AES Encryption Tool

Encrypt and decrypt text using AES-GCM, AES-CBC, and AES-CTR modes with 256-bit keys. Compare encryption modes and understand their security tradeoffs.

AES Modes of Operation: Choosing the Right One

GCM: The Modern Default

AES-GCM (Galois/Counter Mode) is CTR-mode encryption combined with a 128-bit authentication tag computed over the ciphertext (and any additional authenticated data). If any bit of the nonce, ciphertext or tag is modified, the tag check fails and no plaintext is released, which rules out the padding oracle and bit-flipping attacks that plagued CBC mode for years. With AES-NI and carry-less multiply (PCLMULQDQ) hardware, GCM runs at several gigabytes per second per core on modern CPUs. AES-128-GCM is the mandatory-to-implement cipher suite in TLS 1.3 (RFC 8446), and GCM is the recommended mode for new applications. Its one hard rule: the 96-bit nonce must never repeat under the same key. A repeated nonce leaks the XOR of the two plaintexts and lets an attacker recover the authentication subkey and forge tags.

CBC: The Classic Block Mode

AES-CBC (Cipher Block Chaining) XORs each plaintext block with the previous ciphertext block before encrypting it, so encryption is inherently sequential (decryption can run in parallel). It requires PKCS#7 padding and a random, unpredictable 16-byte IV. CBC was the standard for decades but has known vulnerabilities: the BEAST attack (2011) exploited predictable, chained IVs in TLS 1.0, and padding oracle attacks (Vaudenay 2002) decrypt ciphertext by observing how the receiver reacts to invalid padding. CBC is not authenticated: an attacker can flip bits in the IV or ciphertext and produce a controlled change in the decrypted plaintext without detection unless you add a separate HMAC.

CTR: Turning a Block Cipher into a Stream

AES-CTR (Counter Mode) encrypts a nonce-plus-counter block and XORs the result with the plaintext, effectively turning the block cipher into a stream cipher. No padding is needed, and encryption and decryption are the same operation. Because each counter block is independent, CTR encrypts and decrypts in parallel and is faster than CBC on multi-core systems. However, like CBC, it provides no authentication: flipping a ciphertext bit flips the same plaintext bit. Reusing a nonce/counter value with the same key is catastrophic, because the two keystreams cancel and reveal the XOR of the two plaintexts.

Mode Comparison

Mode   Authenticated   Padding   Parallelizable
GCM    Yes             No        Yes
CBC    No              PKCS#7    No (encryption is sequential; decryption can be parallelized)
CTR    No              No        Yes

Use GCM for everything unless you have a specific reason not to. If you must use CBC or CTR, add HMAC-SHA256 under a separate MAC key over the IV and the ciphertext (the Encrypt-then-MAC pattern), verify the tag with a constant-time comparison, and only decrypt if it matches. A MAC over the ciphertext alone leaves the IV unprotected, and reusing the encryption key as the MAC key is a design error.

Frequently Asked Questions

Why does the same text produce different ciphertext each time?

Each encryption uses a fresh random IV (Initialization Vector) and a fresh random salt for key derivation. This is essential for semantic security: without it, an attacker could tell when the same message is encrypted twice, and in CTR or GCM a repeated IV under the same key would leak the XOR of the plaintexts. The IV and salt are prepended to the ciphertext and are needed for decryption, but they do not need to be secret.

What happens if I decrypt with the wrong mode?

This tool embeds the mode in the ciphertext header, so decryption auto-detects the correct mode. Outside this tool, decrypting CBC ciphertext with CTR or vice versa simply produces garbage without any error, since neither mode can tell. With GCM, the authentication tag check fails and decryption is rejected outright; that explicit failure is one of GCM's safety advantages.

Is AES-128 sufficient or should I always use AES-256?

AES-128 provides 128 bits of classical security, which is out of reach for current and foreseeable technology. AES-256 adds margin against potential quantum attacks: Grover's algorithm roughly halves the effective key length, leaving AES-128 with about 64 bits of quantum security and AES-256 with about 128. For most applications AES-128 is sufficient; choose AES-256 for government, financial, or long-term archival encryption where data must stay confidential for decades. This tool uses AES-256 by default. Note that the key length does not change which mode is safe to use: an unauthenticated AES-256-CBC message is just as malleable as an AES-128-CBC one.