Encrypt Online
Theme
Privacy Tool inputs are processed in your browser and are not sent to us.

OpenSSL AES Decrypt & Compatibility Checker

Inspect Salted__ payloads, test the exact PBKDF2 recipe, and diagnose bad decrypt locally

Safety note: The payload and passphrase stay in your browser. This page tests one recipe at a time; it does not guess passwords or claim that AES-CBC output is authenticated.
Inspect the envelope, then test the original recipeStandard Salted__ AES-CBC payloads only
Paste Base64 or hex, or inspect a local OpenSSL file.
Selected boundary; the envelope does not store this number.
Which OpenSSL Payloads This Tool Supports

This checker handles standard passphrase-based openssl enc envelopes that begin with Salted__ and contain AES-128-CBC, AES-192-CBC, or AES-256-CBC ciphertext. PBKDF2 supports SHA-1, SHA-256, SHA-384, and SHA-512. The CryptoJS / old OpenSSL preset is limited to AES-256-CBC with EVP_BytesToKey and MD5.

Raw -K/-iv ciphertext, -nosalt, explicit OpenSSL 3 -S output without an embedded header, -nopad, GCM, CMS, and non-AES ciphers are intentionally unsupported.

Why OpenSSL Says Bad Decrypt

bad decrypt usually means the selected recipe did not produce valid CBC padding. Match the original passphrase, AES size, KDF, digest, iteration count, salt length, and Base64 handling before changing anything else. The error does not identify which one differs.

What the Salted__ Header Tells You

The marker identifies a compatible salted envelope shape. It does not prove that OpenSSL created the value and it does not store the cipher, KDF, digest, iteration count, passphrase, or salt length. OpenSSL 3.2 added -saltlen for PBKDF2, so decryption must use the same length that encryption used.

OpenSSL AES Decrypt FAQ
Does a successful result prove the passphrase is correct?

No. AES-CBC is not authenticated, and an incorrect recipe can occasionally produce valid padding. Treat the output as a candidate and verify its expected structure or checksum separately.

Why can the same Salted__ payload use different settings?

The envelope stores the marker, salt bytes, and ciphertext. It does not store the cipher, digest, KDF, or iteration count, so those settings must come from the original command or application.

Can this decrypt this site's normal encrypted text?

No. The homepage and generic Decrypt page use a different CryptoJS-compatible format and recipe. Use this checker only for the supported OpenSSL envelope described above.

Are the payload and passphrase uploaded?

No. Inspection, PBKDF2, and AES-CBC decryption run in the browser, and the page does not add inputs to the URL or browser storage.