How to AES-256-GCM encrypt files in your browser
- Step 1: Open the tool on the Pro plan and leave Mode on Encrypt — The AES-256 Encryptor requires the Pro plan; a Pro overlay blocks the tool otherwise. The Mode dropdown defaults to Encrypt — leave it there to protect a file. Switch to Decrypt only when you are reversing a previously encrypted .aes.
- Step 2: Drop a single file — Upload any one file; the accepted input is any type, so documents, images, archives, anything works. The tool processes one file at a time (no batch). On the Free-tier overlay it is locked; on Pro the file-size ceiling is 100 MB (Pro + Media 500 MB, Developer 2 GB).
- Step 3: Enter a passphrase of at least 8 characters — Type your passphrase into the password-masked field (placeholder reads "At least 8 characters"). Fewer than 8 characters is rejected before any work happens with "Passphrase must be at least 8 characters." This is the only secret — there is no separate key file.
- Step 4: Run the encryption — PBKDF2 derives the 256-bit AES-GCM key from your passphrase and a freshly generated 16-byte salt; AES-GCM then encrypts the bytes under a fresh 12-byte IV. All of this runs in your browser tab via Web Crypto — nothing is uploaded.
- Step 5: Download the .aes blob — The result is a Blob named <original-filename>.aes (MIME application/octet-stream). It contains the salt, IV, ciphertext, and GCM auth tag in one stream. Save it wherever you like — cloud storage, USB, email attachment.
- Step 6: Decrypt later by switching Mode to Decrypt — To reverse it, set Mode to Decrypt and drop the .aes file (the picker then also hints .aes). Enter the exact same passphrase. On success the tool strips the .aes extension and gives you back the original file; on a wrong passphrase or any tampering it throws "Decryption failed — wrong passphrase or corrupted file."
What the AES-256 Encryptor actually does
Every cryptographic parameter is fixed in the implementation (Web Crypto crypto.subtle). There is no UI to change key length, cipher, iteration count, salt size, or IV size — only Mode and passphrase are exposed.
| Parameter | Value (fixed in code) | Why it matters |
|---|---|---|
| Cipher | AES-GCM, 256-bit key | Authenticated encryption — detects tampering, no separate MAC needed |
| Key derivation | PBKDF2, 100,000 iterations, hash SHA-256 | Slows offline brute-force of a weak passphrase against a stolen .aes |
| Salt | 16 random bytes per encryption (crypto.getRandomValues) | Same passphrase yields a different key each time; defeats rainbow tables |
| IV / nonce | 12 random bytes per encryption | Standard GCM nonce length; randomised so identical files differ in ciphertext |
| Auth tag | GCM tag appended to ciphertext by Web Crypto | Wrong passphrase or a flipped byte makes decryption throw, not return garbage |
| Blob layout | salt (16 B) + iv (12 B) + ciphertext+tag (rest) | Self-contained — decrypt reads the first 28 bytes as salt+IV, the rest as ciphertext |
| Output name | Encrypt: <name>.aes · Decrypt: original name with .aes stripped | Round-trips a filename cleanly if you encrypted report.pdf then decrypt report.pdf.aes |
The two controls in the UI
These are the only inputs. No iteration slider, no cipher menu, no key-file upload, no batch list — anything not listed here does not exist in this tool.
| Control | Type | Default / rule | Notes |
|---|---|---|---|
| Mode | Dropdown: Encrypt / Decrypt | Defaults to Encrypt | Decrypt also makes the file picker hint .aes files |
| Passphrase | Masked password field | Minimum 8 characters, else rejected | Never transmitted; derived to a key locally via PBKDF2-SHA256 |
Plan limits for this tool
AES-256 Encryptor has a minimum tier of Pro and never accepts more than one file. Sizes are the security-family file limits per plan.
| Plan | Max file size | Files per run | Access to this tool |
|---|---|---|---|
| Free | 10 MB (family limit) | 1 | Locked — a Pro overlay blocks it (minTier = Pro) |
| Pro | 100 MB | 1 (no batch for this tool) | Unlocked |
| Pro + Media | 500 MB | 1 (no batch for this tool) | Unlocked |
| Developer | 2 GB | 1 (no batch for this tool) | Unlocked |
Cookbook
Concrete encrypt/decrypt workflows with the exact filenames, byte layout, and error strings the tool produces. Everything below runs in your browser tab — no upload, no server round-trip, no API.
Encrypt a single document before cloud upload
The everyday case: you want a sensitive PDF in your cloud drive but you do not trust the provider with the plaintext. Encrypt locally, then upload the .aes blob. The provider stores ciphertext it cannot read.
```text
Mode:        Encrypt
Input file:  tax-return-2025.pdf (1.4 MB)
Passphrase:  correct-horse-battery-staple

What happens locally:
  salt = 16 random bytes
  iv   = 12 random bytes
  key  = PBKDF2(passphrase, salt, 100000, SHA-256) -> 256-bit AES-GCM key
  ct   = AES-GCM(key, iv, file bytes)              (auth tag appended)

Output downloaded:
  tax-return-2025.pdf.aes (application/octet-stream)
  bytes = salt(16) + iv(12) + ciphertext+tag

Now upload tax-return-2025.pdf.aes to the cloud.
