AES Encrypt / Decrypt
Paste text and a passphrase to run a quick AES encryption or decryption with the selected PHP OpenSSL cipher. AES is the symmetric block cipher standardized by NIST in FIPS 197 and used in many TLS, WPA2, VPN and disk-encryption systems, but this page is a convenience tool for low-risk text, not an audited secret vault. For sensitive files or long-lived secrets, use an offline tool such as age, GnuPG or 7-Zip.
How to encrypt text with AES
-
1
Choose the OpenSSL cipher
The current options include CBC, CTR and GCM variants. CBC and CTR output is not authenticated, and this tool does not store or verify a GCM authentication tag.
-
2
Enter a passphrase
The passphrase is hashed once with SHA-256 to form the AES key. There is no PBKDF2, salt, Argon2 or work factor, so use a long random passphrase.
-
3
Paste low-risk text
This is a server-side Livewire/PHP OpenSSL utility. Do not paste passwords, production keys, private documents or secrets you would not send to this site.
-
4
Copy the Base64 result
Encryption creates a random IV, prepends it to the raw ciphertext, then Base64-encodes the combined bytes. Decryption needs the same cipher and passphrase.
What this tool actually outputs
This implementation uses PHP OpenSSL. For encryption it hashes the passphrase with SHA-256, generates a random IV of the length required by the selected cipher, encrypts the text, then returns:
Base64(IV || ciphertext)
The output does not include a salt, PBKDF2 parameters, an HMAC or a GCM authentication tag. It is not compatible with formats produced by Web Crypto, age, GnuPG, OpenSSL command-line recipes or 7-Zip.
AES options in context
AES has a fixed 128-bit (16-byte) block size and standard key sizes of 128, 192 and 256 bits. The important security difference here is not only key size; it is whether the encrypted message is authenticated.
| Cipher option | What to know in this tool |
|---|---|
| AES-128-CBC / AES-192-CBC / AES-256-CBC | Common block mode with a random IV and PKCS#7 padding. It needs a separate MAC such as HMAC-SHA-256 to detect tampering. |
| AES-256-CTR | Turns AES into a stream-like mode. It also needs separate authentication and must never reuse the same IV/counter with the same key. |
| AES-128-GCM / AES-256-GCM | GCM is normally an AEAD mode, but only when the authentication tag is stored and checked. This tool’s output does not include that tag, so do not rely on it for authenticated encryption. |
Security reminders
OWASP’s cryptographic storage guidance recommends authenticated encryption where possible, or encryption plus a separate MAC. Keep that in mind with this utility:
- This is symmetric encryption - the same passphrase decrypts. Share it through a different channel than the ciphertext.
- Weak passphrases are weak keys here - SHA-256 hashing is fast and unsalted, so attackers can try guesses quickly if they get the output.
- CBC and CTR need authentication - without HMAC or another MAC, attackers may be able to alter ciphertext without detection.
- Do not reuse an IV or nonce with the same key - the tool generates a fresh random IV when encrypting, but pasted external data must follow the same rule.
- Use audited file tools for real secrets - age, GnuPG and 7-Zip handle file formats, metadata and authentication more carefully.
Frequently Asked Questions
The current component hashes the passphrase with SHA-256 and uses the resulting bytes as key material for OpenSSL. It does not use PBKDF2, salt, scrypt or Argon2, so a short or reused passphrase is risky.
No. CBC and CTR need a separate MAC such as HMAC-SHA-256, and although GCM normally provides AEAD authentication, this tool does not store or verify the GCM tag in its Base64 output.
On the website server when the Livewire action runs PHP OpenSSL. This is not a browser-only Web Crypto tool, so do not paste high-value secrets, private keys or sensitive documents.
The Base64 result contains the random IV followed by the raw ciphertext. CBC padding can add bytes, and Base64 encoding makes binary data about one third larger. There is no salt or authentication tag in the stored format.
This tool only handles text input and is best kept for low-risk snippets. For files or important secrets, use an audited offline encryption utility such as age, GnuPG, or 7-Zip.
Related Tools
A1Z26 Cipher Encoder
Encode text using the A1Z26 cipher (A=1, B=2, ... Z=26) or decode a number sequence back to letters, with customizable separator.
Atbash Cipher Encoder
Encode or decode text with the Atbash cipher, a Hebrew substitution that maps A-Z to Z-A. Same operation encrypts and decrypts.
What Is My IP
Instantly see the public IP address your browser presents to the internet, whether it is IPv4 or IPv6, and the country it maps to. One-click copy, no login, nothing stored.
IP Address Lookup
Look up any public IPv4 or IPv6 address for approximate country, region, city, coordinates, ISP, ASN, organization and timezone.
Word Counter
Count words, characters, sentences and paragraphs with reading time, speaking time, keyword density and a Flesch readability score for essays, posts, captions and meta descriptions.
Speed Test
Run a fast, free, browser-based internet speed test. Measure your download speed in Mbps plus round-trip latency and jitter, and see whether your connection is ready for 4K streaming, gaming and video calls — no app, no signup.