Skip to content
TextArray
100% local

XOR cipher

XOR every byte of your text with a repeating key — encrypt and decrypt in one tool.

Input

XOR cipher

XOR is the smallest cipher there is: every byte of the input is combined with a byte of the key, the key repeating as long as needed, and running the result through the same key restores the original exactly. That symmetry makes one tool do both jobs — encrypting and decrypting are the same operation with the formats swapped. Encrypt by pasting text and reading hex or Base64 out; decrypt by switching the input format to hex or Base64 and the output format to text.

The key can be given as plain text, hex bytes or Base64, so a challenge that hands you a key like 0x1f37 is typed in directly. All processing is byte-level UTF-8, which means accented text and emoji round-trip losslessly, and the tally reports how many input bytes and key bytes were used. Hex input tolerates whitespace and an 0x prefix; Base64 accepts both the standard and URL-safe alphabets.

Worth saying plainly: repeating-key XOR is not security. It is famously breakable with frequency analysis — which is exactly why it appears in every CTF, cryptography course and reverse-engineering write-up. This tool is for those: solving and setting challenges, de-obfuscating strings found in binaries or malware configs, testing parsers, or explaining why XOR alone fails. For actually protecting a message, use the AES-based encrypt text tool instead.

Everything runs locally in your browser — plaintexts, ciphertexts and keys never leave your device, and the key field is masked and never stored.

FAQ

How do I decrypt something I encrypted here?
Swap the formats: paste the hex or Base64 ciphertext, set the input format to match it, set the output format to text, and use the same key. XOR is its own inverse, so the identical operation restores the plaintext.
Is XOR encryption secure?
No. A repeating key leaks patterns that classic frequency analysis breaks in seconds — this is the textbook attack behind many CTF challenges. Treat XOR as obfuscation and a learning tool; for real secrecy use the encrypt text tool, which does AES-256 with a key derived from your password.
Why is my text output full of odd characters?
XOR produces arbitrary bytes, and most byte sequences are not valid UTF-8 text. That is why hex is the default output. Text output is meant for the decryption direction, where the result really is text.
What do the key formats mean?
Text treats what you type as UTF-8 bytes. Hex reads pairs of hex digits (whitespace and an 0x prefix are fine), and Base64 decodes standard or URL-safe Base64. A key that does not parse in its declared format produces a calm error instead of a wrong result.
Is my text or key uploaded anywhere?
No. The XOR runs entirely in your browser, the key field is masked, never persisted, and nothing ever leaves your device.