Mirror of the CryptoJS AES-256-CBC + IV-hex-prefix pattern used by Adonis/Express middlewares (and similar). Paste the encrypted payload + secret key to decrypt, or paste plaintext to produce a payload your server can decrypt with the same library. 100% in your browser — keys never leave your machine.
Exactly what the middleware below produces — 32-char hex IV concatenated with the CryptoJS AES base64 ciphertext (which starts with U2FsdGVkX1 because CryptoJS uses OpenSSL's salted format when the key is a string passphrase).
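// Server-side encryption (Adonis middleware)
const CryptoJS = require('crypto-js')

// Function wrapper added so the fragment runs; the name encryptData is illustrative
const encryptData = (data, secretKey) => {
  const iv = CryptoJS.lib.WordArray.random(16)
  // secretKey is a string, so CryptoJS derives the real key and IV from it
  // and the iv passed in the config below is overwritten
  const enc = CryptoJS.AES.encrypt(JSON.stringify(data), secretKey, {
    iv, mode: CryptoJS.mode.CBC,
    padding: CryptoJS.pad.Pkcs7, keySize: 256/32
  })
  return iv.toString(CryptoJS.enc.Hex) + enc.toString()
}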
No — when CryptoJS receives a string as the key, it runs OpenSSL's KDF (EVP_BytesToKey) which derives BOTH the actual key and IV from the passphrase + an embedded 8-byte salt. The iv you pass in the config is overwritten by the derived value. The 32-char IV prefix the middleware emits is therefore cosmetic — but kept here for byte-for-byte compatibility, and stripped automatically before decryption.
No. Decryption and encryption happen entirely in your browser via the CryptoJS library loaded from a CDN. Neither the secret key nor the payload ever leaves your machine — the page makes no XHR/fetch calls during the operation.
Almost always one of:
CryptoJS.enc.Utf8.parse(secretKey) instead of a string — that bypasses OpenSSL KDF and you'd need explicit IV + raw key bytes

// Mirrors the middleware
const decryptData = (payload, secretKey) => {
  const cipherText = payload.substring(32) // skip cosmetic IV
  const bytes = CryptoJS.AES.decrypt(cipherText, secretKey)
  return JSON.parse(bytes.toString(CryptoJS.enc.Utf8))
}
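The payload layout and key derivation described above, as an added example that is not the tool's or the middleware's own code: it builds and decrypts the same format with Node's built-in crypto module instead of CryptoJS, assuming CryptoJS's default passphrase KDF (EVP_BytesToKey with MD5, one iteration). The function names, sample object and passphrase are constructed for illustration.

```javascript
// Added example: OpenSSL salted format handled with Node's crypto module only.
const crypto = require('node:crypto');

const MAGIC = Buffer.from('Salted__', 'latin1'); // 8-byte OpenSSL header

// EVP_BytesToKey (MD5, 1 iteration): D_i = MD5(D_{i-1} || passphrase || salt),
// concatenated until 32 key bytes + 16 IV bytes are available.
function evpBytesToKey(passphrase, salt) {
  const pass = Buffer.from(passphrase, 'utf8');
  let block = Buffer.alloc(0);
  let out = Buffer.alloc(0);
  while (out.length < 48) {
    block = crypto.createHash('md5').update(Buffer.concat([block, pass, salt])).digest();
    out = Buffer.concat([out, block]);
  }
  return { key: out.subarray(0, 32), iv: out.subarray(32, 48) };
}

// Builds the page's layout: 32 hex chars + base64("Salted__" + salt + ciphertext).
function encryptPayload(data, passphrase) {
  const prefixIv = crypto.randomBytes(16); // emitted, but never fed to the cipher
  const salt = crypto.randomBytes(8);
  const { key, iv } = evpBytesToKey(passphrase, salt);
  const c = crypto.createCipheriv('aes-256-cbc', key, iv); // PKCS#7 padding by default
  const ct = Buffer.concat([c.update(JSON.stringify(data), 'utf8'), c.final()]);
  return prefixIv.toString('hex') + Buffer.concat([MAGIC, salt, ct]).toString('base64');
}

function decryptPayload(payload, passphrase) {
  const prefixIv = payload.substring(0, 32);
  const raw = Buffer.from(payload.substring(32), 'base64'); // drop the hex prefix
  if (raw.length < 32 || !raw.subarray(0, 8).equals(MAGIC)) {
    throw new Error('not an OpenSSL salted payload (missing "Salted__" header)');
  }
  // The key and the IV both come from the passphrase and the embedded salt.
  const { key, iv } = evpBytesToKey(passphrase, raw.subarray(8, 16));
  const d = crypto.createDecipheriv('aes-256-cbc', key, iv);
  const pt = Buffer.concat([d.update(raw.subarray(16)), d.final()]);
  return { data: JSON.parse(pt.toString('utf8')), prefixIv, usedIv: iv.toString('hex') };
}

// Constructed sample input and passphrase.
const sample = encryptPayload({ user: 'alice', role: 'admin' }, 'constructed-passphrase');
const result = decryptPayload(sample, 'constructed-passphrase');
console.log(sample.substring(32, 42));          // base64 of the "Salted__" header
console.log(result.prefixIv === result.usedIv); // prefix is not the IV in use
console.log(result.data);
```

Replacing the first 32 characters of a payload with any other 32 characters leaves the decrypted result unchanged, which is the practical meaning of the prefix being cosmetic.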