AES Encryptor

Options

Mode

GCM provides authenticity via an auth tag; CBC/CTR require integrity checks elsewhere.

Key

PBKDF2 with SHA-256 and the above salt/iterations derives a 256-bit AES key.

IV / Nonce

Embed IV prefix in output

Recommended 12-byte IV for GCM. Enter hex, or click “Generate”.

AAD (optional)

If set, the same AAD is required for decryption.

Plaintext

About the AES Encryptor

Encrypt and decrypt text in your browser using AES-GCM, AES-CBC, or AES-CTR. Generate a random IV, derive keys from a password (PBKDF2), or paste a raw key. Outputs can be Base64 or Hex, with an optional IV prefix.

Quick Guide

Mode: Prefer GCM for authenticated encryption (integrity + confidentiality).
Key: Use Password to derive a 256-bit key (PBKDF2+SHA-256), or Raw key (16/24/32 bytes).
IV: GCM → 12 bytes; CBC/CTR → 16 bytes. You can embed the IV in the ciphertext output.
AAD (GCM): Extra data bound to the ciphertext—must match at decrypt time.
CTR length: Counter bits (default 64). The IV is used as the counter block.

Payload Format

When Embed IV prefix is enabled, the output is [IV || CIPHERTEXT(+TAG)] encoded as Base64/Hex. For GCM, the auth tag is part of the Web Crypto output buffer.

Security Notes

Never reuse the same (key, IV) pair. Generating a fresh IV for each encryption is critical.
GCM protects integrity; CBC/CTR do not. Add an HMAC if you must use CBC/CTR.
Password-derived keys are only as strong as the password and iteration count.

Lookup

Encode & Decode

Conversion

Calculator

Generators

Data Tools

Text Processing

Media

Development

Other