Symmetric Encryption Tutorial
Detailed guide, best practices, and FAQ
Use Cases
The symmetric encryption tool is useful for sensitive data transmission, config file encryption, API key protection, database field encryption, etc. It supports both the international AES-256 and the Chinese standard SM4: AES for global use, SM4 for compliance with Chinese cryptographic regulations. Both run locally in the browser; keys never leave the device.
Features
- AES-256-GCM: recommended mode with authentication tag, tamper-detecting
- AES-256-CBC: legacy compatibility, no authentication
- SM4-ECB/SM4-CBC: Chinese standard symmetric cipher (GB/T 32907-2016), 128-bit key
- Password-derived: AES uses PBKDF2 (100k iter + SHA-256); SM4 uses SM3 + salt
- Hex key: AES 64 hex / SM4 32 hex for advanced users
- Fully local: Web Crypto API + pure JS SM4, key never leaves the browser
- UTF-8 safe: correctly handles non-ASCII characters like Chinese
Examples
Scenario 1: Encrypt an API key for note storage. Input the key, set a password, choose AES-GCM, click Encrypt, and save the base64 ciphertext; decrypt later when needed.
Scenario 2: Send a private message to a colleague. Encrypt with a shared password and send the ciphertext via chat/email; the recipient decrypts with the same password.
Scenario 3: Chinese compliance. For financial/government systems requiring SM4, choose SM4-CBC mode and share the key via a secure channel.
Best Practices
- Prefer AES-GCM mode — authenticated, tamper-resistant
- For Chinese compliance, choose SM4-CBC (with IV, safer than ECB)
- Password at least 12 chars with mixed case, digits, symbols
- Higher PBKDF2 iteration counts are more secure, because each password guess costs an attacker more work (this tool uses 100,000)
- Always send ciphertext over HTTPS as well, to prevent MITM attacks
- Share hex keys only via secure channels (offline, password manager) — never in plaintext
FAQ
Will my password be uploaded?
No. All encryption/decryption is done locally in your browser; password and key never leave your device.
How to choose between AES and SM4?
Use AES-256-GCM for international use or when no compliance is required (more secure, authenticated). Use SM4 for Chinese compliance (finance/government/MLPS). The key lengths differ: AES 256-bit, SM4 128-bit.
How to choose between GCM and CBC?
GCM is recommended: it has an authentication tag to detect tampering. CBC is only for legacy systems; it has no authentication and is more vulnerable.
What is the ciphertext format?
AES password mode: base64(salt[16] + iv + ciphertext); Hex mode: base64(iv + ciphertext). SM4-CBC password mode: base64(salt[16] + iv[16] + ciphertext); SM4-ECB has no IV.
What if decryption fails?
Check: 1) correct password/key 2) algorithm mode matches encryption 3) full ciphertext copied 4) correct key source (password/hex) selected.