What ciphertext formats are supported here?

This page supports Base64 text, Hex text, and uploaded .enc binary files. File mode processes the raw bytes directly, so you do not need to pick an encoding manually.

Why can't I use an ENCRYPTED PRIVATE KEY file directly?

Password-protected ENCRYPTED PRIVATE KEY files must be unlocked with a passphrase first. To keep this page lightweight and browser-only, it currently supports unencrypted PRIVATE KEY / RSA PRIVATE KEY files only.

What usually causes RSA decryption to fail?

The most common causes are a mismatched private key, a different OAEP hash than the one used during encryption, corrupted ciphertext, or input that is not the original encrypted output.

// cryptographic tool v2.0

RSA Decipher

Q: Why does RSA decryption require a private key?

RSA is an asymmetric algorithm. The public key encrypts data, while the matching private key decrypts it. Without the correct private key, RSA-OAEP ciphertext cannot be recovered.

CLIENT-SIDE ONLY

WEB CRYPTO API

Switch to Encryption Tool

⚙

Algorithm Configuration

Key Size

OAEP Hash

🔑

Key Material

Private Key (PEM)

RSA-OAEP decryption uses the private key (4096-bit / SHA-256) - it must match the public key used during encryption

⬇

Release to load the .enc file

CIPHERTEXT / INPUT

PLAINTEXT / OUTPUT

Decrypted file ready to download

Need encryption?

Ready - paste a private key and ciphertext, then click Decrypt

Algorithm

RSA

OAEP / SHA-256

Key Strength

4096

bits

Security Level

HIGH

Asymmetric

Decrypted

bytes this session

🔑

Why does RSA decryption require a private key?

RSA is an asymmetric encryption algorithm. The public key encrypts data, while the matching private key is required for decryption. The private key corresponds uniquely to the public key used on the encryption page, so a mismatched key will cause decryption to fail.

The private key must remain confidential. If it is lost, nobody, including the original data owner, can recover the matching ciphertext. Save the private key file carefully when it is generated.

📏

Key size must match the encryption setup

The selected key size should match the public key size used during encryption. If it does not, private key import can fail immediately because the key material does not line up.

In most cases, once you paste the correct PEM private key, the browser will work with the right length automatically. If import still fails, verify that both the key size and hash selection match the encryption settings.

⚙️

OAEP hash must match encryption exactly

The hash algorithm used for RSA-OAEP decryption must be identical to the one used during encryption. If the hash differs, decryption will fail or return invalid output.

If the encryption step used SHA-256, which is the recommended default, this page must also use SHA-256. If you are unsure, test the available hash options until the correct combination succeeds.

🔠

Input encoding: what format is the ciphertext in?

The encryption tool outputs encoded text. To decrypt it correctly, this page must use the same encoding so it can restore the original binary bytes before running RSA-OAEP decryption.

Base64 ciphertext uses letters, digits, and +/=. Hex ciphertext uses 0-9 and a-f, with two characters per byte. If you upload a binary .enc file, the encoding selector is ignored automatically.

📄

PEM format explained

1️⃣ What is PEM?
PEM (Privacy-Enhanced Mail) is a text format used to store and transfer keys and certificates. It Base64-encodes binary DER data and wraps it with header and footer lines such as -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. Common labels include PUBLIC KEY, PRIVATE KEY, and CERTIFICATE. Because it is plain text, PEM is easy to copy, paste, and exchange across systems.

2️⃣ What other formats might you see?
- DER: a raw binary format that stores ASN.1 structures directly and is common in Java or certificate tooling.
- HEX: a hexadecimal string representation of DER bytes, useful for debugging or embedding byte data in code.
- Base64 without headers: the DER payload encoded as Base64 but without PEM wrappers, often used in compact configuration formats.
- PKCS#12 (PFX): a binary container that can package public and private keys together, usually protected with a password.

3️⃣ When should each format be used?
- PEM: the most universal choice for OpenSSL, web servers, API exchange, and manual key handling.
- DER: useful when binary storage is preferred or required by platform-specific tooling.
- HEX: handy for debugging and for situations where byte-level inspection matters.
- Base64 without headers: useful when the surrounding format does not allow PEM wrappers and you want a compact text payload.
- PKCS#12: best when you need to transport a certificate and private key together with password protection.