Text Encrypt & Decrypt

Encrypt text, API keys, and secrets with a passphrase. Share ciphertext safely with AI coding agents — they decrypt and wire the secret in without ever printing it in plaintext.

🔒 AES-256-GCM · PBKDF2-SHA-256 · 210 000 iterations · everything runs in your browser — nothing is sent anywhere.

Share secrets with AI agents — without exposing them

Here is the workflow: encrypt your API key or secret with a passphrase, paste the ciphertext into chat, and tell the agent the passphrase separately (or set it as an environment variable). The agent decrypts the ciphertext, stores it as a secret, wires it into the project, and validates it — never echoing the raw key in plain text. Even if your chat history is leaked, the ciphertext is useless without the passphrase.

Encryption details

The tool uses AES-256-GCM with a key derived from your passphrase via PBKDF2-SHA-256 at 210 000 iterations (OWASP 2023 recommendation). A fresh 16-byte random salt and 12-byte IV are generated for every encryption, so encrypting the same text twice produces a different ciphertext — preventing pattern analysis.

Self-describing ciphertext format

Output is a compact base64url string (URL-safe, no padding) with a 36-byte header that carries everything a decryptor needs, including the salt and iteration count, so the cost can be tuned over time without breaking old blobs:

base64url( magic[3] || version[1] || iterations[4] || salt[16] || iv[12] || ciphertext+tag[N+16] )

Decrypt it with any implementation of PBKDF2-SHA-256 and AES-256-GCM, given the passphrase.
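
A decoder for this layout, as an added example that is not PayloadIQ's own code. It uses the field details from the FAQ ("PIQ" magic, big-endian iteration count) and validates the header before deriving a key. Assumptions: UTF-8 passphrase and plaintext, no AES-GCM additional authenticated data, a hypothetical MAX_ITERATIONS ceiling, and a version byte of 1 in the constructed sample.

```javascript
// Added example (not PayloadIQ's own code): parse and decrypt a "PIQ" blob.
// Assumptions: UTF-8 passphrase and plaintext, no AES-GCM additional data,
// and MAX_ITERATIONS as a local ceiling chosen for this sketch.
const HEADER_LEN = 36, TAG_LEN = 16, MAX_ITERATIONS = 5000000;

function b64urlToBytes(s) {
  if (!/^[A-Za-z0-9_-]+$/.test(s)) throw new Error("not unpadded base64url");
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Validate the header before any key derivation: the iteration count is
// read from the blob itself, so an unchecked value lets whoever supplied
// the blob make the decryptor burn up to 2^32 - 1 PBKDF2 rounds.
function parsePiqBlob(blob) {
  const raw = b64urlToBytes(blob.trim());
  if (raw.length < HEADER_LEN + TAG_LEN) throw new Error("blob too short");
  if (String.fromCharCode(raw[0], raw[1], raw[2]) !== "PIQ") throw new Error("bad magic");
  const iterations = new DataView(raw.buffer).getUint32(4, false); // big-endian
  if (iterations < 1 || iterations > MAX_ITERATIONS) throw new Error("iteration count out of range");
  return {
    version: raw[3], // caller should reject versions it does not know
    iterations,
    salt: raw.subarray(8, 24),
    iv: raw.subarray(24, 36),
    body: raw.subarray(36), // ciphertext followed by the 16-byte GCM tag
  };
}

async function decryptPiq(blob, passphrase) {
  const { iterations, salt, iv, body } = parsePiqBlob(blob);
  const subtle = globalThis.crypto.subtle;
  const material = await subtle.importKey(
    "raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  const key = await subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations },
    material, { name: "AES-GCM", length: 256 }, false, ["decrypt"]);
  // Rejects (OperationError) on a wrong passphrase or tampered ciphertext.
  const plain = await subtle.decrypt({ name: "AES-GCM", iv }, key, body);
  return new TextDecoder("utf-8", { fatal: true }).decode(plain);
}

// Constructed sample: assumed version 1, 210000 iterations, all-zero salt,
// IV and body. It exercises the header parser only; it is not a real ciphertext.
const SAMPLE = "UElRAQADNFAA" + "A".repeat(58);
```

The function returns the plaintext to its caller, so in the agent workflow above the result should go straight into a secret store or environment variable rather than a log or chat message.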

Zero uploads

All cryptographic operations run through the browser's built-in Web Crypto API. Nothing is sent to any server — no text, no key material, no metadata. Inspect the network tab to verify.

FAQ

Which encryption algorithm is used?
AES-256-GCM — the 256-bit variant of AES in Galois/Counter Mode. GCM provides both confidentiality and authenticated integrity: if anything is tampered with, decryption fails. The key is derived from your passphrase with PBKDF2-SHA-256 at 210 000 iterations (OWASP 2023 recommendation), salted with 16 random bytes.
Can an AI coding agent decrypt this without human help?
Yes — if you share the ciphertext in chat and tell the agent the passphrase (ideally in a separate message or environment variable). The agent calls the same AES-256-GCM / PBKDF2 algorithm, recovers the plaintext, stores it as a secret, and never needs to echo it back. The ciphertext itself reveals nothing without the passphrase.
What is the wire format of the ciphertext?
A 36-byte header followed by the ciphertext: a 3-byte magic ("PIQ"), a 1-byte version, a 4-byte big-endian PBKDF2 iteration count, a 16-byte salt, a 12-byte AES-GCM IV/nonce, then the ciphertext (which includes a 16-byte authentication tag appended by the Web Crypto API). The whole thing is base64url-encoded (URL-safe, no padding). Because the salt and iteration count travel inside the blob, it is self-describing: any library that provides PBKDF2-SHA-256 and AES-GCM can decrypt it given the passphrase.
Is anything sent to a server?
No. The Web Crypto API runs entirely inside your browser — no data leaves your machine. There is no server, no analytics on the encrypted content, and no account required.
How strong does my passphrase need to be?
210 000 PBKDF2 iterations slow down brute-force attacks significantly, but a short or common passphrase can still be guessed. Use at least 16 characters of mixed case, digits, and symbols, or a random passphrase of 5+ uncommon words (diceware style).
