is stolen.
- Everything runs in the browser. The passphrase, the plaintext, and the ciphertext are never transmitted to any server. You can verify this by loading the page, disconnecting from the internet, and encrypting a message — it still works.
- A random 16-byte salt and 12-byte IV are generated for every encryption operation, so encrypting the same message with the same passphrase twice produces different ciphertexts, preventing pattern analysis.
Frequently Asked Questions
What happens if I forget my passphrase?
The data is permanently unrecoverable. AES-GCM is a symmetric cipher — there is no master key, no recovery email, and no way to derive the passphrase from the ciphertext. Write the passphrase down in a secure location (a password manager, for example) before you share the ciphertext.
Is AES-256-GCM safe for sensitive data?
Yes. AES-256-GCM is approved by the U.S. National Institute of Standards and Technology (NIST) and is used in TLS 1.3, SSH, and encrypted messaging protocols worldwide. The security depends on using a strong, random-looking passphrase — the algorithm itself has no known practical weaknesses.
What is PBKDF2 and why does it matter?
PBKDF2 (Password-Based Key Derivation Function 2) converts a human-memorable passphrase into a cryptographic key by running it through a hash function many thousands of times. This means an attacker trying every possible passphrase must spend the same computational cost per guess, making brute-force attacks against weak passphrases orders of magnitude slower.
Can I store the Base64 ciphertext anywhere?
Yes — the ciphertext is designed for text channels. It contains no information about the plaintext without the passphrase, so it is safe to publish publicly. However, ensure the passphrase is shared through a completely separate, secure channel to avoid both being intercepted at once.
