Real encryption, not just obfuscation
ROT13 scrambles text. This tool actually encrypts it. There’s a massive difference. Under the hood, it uses AES-256-GCM: the same encryption standard governments and banks rely on. Your password gets run through PBKDF2 with 100,000 iterations to derive a proper encryption key. The output comes out as a Base64 string you can copy and share.
To decrypt? The recipient pastes the Base64 string back in, enters the same password, and clicks Decrypt. All of this runs in your browser via the Web Crypto API. Your text and your password never touch a server.
How it works
- AES-256-GCM for encryption, which provides both confidentiality and authentication
- PBKDF2 key derivation with 100,000 iterations, which turns your password into a 256-bit AES key
- Base64-encoded output for easy copying and sharing
- Random salt and IV each time, so encrypting the same text twice produces completely different output
- All crypto operations run client-side via the Web Crypto API
- Encrypt and decrypt in the same tool
Step by step
Pick Encrypt or Decrypt mode. Enter your password (don’t forget it: there’s no recovery). Type or paste your text. Click the button. Copy the result.
Concrete example: you need to send “API key: sk-abc123xyz” to a colleague over Slack. Encrypt it with a password, send the Base64 string over Slack, then share the password over a phone call. Two different channels. That’s the right way to do it.
When to use this
Sending sensitive info through insecure channels: email and chat aren’t encrypted end-to-end by default. Encrypt the message here, send the ciphertext, share the password separately. Even if someone intercepts the message, they can’t read it without the password.
Private notes in cloud storage: storing sensitive notes in Google Docs or Notion? Encrypt them first. Even if someone accesses your account, the notes are unreadable without the password.
Sharing credentials with teammates: API keys, passwords, access tokens. Encrypt them before dropping them in a shared channel. Send the decryption password through a different medium.
Encrypted blocks in shared documents: some sections of a doc might be for certain eyes only. Encrypt those blocks. Only team members with the password can read them.
One big difference from ROT13: this is actual cryptographic security. ROT13 is a party trick. AES-256-GCM is what protects classified information. But the strength depends entirely on your password. Use at least 16 characters with mixed case, numbers, and symbols. And never send the password through the same channel as the encrypted message.
FAQ
Is this actually secure?
Yes. AES-256-GCM is NIST-approved and used by government agencies worldwide. PBKDF2’s 100,000 iterations make every password guess expensive, and brute-forcing the derived 256-bit key directly is computationally infeasible. The weak link is always the password, so make it strong.
Can I decrypt on a different computer?
Yes. The encrypted output is self-contained: the salt and IV are embedded in the Base64 string. As long as you have the ciphertext and the correct password, any browser running this tool can decrypt it.
What if I forget the password?
It’s gone. Unrecoverable. No backdoor, no reset mechanism. That’s by design; it’s what makes the encryption trustworthy. Write the password down somewhere safe.
Why does the output change even with the same text and password?
Each encryption generates a random salt and a random initialization vector. This prevents pattern analysis: an attacker can’t tell that two ciphertexts contain the same message.
Does my data leave my device?
No. The Web Crypto API runs entirely in your browser. You can verify this by checking the network tab in your browser’s developer tools: zero requests during encryption or decryption.