Decrypt your encrypted messages with our free Online AES Decryption Tool. Paste the ciphertext, supply the secret key that was used to encrypt it, and recover the original plaintext. All processing happens in your browser — no data is sent to a server.
AES is a symmetric cipher, so the same key encrypts and decrypts. This tool is the reverse of the AES Encryption Tool: feed it the ciphertext and the matching key, and it reconstructs the original message. Without the correct key, AES cannot be reversed in any practical timeframe.
With the correct key and ciphertext, the original plaintext is restored exactly:
Key: my-secret-passphrase
Ciphertext: U2FsdGVkX1+3xY9pQr2...Plain text: Attack at dawnDecryption reverses encryption: it takes the ciphertext and the secret key and reconstructs the original plaintext. AES is symmetric, so the key you use here must be the exact same one used during encryption — including the same passphrase-based key derivation. The tool also needs the salt/IV that was generated at encryption time; when those are embedded in the ciphertext payload (as is standard), decryption reproduces the bytes faithfully.
If the key is wrong, you do not get a "close" plaintext — you get either an explicit error (a padding or authentication failure) or meaningless bytes. That is by design: AES has no notion of "almost right." This is what makes it secure, and also why losing the key means the data is gone for good. Authenticated modes like GCM add a verification tag so tampered ciphertext is rejected outright rather than decrypted to garbage.
Because decryption runs entirely in your browser, your key and ciphertext never leave your device — important when handling sensitive material. Always confirm the ciphertext came from a trusted source, and never paste a real production secret into an untrusted online tool. To generate fresh strong keys, use the Password Generator.
When you click Decrypt, the tool performs the same key-derivation step that encryption used, then reverses the cipher. Because AES itself works on a raw key (256 bits by default) rather than a human passphrase, the two steps below reconstruct that key from your secret key plus a salt that is embedded in the ciphertext:
Salted__ followed by an 8-byte random salt, so the tool splits off the salt and keeps only the real ciphertext that follows. Every step runs locally inside your browser through the Web Crypto-compatible crypto-js library. Your secret key and ciphertext are never transmitted over the network, logged, or persisted after you leave the page.
Look closely at any ciphertext this tool accepts and you will notice it almost always starts with U2FsdGVkX1. That is not a coincidence — it is base64 for the literal string Salted__, which is how the OpenSSL format signals that a random salt follows:
base64("Salted__" + 8-byte-salt + real-ciphertext)
^^^^^^^^^ ^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^
marker random salt AES-CBC outputThe salt is not secret — its job is to ensure that encrypting the same message twice with the same key produces two different ciphertexts. The salt must be sent alongside the ciphertext, otherwise the key cannot be re-derived and decryption is impossible. This is why you should copy the entire base64 string, not a truncated middle portion.
Because the salt is baked into the payload, you only need to remember your passphrase — there is no separate "salt" or "IV" field to manage. The Encrypt tool generates a fresh random salt on every run and bundles it into the output for you.
This tool uses AES-CBC (Cipher Block Chaining) with PKCS#7 padding, the OpenSSL default and the most widely interoperable mode for passphrase-based encryption. It is fast and well-supported, but it is not authenticated — it has no way to prove the ciphertext was not tampered with, so a modified payload decrypts to garbage (or throws a padding error) rather than being rejected outright.
AES-GCM is an authenticated mode that appends a verification tag. If a single bit of the ciphertext is altered, GCM detects it and refuses to decrypt. GCM is preferred for modern systems that need integrity guarantees, but it is a different format and is not interchangeable with the CBC output this tool produces — an OpenSSL/CryptoJS CBC ciphertext will not decrypt in a GCM tool, and vice versa.
If you are unsure which mode produced your ciphertext, the Salted__ prefix is a reliable tell: it is emitted by CBC passphrase-based encryption (the format this tool expects). Raw hex or binary payloads without that marker were likely produced by a different library or mode and may need their native tool to decrypt.