Text Encryption / Decryption
Encrypt and decrypt text using AES-256-GCM with PBKDF2 key derivation. The same military-grade encryption used by SecureBin pastes. 100% client-side — your data never leaves your browser.
About Text Encryption with AES-256-GCM
This tool provides military-grade text encryption using the same cryptographic primitives that protect classified government communications, banking transactions, and SecureBin's own encrypted paste system. AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode) is the gold standard for authenticated symmetric encryption. It is recommended by NIST and the NSA and is used in TLS 1.3, which secures the modern internet.
How the Encryption Works
When you click Encrypt, the following cryptographic operations happen entirely in your browser: First, a cryptographically random 16-byte salt is generated using crypto.getRandomValues(). Your password and the salt are fed into PBKDF2 (Password-Based Key Derivation Function 2) with SHA-256 and 310,000 iterations to derive a 256-bit encryption key. A random 12-byte initialization vector (IV) is generated. Your plaintext is then encrypted using AES-256-GCM with the derived key and IV. The salt, IV, and ciphertext (which includes the GCM authentication tag) are concatenated and encoded as Base64 for easy copying and sharing.
PBKDF2 Key Derivation
Passwords alone are not suitable as encryption keys because they have low entropy and predictable patterns. PBKDF2 addresses this by repeatedly hashing the password with a unique salt, making brute-force attacks computationally expensive. With 310,000 iterations of SHA-256, deriving a single key takes measurable time even on modern hardware, so every guess in a dictionary attack pays that cost. The random salt ensures that identical passwords produce different keys, which defeats rainbow tables and other precomputation attacks.
Galois/Counter Mode (GCM)
GCM is an authenticated encryption mode that simultaneously provides confidentiality and integrity. Unlike simpler modes like CBC, GCM produces an authentication tag that verifies the ciphertext has not been modified or corrupted. If even a single bit of the encrypted data is changed, decryption will fail with an authentication error rather than producing garbled output. This protects against tampering and ensures you can trust that decrypted data is exactly what was originally encrypted.
The Initialization Vector
The 12-byte (96-bit) IV ensures that encrypting the same plaintext with the same password produces different ciphertext each time. This is critical for security because it prevents attackers from detecting patterns or relationships between encrypted messages. The IV does not need to be secret. It is stored alongside the ciphertext and is required for decryption. GCM is designed around a 96-bit IV, which is the recommended length for security and performance. What the IV must never do is repeat under the same key; because every encryption here also draws a fresh random salt, each message gets its own derived key as well as its own IV.
Password Strength Matters
The security of your encrypted text depends entirely on the strength of your password. A strong password should be at least 12 characters long and include a mix of uppercase letters, lowercase letters, numbers, and special characters. Avoid dictionary words, personal information, and common patterns. Consider using a passphrase of four or more random words for maximum security with memorability. Our password generator tool can create strong passwords for you.
Zero-Knowledge Architecture
This tool operates on a zero-knowledge principle: the server has no knowledge of your data or password. All cryptographic operations are performed by the Web Crypto API in your browser, a native browser capability that provides access to hardware-accelerated cryptographic primitives. No data is transmitted over the network at any point during the encryption or decryption process. You can verify this by using the tool with your network connection disabled.
Sharing Encrypted Text
The encrypted Base64 output can be safely shared through any channel, including email, messaging apps, or public forums. Without the correct password, the ciphertext is computationally indistinguishable from random data. Share the password through a different channel than the encrypted text for maximum security. For sharing sensitive data with expiration and view limits, consider using SecureBin's encrypted paste feature which adds additional protections.
Compatibility and Standards
The encryption format used by this tool is straightforward: salt (16 bytes) + IV (12 bytes) + ciphertext + GCM tag, Base64-encoded. This format can be decrypted by any implementation that supports AES-256-GCM and PBKDF2-SHA256, including OpenSSL, Python's cryptography library, Node.js crypto module, and Java's JCE. The choice of standard algorithms ensures long-term compatibility and auditability.