Encryption Tool
By Alex • Published: 6 November 2025 • Updated: 6 November 2025
Client-Side File Encryption and Decryption Tool – A browser-based utility that applies modern AES-GCM encryption to your files using a password-derived key, with all cryptographic operations performed locally for maximum privacy.
In the Encrypt tab above, choose a file, set a password, and click
Encrypt file. The browser derives a key from your password, encrypts the file, and
downloads a new file with the .caenc extension. Keep both the encrypted file and
the password somewhere safe.
In the Decrypt tab, select a previously encrypted .caenc file and
enter the same password. If everything matches, the browser will download a decrypted copy.
If the password is wrong or the file has been modified, decryption will fail.
All of this happens locally in your browser. The file data and password are never sent to this site, a server, or any external service. Closing the page clears everything from memory apart from any copies you have saved to disk.
At a Glance
- Encrypts and decrypts files locally in your browser using a password-derived key.
- Uses AES-GCM with a random salt and IV for every encryption.
- The password never leaves your device; there is no server-side component.
- Designed as a simple, transparent helper for personal use and demonstrations.
- If you forget the password, there is no recovery path – the data is effectively lost.
You are responsible for how you use this tool and for any data encrypted with it. This tool cannot recover lost credentials.
Client-Side File Encryption
Encrypt and decrypt files locally in your browser using a password-derived key. Files and passwords never leave this device. If you forget the password, the data cannot be recovered.
Cryptography details: AES-256-GCM with a key derived from your password using PBKDF2 (SHA-256)
and a high iteration count. A random salt and IV are generated for every encryption. The encrypted
file format is: [salt (16 bytes)][iv (12 bytes)][ciphertext].
Context, threat model and limitations
This tool sits in the “practical crypto” space: it shows how password-based encryption can be implemented with modern browser APIs, and it is suitable for small personal files or demonstrations where you want to keep data off a server. It is not a replacement for a full enterprise key management system, an audited product, or a structured backup process.
The threat model assumed here is that your main risk is someone gaining access to a copy of the encrypted file – for example, through a lost USB stick or cloud account – and trying to decrypt it offline. Using a strong, unique passphrase makes that offline attack impractical. What this tool does not protect you from is a compromised device, malware with keylogging capabilities, or someone looking over your shoulder while you type the password.
In short: if your device is already compromised, browser-based encryption cannot save you. Equally, if you choose a weak or reused password, you are giving an attacker a much easier job. Treat the password as seriously as you would for your primary email or password manager account.
When this tool is a good fit
- Encrypting a small number of personal files before storing them somewhere you don’t fully control.
- Demonstrating password-based encryption and decryption in teaching, workshops or talks.
- Testing how AES-GCM and password-derived keys behave in a zero-knowledge, browser-only setup.
When you should look for something else
- You need centralised key management, access control, or audit trails.
- You are handling highly regulated data with formal compliance requirements.
- You need multi-user sharing, automatic backups, or integration with other systems.
Cryptographic design choices
Under the hood, this page uses the window.crypto.subtle API provided by your
browser. A random salt and initialisation vector (IV) are
generated for every encryption. The password is turned into a key using PBKDF2 with SHA-256
and a high iteration count, and that key is then used with AES-256-GCM to encrypt the file.
The encrypted file format is deliberately simple:
[salt (16 bytes)][iv (12 bytes)][ciphertext].
This makes it easier to explain, inspect, or port to another environment if you want to
write a compatible decryptor in a different language.
As with any small browser tool, this implementation relies on the security of your browser, operating system and hardware. Subtle cryptographic flaws or implementation bugs are beyond the scope of what a single static page can hope to detect, but the approach here follows well-understood patterns from modern cryptography rather than inventing anything new.
My background and why I built this
I built this tool as part of a broader set of CyberAlex projects to make security concepts concrete and transparent. My background is in Computer Security and Cyber Security, Risk & Resilience, with formal study covering cryptography, secure software design, and how real attacks play out in practice rather than just in theory.
The goal here is not to claim this page is a silver bullet, but to give you a clear, inspectable example of client-side file encryption done in a way that lines up with modern guidance. If you have ideas for improvements, want to sanity-check the approach, or would like to see other tools in this space, feel free to reach out via the contact link below.
Questions, change log and sharing
Questions
If you have feedback, spot an issue, or want to suggest improvements to this page or tool, you’re welcome to get in touch.
Contact AlexChanges
A record of changes to this page.
- 06-12-2025 – Publication
Dates are in UK format (day–month–year).