About AES Encrypt / Decrypt

AES-256-GCM encryption with authenticated ciphertext (iv:tag:body). Part of the DevTools Surf developer suite. Browse more tools in the Security / Crypto collection.

Use Cases

• Encrypt a small config value before storing in version control
• Verify an encryption library's output against a reference
• Teach GCM mode using controlled inputs and outputs
• Spot-check a coworker's AES implementation for correctness

Tips

• Uses AES-256-GCM — authenticated encryption
• Output format: iv:tag:ciphertext (all base64)
• Any key length is accepted; it's SHA-256'd to 32 bytes internally

Fun Facts

• AES (Rijndael) was selected by NIST in 2001 after a 5-year public competition. It's approved for TOP SECRET data in US government systems.
• AES operates on 128-bit blocks regardless of key size. The key size (128, 192, or 256 bits) only changes the number of encryption rounds (10, 12, or 14).
• Intel added dedicated AES-NI hardware instructions in 2010, making AES encryption essentially 'free' on modern CPUs — about 1 cycle per byte.

FAQ

Is AES-256-GCM secure?

Yes — GCM mode provides both encryption and authentication. A tampered ciphertext fails to decrypt, not just decrypts wrong. The NIST-recommended authenticated cipher.

What's the IV and tag?

IV (initialization vector) is a random 96-bit nonce — must be unique per encryption. Tag (128-bit) is the authentication. Output format: iv:tag:ciphertext, all base64.

Can I reuse an IV?

Never — reusing an IV with the same key breaks GCM's security (key recovery becomes possible). The tool generates a fresh IV per encryption.

Is this safe for production?

The algorithm yes. The tool is for debugging/teaching. For production encryption, use your language's vetted library (libsodium, Node crypto).