Tool inputs are processed in your browser. We don't log or transmit what you paste.
privategram

AES Text Encryption

Encrypt and decrypt text with AES-GCM 256-bit. Password-derived key via PBKDF2 (default) or Argon2id. All client-side, Web Crypto-based.

Cipher: AES-GCM 256-bit via Web Crypto SubtleCrypto (built into your browser by the engine vendor). KDF: PBKDF2-SHA256 (Web Crypto) or Argon2id (via hash-wasm, lazy-loaded).

About this tool

AES-GCM 256-bit is the symmetric cipher that protects most of the modern internet — TLS uses it for record encryption, Signal uses it for message confidentiality, and the Web Crypto API ships it as a first-class primitive. This tool exposes it directly: type some text, type a password, get back a self-contained ciphertext string that only the same password can decrypt.

The password isn't used as the AES key directly — passwords are too short and too low-entropy. Instead, a key derivation function stretches the password into a fixed-size cryptographic key. Two are offered:

  • PBKDF2-SHA256 (default, no extra download) — applies SHA-256 thousands of times to the password+salt. The default 310,000 iterations matches OWASP's current 2023 recommendation for web-based derivation. The ciphertext records the iteration count, so future ciphertexts can use higher counts without breaking older ones.
  • Argon2id (advanced, ~50 KB WASM lazy-loaded) — the modern best-practice KDF, designed to be memory-hard. PBKDF2 can be cracked efficiently on GPUs and dedicated ASIC hardware because it's CPU-bound; Argon2id forces the attacker to allocate gigabytes of RAM per guess, drastically reducing parallelism. Default parameters: t=3 (time cost), m=64 MiB (memory), p=1 (parallelism). Adjustable.

Output format. The ciphertext is a single colon-separated string starting with the version prefix pgv1:. After the prefix come the KDF identifier (pbkdf2 or argon2id), the KDF parameters (iteration count for PBKDF2; t/m/p for Argon2id), the random salt, the random IV, and the ciphertext — all base64-encoded, all self-contained. The full string is everything you need to decrypt; no separate "key file" or external metadata. Documented format means anyone with a Web Crypto implementation can decrypt it.

Critical correctness invariant. AES-GCM requires a unique IV per (key, message) pair. Reusing an IV with the same key catastrophically leaks the plaintext of both messages — this is AES-GCM's single sharpest footgun. This tool generates a fresh random 12-byte IV for every encryption call. There is no caching of IVs, no session-level reuse, no batching. Any future change to this tool that adds IV reuse would be a critical bug.

Privacy. Plaintext, password, and ciphertext live in component state for the lifetime of the tab. Nothing is written to URL hash, localStorage, or cookies. Open DevTools → Network and confirm no requests fire when you encrypt or decrypt — the only requests on this page are the initial load (HTML, JS, fonts, ads) and the lazy WASM blob if you choose Argon2id.

Frequently asked questions

Where does the encryption happen?

In your browser, using the Web Crypto API (SubtleCrypto) — the same cryptographic primitives implemented and audited by the Chrome, Firefox, and Safari engineering teams. Your plaintext and password do not leave the page. You can verify this in DevTools → Network: typing in the fields and clicking Encrypt makes zero network requests.

What if I lose the password?

The ciphertext is unrecoverable. AES-GCM with a password-derived key has no backdoor and no reset link. That is the entire point — it is also the entire risk. Treat passwords for valuable encrypted data the same way you treat seed phrases for a crypto wallet: write them down, store them safely, never trust your memory alone.

PBKDF2 vs Argon2id — which should I use?

PBKDF2 is the default. It is built into the Web Crypto API, runs without any extra download, and at 310,000 iterations is OWASP-blessed for current attack budgets. Argon2id is the modern recommendation against well-funded attackers with GPU/ASIC hardware — it requires memory, not just CPU, which dramatically increases the cost of large-scale cracking. Argon2id requires a ~50 KB WASM blob to load. Use PBKDF2 for general use, Argon2id when the data is high-value and you don't mind the slightly slower derivation.

Can I decrypt this somewhere else?

The output format is documented and self-contained — the salt, IV, KDF parameters, and ciphertext are all included. Anyone who knows the format and has a Web Crypto / Argon2id implementation can decrypt it. The format starts with "pgv1:" and uses base64 + colons. We treat this as a tool for your own data, but the format is intentionally open: privategram is the convenience interface, not the gatekeeper.

Why does the ciphertext look different every time?

Each encryption uses a fresh random 12-byte initialization vector (IV) and a fresh random 16-byte salt. This is the correct AES-GCM behavior and a critical security property — reusing an IV with the same key would catastrophically leak both messages. The same plaintext encrypted twice produces two different ciphertexts, which is what you want.

Is there an upload limit?

Practical limit is your browser's memory and the page's ability to display the output. Tens of MB of plaintext should encrypt in a second or two. The output ciphertext is roughly 1.4× the size of the plaintext (base64 overhead) plus a few hundred bytes of header.

Related tools