```
Decrypt it back on another machine
On any browser, with the same tool and the same passphrase, reverse the process. The decrypt path reads the first 16 bytes as salt, the next 12 as IV, the rest as ciphertext, re-derives the key, and strips the .aes suffix from the filename.
```text
Mode:        Decrypt
Input file:  tax-return-2025.pdf.aes
Passphrase:  correct-horse-battery-staple

Output downloaded:
  tax-return-2025.pdf (original bytes, byte-for-byte identical)

If you typed a different passphrase, or the .aes was altered:
  Error: "Decryption failed — wrong passphrase or corrupted file."
```
Share a file and its passphrase over separate channels
Send the ciphertext and the secret through different paths so a single intercepted channel reveals nothing. The .aes blob is safe to email; the passphrase should travel another way.
```text
Step 1  Encrypt design-mockups.zip -> design-mockups.zip.aes
Step 2  Email design-mockups.zip.aes to the recipient
Step 3  Send the passphrase over Signal / a phone call (NOT the same email)
Step 4  Recipient: Mode = Decrypt, drops design-mockups.zip.aes,
        enters the passphrase -> gets design-mockups.zip back

Why: even if the email is intercepted, the ciphertext is useless
     without the separately delivered passphrase.
```
Verify a decrypted file is intact with a hash
AES-GCM already authenticates the ciphertext, but if you want an independent integrity check across the encrypt/decrypt round-trip, fingerprint the original and the decrypted output and compare. Use the sibling hash tool — see the FAQ for which one.
```text
Before encrypt:  run report.csv through Multi-Hash Fingerprinter
                 sha-256 = 9f86d0818884...   (record it)
After decrypt:   run the decrypted report.csv through the same tool
                 sha-256 = 9f86d0818884...   <- matches -> round-trip is lossless

A mismatch would mean a wrong file, not a crypto fault: GCM would have
refused to decrypt a tampered blob in the first place.
```
Choose a passphrase strong enough to resist offline guessing
PBKDF2 at 100,000 iterations slows brute-force, but a weak passphrase still falls. The minimum the tool enforces is 8 characters — that is a floor, not a recommendation. Audit your passphrase first.
```text
Rejected outright by the tool:
  "hunter7"  -> 7 chars -> "Passphrase must be at least 8 characters."

Weak but accepted (audit it, then improve):
  "password" -> 8 chars, top of every cracking list

Strong, accepted:
  "correct-horse-battery-staple-2031"  (long passphrase, high entropy)

Tip: paste a candidate into Password Entropy Auditor first to see its
     bits-of-entropy score before you commit a file to it.
```
Edge cases and what actually happens
Forgotten passphrase
Unrecoverable by design. There is no recovery, no backdoor, and no reset. The passphrase is derived to a key in your browser and never transmitted, so JAD never holds anything that could decrypt your file. If you lose the passphrase, the .aes blob is permanently unreadable. Store the passphrase in a password manager before you rely on this tool.
Passphrase shorter than 8 characters
Rejected. The tool checks length before doing any cryptographic work. A passphrase under 8 characters throws "Passphrase must be at least 8 characters." and nothing is encrypted. This is a hard minimum enforced in code, not a UI suggestion you can override.
Wrong passphrase on decrypt
Decryption failed. GCM verifies the authentication tag during decryption. A passphrase that does not match the one used to encrypt produces an invalid tag, so Web Crypto's decrypt rejects and the tool throws "Decryption failed — wrong passphrase or corrupted file." You get a clear error, never silently corrupted output.
Tampered or truncated .aes file
Decryption failed. Because AES-GCM is authenticated, flipping a single byte of the ciphertext, salt, IV, or tag invalidates the auth tag and decryption fails with the same "Decryption failed — wrong passphrase or corrupted file." message. The tool cannot return partial or 'best effort' plaintext from a damaged blob — integrity is all-or-nothing.
Encrypting a file that is already encrypted
Supported. Nothing stops you from encrypting a .aes again — you simply get <name>.aes.aes wrapped in a second AES-GCM layer. To recover the original you must decrypt twice, in reverse order, with each passphrase. This is rarely useful; usually it means you forgot the file was already encrypted.
Decrypting a file that was not produced by this tool
Decryption failed. Decrypt assumes the strict layout salt(16) + iv(12) + ciphertext+tag. A .aes from a different program (OpenSSL, 7-Zip, GPG, etc.) uses a different header and key-derivation scheme, so the first 28 bytes are not a valid salt+IV for this tool and the GCM tag will not verify — you get "Decryption failed". This tool only round-trips its own blobs.
File larger than your plan limit
Exceeds limit. Files are size-checked before encryption. On Pro the ceiling is 100 MB (Pro + Media 500 MB, Developer 2 GB). Over the limit you get File "<name>" is <size> — exceeds the <limit> limit for your plan. Split or compress the file, or upgrade the plan.
