Text Encrypter

The Text Encrypter encrypts your message with AES-256-GCM (the same algorithm used by Signal, WhatsApp and TLS), protected by a passphrase you choose. The passphrase is run through PBKDF2 with 250,000 iterations and a 16-byte random salt to derive the actual encryption key, which makes brute-force attacks against the passphrase impractical. The output is a self-describing Base64 blob containing the salt, IV and ciphertext.

Built by Bob | Article by Lace | QA by Ben | Shipped

How to Use

  1. Type the message you want to encrypt.

  2. Choose a passphrase. Long beats complex: 'four random words' beats '!P@s$w0rd!'.

  3. Click Encrypt. A Base64 blob appears containing the encrypted message.

  4. Send the encrypted text and the passphrase to the recipient, but separately.

  5. The recipient pastes both into the Online Decrypter to read the message.


What Passphrase Encryption Does

You have a message you want only one specific person to read. You don't want it sitting in plaintext in their email or your sent folder. Passphrase encryption converts the message into a meaningless-looking blob that can only be turned back into the original by someone who knows the passphrase. The Text Encrypter does this with AES-256-GCM — the same algorithm that protects HTTPS, Signal, WhatsApp, and FileVault.

The flow is: you encrypt with a passphrase you both already know (or share separately), the recipient decrypts with the same passphrase. The encrypted output can travel through any insecure channel — email, Slack, a public Pastebin — because without the passphrase it's gibberish.

How the Microapp Text Encrypter Works

Type the message you want to encrypt. Pick a passphrase (the recipient must also know it). Click Encrypt. A base64 blob appears containing the encrypted message plus everything the decrypter needs to read it back: the salt, the IV, and the ciphertext, all packed into one string with a magic header so the paired Online Decrypter recognizes the format.

Encryption uses the Web Crypto API, which is built into every modern browser. PBKDF2 with 250,000 iterations stretches your passphrase into a 256-bit AES key. AES-256-GCM encrypts and authenticates the message. The whole flow runs locally in your browser — there is no server, no network call, no logging.

Worked example. Encrypt "The package is at 4 PM" with the passphrase "ravenwolf-37-blue". The output starts with TUFQUDEAAA... (the magic header in base64), followed by ~120 random-looking characters of salt + IV + ciphertext. Re-encrypt the same message with the same passphrase and the output looks completely different, because the IV and salt are fresh every time. Both outputs decrypt back to the same plaintext with the same passphrase.
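The flow described above, sketched with the Web Crypto API as an added example (not the tool's own code). The "DEMO" magic bytes, the 12-byte IV and the magic|salt|IV|ciphertext field order are assumptions made for this sketch; the page does not document the tool's actual envelope layout.

```javascript
// Added example: passphrase -> PBKDF2 -> AES-256-GCM -> base64 envelope.
// ASSUMPTION: the "DEMO" magic, 12-byte IV and field order are made up here;
// only the 16-byte salt, 250,000 iterations and AES-256-GCM come from the page.
const MAGIC = new TextEncoder().encode("DEMO");
const SALT_LEN = 16, IV_LEN = 12, ITERATIONS = 250000;

// Works in browsers and in Node (falls back to node:crypto's webcrypto).
async function getCrypto() {
  return globalThis.crypto ?? (await import("node:crypto")).webcrypto;
}

async function deriveKey(c, passphrase, salt) {
  const material = await c.subtle.importKey(
    "raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return c.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

async function encryptText(plaintext, passphrase) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(SALT_LEN)); // fresh per message
  const iv = c.getRandomValues(new Uint8Array(IV_LEN));     // fresh per message
  const key = await deriveKey(c, passphrase, salt);
  const ct = new Uint8Array(await c.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(plaintext)));
  const blob = new Uint8Array([...MAGIC, ...salt, ...iv, ...ct]);
  return btoa(String.fromCharCode(...blob));
}

async function decryptText(b64, passphrase) {
  const c = await getCrypto();
  const blob = Uint8Array.from(atob(b64), ch => ch.charCodeAt(0));
  const head = MAGIC.length + SALT_LEN + IV_LEN;
  // Reject input too short for header + 16-byte GCM tag, or with wrong magic.
  if (blob.length < head + 16 || !MAGIC.every((b, i) => blob[i] === b))
    throw new Error("not a DEMO envelope");
  const salt = blob.slice(MAGIC.length, MAGIC.length + SALT_LEN);
  const iv = blob.slice(MAGIC.length + SALT_LEN, head);
  const key = await deriveKey(c, passphrase, salt);
  // A wrong passphrase or any modified byte fails the GCM tag check and rejects.
  const pt = await c.subtle.decrypt({ name: "AES-GCM", iv }, key, blob.slice(head));
  return new TextDecoder().decode(pt);
}
```

Because GCM authenticates the ciphertext, `decryptText` rejects on a wrong passphrase or a tampered blob instead of returning garbage; callers should treat that rejection as "cannot decrypt" without distinguishing the two causes.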

Why This Is Actually Secure

Three pieces have to be strong for the encryption to be strong: the algorithm, the key derivation, and the passphrase.

Algorithm: AES-256-GCM. NIST's recommended cipher for confidentiality plus authentication. No known practical attack against AES-256 exists. Even quantum computers (whenever they arrive) only halve the key strength via Grover's algorithm, leaving 128-bit security — still impractical to brute-force.

Key derivation: PBKDF2 with 250,000 iterations. Your passphrase isn't used directly as the AES key. It is first stretched through 250k rounds of HMAC-SHA256 with a random 16-byte salt. This makes brute-forcing the passphrase ~250,000x slower than guessing it directly: an attacker who could test a million passwords/second against a raw passphrase would manage only 4 passwords/second through PBKDF2.

Passphrase: depends entirely on you. A 4-character passphrase is brute-forceable in seconds even with PBKDF2. A 5-random-word passphrase ("correct-horse-battery-staple-pickle") survives all known attacks for centuries. The algorithm and the KDF protect strong passphrases; weak passphrases are weak regardless.

Choosing a Strong Passphrase

The XKCD math is real: long is better than complex. P@ssw0rd! has fewer effective combinations than correct horse battery staple because attackers know the substitution patterns ($ for s, @ for a, 0 for o) and try them first. Random words from a list of 7,776 (the EFF wordlist) give 13 bits of entropy per word; 5 words = 65 bits, which is unbreakable in any reasonable time.

Other strong patterns: a sentence you'll remember, with consistent randomization (capitals, numbers, punctuation): My-cat-Dexter-likes-tuna-fish-92!. The point is length plus unpredictability — not "complex-looking."

How to Share the Passphrase

Out of band. Through a different channel than the encrypted text. If you emailed the ciphertext, send the passphrase by SMS or in person. If both end up in the same place (same email thread, same chat, same screenshot), an interceptor of the channel has both — and the encryption is defeated.

Quick rule: if forwarding the conversation thread would also forward the passphrase, you've combined them. Move the passphrase to a different medium.

Common Pitfalls

Sending the passphrase in the same email. "Here's the encrypted message. The password is 'fluffy'." Now your encrypted message is just a slow plaintext message. Send the passphrase separately or pre-arrange it.

Reusing the same passphrase across messages. This is not catastrophic: each message has a fresh IV and salt, so reusing the passphrase doesn't enable known-plaintext attacks the way it would in worse algorithms. But it does mean that compromising one message reveals all of them. Use distinct passphrases for distinct sensitive conversations.

Trusting the encryption to compensate for an insecure browser. If your machine is compromised — keylogger, malicious extension, browser exploit — the attacker captures your plaintext before it reaches encryption. Encryption protects data in transit, not data on a compromised endpoint.

Saving the passphrase in plain text. Don't email it to yourself. Don't put it in a notes app unencrypted. Use a password manager (1Password, Bitwarden) or memorize it.

What This Is and Isn't For

Good for: ad-hoc encrypted messages over insecure channels, sending sensitive snippets to someone who won't install GPG, encrypting notes to your future self before pasting into a less-private place.

Not good for: systems where you need key management at scale (use proper PKI), file encryption (use age, gpg, or OS-level encryption like FileVault), encrypting things you can't afford to lose (web tools can be compromised; offline tools are safer for high-stakes encryption).

Related Tools

For decrypting (the other half of this pair), use the Online Decrypter. To hash passwords for storage (different problem from encryption), see the Bcrypt Generator. For random passphrases, the Password Generator is the right tool. For one-way hashes that prove file integrity, see the SHA-256 Generator.