Why does AES encryption need a secret key?

AES is a symmetric algorithm, so the same key is used for both encryption and decryption. The encrypted data can only be recovered with the exact matching key.

What is the difference between CBC, CTR, and GCM?

CBC is a classic block mode, CTR works well for parallel and streaming workflows, and GCM adds authentication so it protects confidentiality and integrity at the same time.

Why must the IV or nonce be unique?

Reusing an IV or nonce weakens encryption security and can be catastrophic in CTR and GCM mode, so each encryption run should use a fresh random value.

When should I choose Base64 or Hex output?

Base64 is more compact and better for APIs or JSON, while Hex is larger but easier to inspect byte by byte during debugging.

// cryptographic tool v2.0

AES Cipher

CLIENT-SIDE ONLY

WEB CRYPTO API

⚙

Algorithm Configuration

Mode

Key Size

Padding

Output Encoding

🔑

Key & IV Material

Secret Key

Requires 32 hex characters (256-bit)

IV / Nonce

The hex IV needs 32 characters (CBC/CTR=32, GCM=24)

⚠ This nonce has already been used in GCM mode. Reusing a nonce severely breaks encryption security, so please generate a fresh one.

⬇

Release to load the file

PLAINTEXT / INPUT

CIPHERTEXT / OUTPUT

Encryption complete - Raw binary bytes ready for the decryption tool

Export this configuration (Mode / Key Size / Key / IV) so it can be loaded directly in the decryption tool

Need decryption?

Ready - configure the key and click Encrypt

Algorithm

AES

CBC Mode

Key Strength

256

bits

Security Level

HIGH

Military Grade

Processed

bytes this session

🔑

Why do you need a secret key?

AES is a symmetric cipher, so the same secret key is used for both encryption and decryption. Key length defines the protection level: 128-bit covers most everyday use cases, 192-bit is chosen for higher assurance environments, and 256-bit is the strongest common option used in finance and other security-sensitive systems.

The secret key must remain confidential. Anyone who gets the key can decrypt the data, so avoid sharing it over unsafe channels and prefer randomly generated keys instead of manual input.

🎲

Why is an IV / nonce required?

The IV (Initialization Vector) or nonce makes sure that encrypting the same content with the same key still produces different ciphertext each time, which helps prevent pattern-based attacks.

CBC and CTR use a 16-byte IV (32 hex characters), while GCM uses a 12-byte nonce (24 hex characters). The IV does not need to stay secret, but it must be fresh for every encryption run and should never be reused.

⚙️

What does the encryption mode do?

AES works on fixed 16-byte blocks, and the selected mode controls how those blocks are chained together for data of any length.

CBC (Cipher Block Chaining): a classic and widely used mode for files and communication workflows.

CTR (Counter): turns AES into a stream-like mode that can be processed in parallel, making it well suited for large files.

GCM (Galois/Counter Mode): adds authentication on top of CTR, so it protects both confidentiality and integrity and is usually the best modern default.

📏

How should you choose the key size?

Longer keys raise the cost of brute-force attacks dramatically, although they also add a small performance overhead.

128-bit: strong enough for the vast majority of workloads and usually the fastest option.

192-bit: chosen when a higher security margin is required.

256-bit: the strongest standard option and a solid default when performance constraints are not critical.

📦

What does padding mean?

AES encrypts 16-byte blocks. If the input length is not a multiple of 16, the last block must be padded before encryption.

PKCS#7: fills the final block with bytes whose value equals the number of padding bytes, which makes removal precise during decryption.

Zero Padding: fills the remaining bytes with 00. It is simple, but ambiguous when the original data can naturally end with zero bytes.

🔠

What is output encoding?

Raw AES ciphertext is binary data, so it is often converted into a printable text format before transport or storage.

Base64: compact and well suited to APIs, JSON, and copy-paste workflows.

Hex: larger in size, but easier to inspect byte by byte during debugging and logging.