Trying to use the tool on the Free plan
Pro required. The AES-256 Encryptor has a minimum tier of Pro. On Free a Pro overlay covers the tool reading "AES-256 Offline Encryptor requires the Pro plan." and the encrypt/decrypt controls are not usable until you upgrade.
Wanting to encrypt several files at once
Single file only. This tool does not batch — it accepts one file per run. Encrypt each file individually (each gets its own random salt and IV), or bundle them into a single archive first and encrypt that one archive. There is no multi-file queue in the UI.
Expecting the original extension to come back after decrypt
Expected. Decrypt only strips a trailing .aes. If you encrypted report.pdf you get report.pdf.aes, and decrypting that returns report.pdf correctly. But if you renamed the blob to, say, secret.bin, decrypt cannot know the original name — it just removes a .aes suffix if present, otherwise hands back the same base name. Keep the .aes suffix to preserve the round-trip.
Frequently asked questions
Can JAD or anyone else decrypt my file without the passphrase?
No. The passphrase is turned into a key in your browser via PBKDF2 and is never transmitted. JAD has no copy of your passphrase, your derived key, or your file — encryption happens entirely in your browser tab. Lose the passphrase and the file is unrecoverable; this is a deliberate property, not a limitation we can work around.
What encryption does this actually use?
AES-256 in GCM mode (authenticated encryption) via the Web Crypto API. The key is derived from your passphrase with PBKDF2 using 100,000 iterations of SHA-256 and a fresh 16-byte random salt, and each encryption uses a fresh 12-byte random IV. These parameters are fixed in code — there is no setting to change the cipher, key length, or iteration count.
Why does encrypting the same file twice give different output?
Each run generates a new random 16-byte salt and 12-byte IV. Different salt means a different derived key even with the same passphrase, and different IV means different ciphertext. This is intentional: it prevents anyone from telling that two .aes blobs hold the same plaintext, and it defeats precomputed rainbow-table attacks.
What is inside the .aes file?
One self-contained stream laid out as salt (16 bytes) + IV (12 bytes) + ciphertext with the GCM authentication tag appended. The MIME type is application/octet-stream. To decrypt, the tool reads the first 16 bytes as salt, the next 12 as IV, and the remainder as authenticated ciphertext — nothing external is required except the same passphrase.
What happens if I enter the wrong passphrase when decrypting?
Decryption fails cleanly with "Decryption failed — wrong passphrase or corrupted file." AES-GCM verifies an authentication tag, so a wrong key produces an invalid tag and Web Crypto refuses to decrypt. You never get silently corrupted or partial output — it either returns the exact original bytes or it errors.
Will it detect if my encrypted file was tampered with?
Yes. GCM is authenticated encryption, so any change to the salt, IV, ciphertext, or tag invalidates the auth tag and decryption fails with the same Decryption failed error. You cannot get altered plaintext out of a modified .aes blob — integrity verification is built into the decrypt step.
Is AES-256 safe against quantum computers?
Symmetric AES-256 retains roughly 128-bit effective security against Grover's algorithm, which is still considered safe well beyond 2030. The bigger practical risk is a weak passphrase, since PBKDF2 only slows guessing — it cannot rescue a passphrase that is short or common. Pick a long, high-entropy passphrase.
How strong does my passphrase need to be?
The tool enforces a minimum of 8 characters and rejects anything shorter. That is a floor, not a recommendation — a long passphrase or passphrase of several random words is far stronger. PBKDF2 at 100,000 iterations slows brute-force, but a stolen .aes plus a weak passphrase can still be cracked offline. Audit candidates with Password Entropy Auditor before committing a file.
Can I encrypt several files at once?
No — this tool processes one file per run and there is no batch queue. Encrypt files individually (each gets its own random salt and IV), or zip them into one archive and encrypt the single archive. To encrypt many files as part of a pipeline, note that this tool is browser-only and has no server API.
How big a file can I encrypt?
The AES-256 Encryptor requires the Pro plan, where the security-family limit is 100 MB per file. Pro + Media raises it to 500 MB and Developer to 2 GB. Over the limit you get File "<name>" is <size> — exceeds the <limit> limit for your plan. Everything runs in the browser, so very large files are also bounded by your device's available memory.
Can I verify the file survived the round-trip unchanged?
Yes — fingerprint the original before encrypting and the output after decrypting, then compare. Use Multi-Hash Fingerprinter to get matching SHA-256 (and other) digests. For longer-term tamper monitoring of a stored file, see File Integrity Monitor. For confirming a file's true type before you encrypt it, Entropy Analyzer can show whether bytes already look encrypted/compressed.
Is this the right tool for sending an encrypted message to someone with a public key?
No — this is passphrase-based symmetric encryption, so both sides share the same secret. For public-key workflows (sign a message, verify a signature, or encrypt to someone's key without a shared passphrase), use PGP Message Signer instead. Use the AES-256 Encryptor when you control both ends or can deliver the passphrase over a separate secure channel.
Privacy first
Every JAD Security operation runs entirely in your browser. Files, passwords, and PGP private keys never leave your device — verified by zero outbound network requests during processing.