ToolHub

Text Encrypt and Decrypt

Encrypt text with a password

This uses real AES-GCM encryption with a key derived from your password via PBKDF2 (SHA-256, 100000 iterations). The strength of your encryption depends on the strength of your password, so pick a long, unique one. Everything runs in your browser and nothing is uploaded.

Overview

Encrypt and decrypt text with a password

Sometimes you need to protect a short piece of text: a note, an API key, a recovery phrase, or a message you are about to send through an insecure channel. This tool encrypts that text with a password so that only someone who knows the password can read it back.

ToolHub Text Encrypt and Decrypt uses real, industry-standard cryptography built into your browser: AES-GCM for the encryption and PBKDF2 to turn your password into a strong key. The output is a single Base64 string you can paste anywhere. Everything happens locally, and nothing is ever uploaded.

Step-by-step

How to encrypt and decrypt text

  1. Pick a mode

    Encrypt turns your plain text into a protected Base64 string. Decrypt reverses the process, turning that string back into readable text.

  2. Enter your text and password

    Paste the message (or the encrypted Base64) into the input and type the password. Use the exact same password to decrypt that you used to encrypt.

  3. Copy the result

    The output updates as you type. Click copy to grab the encrypted string or the decrypted message.

  4. Share safely

    Send the encrypted Base64 over any channel, and share the password through a separate, trusted one. Never send both together.

Background

How the encryption works

Good encryption is not about hiding the algorithm, it is about using a strong, well-tested one correctly. This tool follows current best practice with primitives from the Web Crypto API.

Key derivation with PBKDF2

Passwords are not used as keys directly. Instead, your password is run through PBKDF2 with SHA-256, a random 16-byte salt, and 100000 iterations to derive a 256-bit key. The salt makes every encryption unique, and the iterations make brute-force guessing slow.

Encryption with AES-GCM

The derived key encrypts your text with AES-GCM, an authenticated cipher. A fresh random 12-byte initialization vector (IV) is generated each time. AES-GCM also produces an authentication tag, so any tampering with the ciphertext is detected on decryption.

The output format

The final string is the Base64 encoding of salt + iv + ciphertext, concatenated in that order. Because the salt and IV travel with the ciphertext, decryption only needs the password and this one string. The salt and IV are not secret; only the password is.

Use cases

When to use password encryption

Sharing secrets in chat

Encrypt a credential before pasting it into Slack or email, then share the password by phone or in person.

Personal notes

Lock a private note with a password before saving it somewhere others might see it.

Backups and recovery phrases

Protect seed phrases or recovery codes with a password before storing them in a file or note app.

Sensitive form data

Encrypt a value locally before pasting it into a document or ticket that will be read by many people.

Teaching cryptography

Demonstrate AES-GCM, salts, and IVs with a real, working example instead of pseudocode.

Air-gapped transfers

Encrypt on one device and decrypt on another, since the whole thing works offline in the browser.

Tips and best practices

  • Your password is the only secret. A short or common password can be guessed, so use a long, unique passphrase.
  • Never send the encrypted text and the password through the same channel.
  • There is no password recovery. If you forget the password, the text cannot be decrypted by anyone, including us.
  • The same input encrypted twice produces different output because the salt and IV are random. That is expected and correct.
  • For ongoing encrypted messaging, use a dedicated end-to-end tool. This is best for one-off snippets.

Common questions

What happens if I enter the wrong password?

Decryption fails and you see a clear message asking you to check your password. AES-GCM verifies an authentication tag, so a wrong password or any corrupted input is detected rather than producing garbage text.

Is this actually secure?

The cryptography is sound: AES-256-GCM with PBKDF2 key derivation is a standard, respected combination. The real limit is your password. Strong encryption with a weak password is still weak, so choose a passphrase that is hard to guess.

Why does the same text give different output each time?

A random salt and IV are generated for every encryption. This is intentional and important: it ensures that identical messages do not produce identical ciphertext, which would leak information.

Can I decrypt this somewhere else?

Any tool that implements the same scheme can decrypt it: Base64-decode, split off the first 16 bytes as the salt and the next 12 as the IV, derive the key with PBKDF2-SHA-256 at 100000 iterations, then run AES-GCM decrypt with the remaining bytes.
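The steps above and the layout from "The output format", written for Node.js as an added example (this is not ToolHub's own code). It assumes the password is UTF-8 encoded and that the 16-byte GCM tag is appended to the ciphertext, which is what Web Crypto's AES-GCM does by default; the function and constant names are hypothetical.

```javascript
// Added example: independent encoder/decoder for base64(salt || iv || ciphertext || tag).
const nodeCrypto = require("node:crypto");

const SALT_LEN = 16;        // from the page
const IV_LEN = 12;          // from the page
const ITERATIONS = 100000;  // from the page
const TAG_LEN = 16;         // assumption: Web Crypto default 128-bit tag, appended
const MIN_LEN = SALT_LEN + IV_LEN + TAG_LEN;

// PBKDF2-SHA-256 -> 256-bit AES key. Assumption: password bytes are UTF-8.
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(Buffer.from(password, "utf8"), salt, ITERATIONS, 32, "sha256");
}

function encryptText(plaintext, password) {
  // Fresh salt and IV per message, so identical inputs never repeat output.
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([salt, iv, body, cipher.getAuthTag()]).toString("base64");
}

function decryptText(b64, password) {
  const blob = Buffer.from(b64.trim(), "base64");
  // Reject inputs that cannot even hold salt, IV and tag before slicing.
  if (blob.length < MIN_LEN) throw new Error("input too short for salt + iv + tag");
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const body = blob.subarray(SALT_LEN + IV_LEN, blob.length - TAG_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv(
    "aes-256-gcm", deriveKey(password, salt), iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  try {
    // final() throws if the tag does not verify: wrong key or altered bytes.
    return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
  } catch {
    throw new Error("decryption failed: wrong password or modified input");
  }
}
```

The salt length, IV length, and iteration count are fixed by the format; changing any of them produces strings the tool cannot read back.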

100% private

Privacy and security

All encryption and decryption run locally in your browser using window.crypto.subtle, the same vetted cryptography browsers use for HTTPS. Your text and password never leave your device and are never sent over the network.

Frequently asked questions

Is this real encryption?

Yes. It uses AES-GCM with a key derived from your password using PBKDF2, the same standards used in secure software.

What if I forget the password?

There is no recovery. Without the exact password the text cannot be decrypted, so keep it safe.

Is anything uploaded?

No. Encryption and decryption happen entirely in your browser. Your text and password never leave your device.