# Encrypt and Decrypt Files Securely

> AES-256 file encryption that runs entirely in the browser tab. Drag a file in, type a passphrase, get an encrypted bundle that the same tool decrypts back with the same passphrase. The Web Crypto API does the work — no key escrow, no server, no plaintext anywhere except your device's RAM. Fits the workflow for sharing a recovery code over Signal, archiving credentials, or sending a contract draft over a network you don't trust.


Live tool: https://lofttools.com/tools/security-tools/file-encryption

Category: Security & Privacy


## What it does

- AES-256-GCM authenticated encryption (Web Crypto API)
- PBKDF2 key derivation with 600,000 iterations and a per-file random salt
- Symmetric encrypt and decrypt in the same tool — no separate decrypter site needed
- Encrypted bundle includes salt + IV + ciphertext + auth tag — single file output
- Works on any file type up to browser memory limits
- Drag-and-drop or file-picker input
- Passphrase strength meter (zxcvbn)
- Wrong-passphrase decryption fails clean (auth-tag mismatch — no garbage output)
- No key escrow, no server, no logging

## How it works

1. **Select file** — Select the file you want to encrypt or decrypt
2. **Enter password** — Set a strong password for encryption or enter it for decryption
3. **Pick output format** — Choose a single .zip bundle (default) or a self-contained .encrypted file
4. **Download** — Download the encrypted bundle or decrypted file

## FAQ

### What encryption algorithm is used?

AES-256-GCM with PBKDF2 key derivation, which is military-grade encryption.

### Can I decrypt on another device?

Yes. Anyone with the encrypted file and the correct password can decrypt it using this tool.

### Is this cryptographically secure?

Yes. The tool uses the Web Crypto API for cryptographic operations, providing the same security level as native applications.

### What's inside the .encrypted-bundle.zip?

Two files — a `.enc` containing the raw AES-256-GCM ciphertext and a `.key.json` sidecar holding the PBKDF2 salt, AES-GCM IV, original filename, and algorithm metadata. The recipient unzips the bundle and feeds both files plus the password into the decrypt tool. Switch the Output format toggle to ".encrypted file" if you prefer one self-contained file instead.


## Privacy

This tool runs entirely in the browser. Files are not uploaded to a server. They never leave the user's device.

## More

- All tools: https://lofttools.com/tools
- Category: https://lofttools.com/tools/security-tools
- LLM index: https://lofttools.com/llms.txt