ChaCha20-Poly1305 Encrypt & Decrypt

Free online ChaCha20-Poly1305 Encrypt & Decrypt tool. 100% local processing — your data never leaves your device.

Usage Guide

About ChaCha20-Poly1305

ChaCha20-Poly1305 is an authenticated encryption with associated data (AEAD) cipher, combining the ChaCha20 stream cipher with the Poly1305 message authentication code. Designed by Daniel J. Bernstein, it is standardized in RFC 8439 and adopted in TLS 1.3, SSH, and WireGuard as a primary cipher suite. It provides both confidentiality (encryption) and integrity (authentication) in a single operation, preventing both eavesdropping and ciphertext tampering. ChaCha20-Poly1305 was developed as a software-friendly alternative to AES-GCM for platforms without hardware AES acceleration.

Modern TLS Standard: ChaCha20-Poly1305 is one of the two mandatory cipher suites in TLS 1.3 (alongside AES-256-GCM). It is the preferred choice on mobile and IoT devices, and is comparable in security to AES-256-GCM on all platforms.

Usage Steps

This tool supports both encryption and decryption. The key is required; the nonce is auto-generated if left empty:

1. Generate or Enter Key: Click the random button next to 'Secret Key (Hex)' to generate a random 32-byte (256-bit) key, or enter your own 64-character hex string.
2. Nonce (optional): Leave blank to auto-generate a random 12-byte nonce for each encryption. For decryption, the nonce is embedded in the ciphertext — leave this field empty.
3. Encrypt: Enter the plaintext in the input box, select 'Encrypt', and click 'Encrypt'. The output is a base64 string containing the 12-byte nonce prepended to the ciphertext+tag.
4. Decrypt: Paste the base64 ciphertext into the input box, select 'Decrypt', enter the same key used for encryption, and click 'Decrypt'.

Privacy Protection: All ChaCha20-Poly1305 operations run entirely in your browser using WebAssembly. No data is ever sent to a server — completely offline processing.

Key and Nonce Format

ChaCha20-Poly1305 uses fixed-size parameters:

  • Key: 32 bytes (256 bits) — enter as a 64-character hex string, or use the random generator.
  • Nonce: 12 bytes (96 bits) — enter as a 24-character hex string, or leave blank for auto-generation. Never reuse the same nonce with the same key.
  • Ciphertext Format: base64(nonce[12 bytes] + ciphertext + authentication tag[16 bytes]). The nonce is prepended so decryption is self-contained.
  • Tag: 16 bytes (128 bits) Poly1305 authentication tag, appended automatically during encryption and verified automatically during decryption.

Never Reuse Nonces: Reusing the same (key, nonce) pair completely breaks ChaCha20-Poly1305 security — it allows an attacker to recover the keystream and decrypt all messages. Always use a unique nonce for each encryption, or let this tool auto-generate one.
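
The envelope described above, base64(nonce + ciphertext + tag), can be produced and opened with the crypto module built into Node.js. This is an added example, not the tool's own code: it assumes RFC 8439 ChaCha20-Poly1305 with no associated data, and the names sealEnvelope, openEnvelope and DEMO_KEY are hypothetical.

```javascript
// Added example, not the tool's code. Assumes RFC 8439 ChaCha20-Poly1305 with no AAD.
const { createCipheriv, createDecipheriv, randomBytes } = require("node:crypto");

const NONCE_LEN = 12, TAG_LEN = 16;
const ALG = "chacha20-poly1305";

function parseKey(hexKey) {
  if (!/^[0-9a-fA-F]{64}$/.test(hexKey)) throw new Error("key must be 64 hex characters");
  return Buffer.from(hexKey, "hex");
}

// Encrypt: returns base64(nonce || ciphertext || tag), fresh random nonce on every call.
function sealEnvelope(hexKey, plaintext) {
  const nonce = randomBytes(NONCE_LEN);
  const c = createCipheriv(ALG, parseKey(hexKey), nonce, { authTagLength: TAG_LEN });
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return Buffer.concat([nonce, ct, c.getAuthTag()]).toString("base64");
}

// Decrypt: returns the plaintext, or throws on a malformed envelope or failed tag check.
function openEnvelope(hexKey, b64) {
  const s = b64.trim();
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(s)) {
    throw new Error("input is not valid base64");
  }
  const blob = Buffer.from(s, "base64");
  if (blob.length < NONCE_LEN + TAG_LEN) throw new Error("shorter than nonce + tag");
  const nonce = blob.subarray(0, NONCE_LEN);
  const ct = blob.subarray(NONCE_LEN, blob.length - TAG_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const d = createDecipheriv(ALG, parseKey(hexKey), nonce, { authTagLength: TAG_LEN });
  d.setAuthTag(tag);
  const head = d.update(ct); // unauthenticated until final() succeeds; do not release early
  return Buffer.concat([head, d.final()]).toString("utf8"); // final() throws on a bad tag
}

// Constructed demo key; real keys come from a CSPRNG, e.g. randomBytes(32).toString("hex").
const DEMO_KEY = "00".repeat(31) + "01";
const envelope = sealEnvelope(DEMO_KEY, "hello, world");
console.log(envelope, "->", openEnvelope(DEMO_KEY, envelope));
```
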

ChaCha20-Poly1305 vs AES-GCM

Both are AEAD ciphers in TLS 1.3. Here is when to choose each:

  • ChaCha20-Poly1305: Preferred on mobile, ARM, and IoT devices without hardware AES. Constant-time in software, resistant to timing attacks. No hardware accelerator needed.
  • AES-GCM: Preferred when AES-NI hardware instructions are available (most modern x86/x64 CPUs). Significantly faster with hardware acceleration.
  • Security Equivalence: Both provide 256-bit key strength and 128-bit authentication tags. Neither is considered stronger than the other from a security standpoint.
  • TLS 1.3 Strategy: TLS 1.3 implementations negotiate: AES-GCM on servers/desktops with AES-NI; ChaCha20-Poly1305 on mobile clients without hardware AES.

FAQ

Q: Why is the output longer than the input?

A: The encrypted output is base64-encoded and includes: 12 bytes of nonce + plaintext length + 16 bytes of Poly1305 authentication tag. So the binary overhead is 28 bytes (12 nonce + 16 tag), and base64 encoding adds approximately 33% additional length. This is the standard overhead for any AEAD cipher that provides both encryption and authentication.

Q: What happens if I tamper with the ciphertext?

A: ChaCha20-Poly1305 will refuse to decrypt the tampered ciphertext. The Poly1305 tag is a message authentication code computed over the entire ciphertext. Any modification — even a single bit — causes tag verification to fail, and the decryption function returns an error rather than producing corrupted plaintext. This is the core security guarantee of AEAD ciphers: you cannot modify ciphertext without detection.

Q: How is ChaCha20-Poly1305 different from plain ChaCha20?

A: Plain ChaCha20 is a stream cipher that provides only confidentiality — it encrypts data but does not detect tampering. An attacker can flip bits in the ciphertext and it decrypts to corrupted (but undetected) plaintext. ChaCha20-Poly1305 combines ChaCha20 encryption with a Poly1305 authentication tag, providing both confidentiality and integrity. The “-Poly1305” suffix signals authenticated encryption. Always prefer ChaCha20-Poly1305 over bare ChaCha20 for any practical use.

Q: Can I use the same key for multiple messages?

A: Yes, but each message must use a unique nonce. The (key, nonce) pair must never be reused. With 12-byte nonces, random nonce generation gives a birthday-bound collision probability of approximately 1 in 2^96 — safe for billions of messages. If you encrypt a very large number of messages with the same key (billions+), consider rotating the key periodically. The auto-generate feature in this tool produces a cryptographically random nonce for each encryption.

Q: Is ChaCha20-Poly1305 resistant to quantum computers?

A: Like all symmetric ciphers, ChaCha20-Poly1305 is affected by Grover's algorithm, which halves the effective key strength — reducing 256-bit security to 128-bit equivalent. 128-bit post-quantum security is considered sufficient for most applications for the foreseeable future (NIST recommends 128-bit as the minimum). ChaCha20-Poly1305 with its 256-bit key is therefore considered quantum-resistant at the 128-bit security level. For comparison, AES-256-GCM offers the same post-quantum security level.

Q: Why does decryption fail with 'invalid key, nonce, or ciphertext'?

A: This error means the authentication tag verification failed. Common causes:
  • Wrong key: The key used for decryption does not match the key used for encryption. Keys must be identical (same 64-char hex string).
  • Corrupted ciphertext: The base64 string was modified, truncated, or pasted incorrectly. Ensure you copy the full output without extra spaces or newlines.
  • Decrypting non-ChaCha20-Poly1305 data: The input was encrypted with a different algorithm or tool. The nonce must be prepended in the format used by this tool (first 12 bytes of the decoded base64).

Use Cases

Recommended: Symmetric File and Message Encryption

ChaCha20-Poly1305 is an excellent general-purpose symmetric encryption choice. It encrypts data and authenticates it in a single pass, preventing both eavesdropping and tampering. It is used in WireGuard VPN for all tunnel traffic and is one of the two primary cipher suites in TLS 1.3. For encrypting messages, files, or data at rest with a shared secret key, ChaCha20-Poly1305 provides modern security with a straightforward API. Always generate a new random nonce per message and transmit it alongside the ciphertext (this tool prepends it automatically).

Recommended Configuration:
  • ✅ ChaCha20-Poly1305 (recommended for mobile, cross-platform, software-only)
  • AES-256-GCM (recommended when AES-NI hardware is available)
  • ✅ XChaCha20-Poly1305 (extended 24-byte nonce, for large-volume messaging)
  • ❌ Don't use unauthenticated ciphers (AES-CBC, plain ChaCha20) for new projects

Recommended: Mobile and IoT Encryption

On platforms without hardware AES acceleration — smartphones, embedded systems, IoT devices — ChaCha20-Poly1305 outperforms AES-GCM in both speed and security. Because ChaCha20 is a software-friendly algorithm, it runs in constant time on all platforms without timing side-channel risks. Google chose ChaCha20-Poly1305 as the preferred cipher for Android TLS traffic for exactly this reason. If your use case involves low-power devices or software-only environments, ChaCha20-Poly1305 is the better choice over AES.

Recommended Configuration:
  • ✅ ChaCha20-Poly1305 (best performance without hardware AES)
  • ✅ AES-256-GCM (acceptable on devices with AES hardware)
  • 💡 TLS 1.3 negotiates automatically — both cipher suites are mandatory
  • ❌ Don't use AES-CBC on constrained devices (no authentication, slower)

Acceptable: Encrypted Local Storage

ChaCha20-Poly1305 can protect sensitive data stored locally — configuration files, credentials, export archives. Derive the key from a user password using a key derivation function like Argon2id rather than using the password directly. Store the nonce alongside the encrypted data (this tool embeds it in the output). Ensure the KDF parameters (salt, iterations) are also stored so the key can be re-derived for decryption.

Recommended Configuration:
  • ✅ ChaCha20-Poly1305 + Argon2id key derivation (password-based encryption)
  • ✅ AES-256-GCM + PBKDF2 (FIPS-compliant environments)
  • 💡 Store: Argon2id params + salt + ChaCha20 nonce + ciphertext
  • ❌ Don't use ECB mode or unauthenticated ciphers for local storage

Not Recommended: Large File Encryption

ChaCha20-Poly1305 in its standard form is designed for messages up to ~64 GB (the ChaCha20 counter is 32 bits, giving 2^32 × 64-byte blocks). For practical large-file encryption, prefer a streaming AEAD construction that splits data into chunks (e.g., age, libsodium secretstream). The standard ChaCha20-Poly1305 also buffers the entire ciphertext before authenticating, which is memory-intensive for large files. For files over a few megabytes, use a dedicated tool or library that handles chunked encryption.

Recommended Configuration:
  • 💡 Use chunked AEAD for files larger than a few MB
  • ✅ libsodium secretstream (streaming ChaCha20-Poly1305)
  • ✅ age encryption tool (file-oriented, uses ChaCha20-Poly1305 internally)
  • ✅ AES-256-GCM in streaming mode (for hardware-accelerated environments)

Not Recommended: Key Exchange or Authentication

ChaCha20-Poly1305 is a symmetric cipher — both parties must already share the same secret key. It does not solve the key distribution problem. For secure key exchange over an untrusted network, use an asymmetric protocol: X25519 (Diffie-Hellman key exchange), or a full protocol like TLS 1.3 (which uses ChaCha20-Poly1305 after the handshake). For authentication without shared secrets, use RSA or ECDSA digital signatures. ChaCha20-Poly1305 alone cannot authenticate identities.

Recommended Configuration:
  • ❌ ChaCha20-Poly1305 doesn't solve key distribution
  • ✅ TLS 1.3 (handles key exchange + ChaCha20-Poly1305 data encryption)
  • ✅ X25519 + ChaCha20-Poly1305 (Noise protocol pattern)
  • ✅ RSA / ECDSA for digital signatures and identity verification

Not Recommended: Password Hashing

ChaCha20-Poly1305 is an encryption algorithm, not a password hash function. Encryption is reversible — anyone with the key can decrypt the password. Password storage requires a one-way function that is deliberately slow and memory-hard. For password hashing, use Argon2id (preferred) or bcrypt. Never store passwords encrypted — always store them hashed.

Recommended Configuration:
  • ❌ Don't use ChaCha20-Poly1305 for password storage (it's reversible)
  • Argon2id (preferred password hashing algorithm)
  • bcrypt (widely supported, existing systems)
  • ✅ scrypt / PBKDF2 (alternative password KDFs)

Best Practice Summary

  • Use ChaCha20-Poly1305 for symmetric encryption where AES hardware acceleration is unavailable — mobile, IoT, and cross-platform software.
  • Always use a unique random nonce for each encryption. The tool auto-generates one if you leave the nonce field empty.
  • The ciphertext output embeds the 12-byte nonce and 16-byte authentication tag — you only need to store the single base64 string for decryption.
  • Never reuse a (key, nonce) pair. Nonce reuse completely breaks ChaCha20-Poly1305 security.
  • For password-based encryption, derive the key with Argon2id first — never use a password directly as a ChaCha20-Poly1305 key.
