Cipher Workbench
Drag any of 70+ operations into a pipeline. Decode, encode, encrypt, hash, transform. Magic mode auto-detects encoding chains. Pipelines save to your browser. Files never leave your device.
Operations
Pipeline
Input
Output
How to use Cipher Workbench
A quick tour. The tool is built around a left-to-right flow: input on the right, operations in the middle, library on the left. Output appears below the input.
1. Drop in some input
Type, paste, or drag a file into the Input textarea on the right. Files up to 5 MB are loaded as text if printable, otherwise as a hex dump. Use the Paste button if your browser blocks navigator.clipboard.read.
2. Add operations to the pipeline
Search the left library by name, click an operation to add it, or drag it onto the pipeline. Each operation has its own params (key, format, regex, etc.) shown inline.
The output of each step feeds the next. Reorder with the up/down buttons or by dragging. Disable a step with the off button to compare results without removing it.
3. Read the output
The output panel shows the final result of the whole pipeline. Switch between Text, Hex, and Base64 views. Click ↑ Use as input to feed the output back as a fresh input for the next experiment.
4. Magic auto-decode
Paste a string you can't identify and click Magic auto-decode. The tool tries 30+ common decode chains (Base64, hex, URL, ROT13, Atbash, gzip, JWT, Morse, Unicode escapes, zero-width hide…) and ranks the candidates by how English-like the output looks. Click any row to apply that chain.
5. Save and share
- Save stores your pipeline by name in your browser. Reload anytime from Load.
- Share link copies a URL with the whole pipeline encoded in the hash. Anyone who opens it gets the same setup, no account needed.
- Export script shows a shell-style sketch of what the pipeline does for documentation.
Common use cases
Decode a JWT
Paste the token. Add JWT Decode. Header and payload appear as JSON. To verify the signature, add JWT Verify HS256 and paste your secret.
Read a base64-gzipped JSON blob
Add From Base64 → Gzip Inflate → JSON Pretty. Or skip the thinking and click Magic — the chain ranks first.
Crack a CTF cipher
Try Letter frequency first — if one letter clearly dominates, you're looking at a substitution cipher. Use ROT N with the cycle dial, or Vigenère Decrypt with a guessed key. Shannon entropy tells you whether the text is encrypted (high entropy) or just encoded (lower).
AES encrypt a string
Add AES Encrypt, set mode (GCM is safest), paste your hex key (32 chars = AES-128, 64 chars = AES-256), and a hex IV (12 bytes for GCM, 16 for CBC/CTR). The output is base64. The matching AES Decrypt reverses it.
Hash a password
Add SHA-256 for a quick fingerprint. For real password hashing use bcrypt or argon2 in production — these fast hashes are for fingerprinting, not credential storage.
Find hidden text in a string
If a message looks like normal text but feels off, try Zero-width extract. Some sites hide messages using invisible Unicode (ZWNJ / ZWJ). The output is the recovered text.
Identify a binary file
Drop the file. Take the hex output, add Magic byte detect. It identifies common formats (PNG, PDF, ZIP, ELF, PE, JPEG, MP3 and more) from the first few bytes.
FAQ
Is anything uploaded to a server?
No. Every operation runs in your browser using JavaScript or WebCrypto. The Gzip and SHA3 libraries are loaded from a public CDN the first time you use them, but the data you process never leaves your device. Open your browser's Network tab and watch — you'll see no upload of your input.
How does Magic mode work?
It tries about 30 common decoder chains against your input (single steps and 2-3 step combinations). For each output that's still printable, it scores by printable-character ratio and English dictionary hit rate. JSON-shaped, URL-shaped, or word-rich outputs get bonus points. The top 15 are listed; click any to apply.
My AES decrypt errors out — why?
AES is unforgiving. Check: key length matches the algorithm (16 bytes = AES-128, 24 = AES-192, 32 = AES-256), IV length matches the mode (12 bytes for GCM, 16 for CBC/CTR), and the ciphertext is intact base64. With AES-GCM, even one wrong byte in the auth tag causes a decrypt failure.
Can I drop a binary file?
Yes — the file picker accepts any file up to 5 MB. If the file looks printable (text, JSON, source code) it loads as text. Otherwise the input is filled with a hex dump that you can chain with From Hex back to bytes, or Magic byte detect to identify the format.
How is this different from CyberChef?
Same idea, smaller scope. CyberChef has 300+ operations and a much heavier interface. This tool covers the 80 you actually use — encoding, classical ciphers, modern crypto, hashing, JWT, compression, regex, JSON — in a faster page that loads in under a second. No login, no telemetry, dark and light themes, your pipeline survives reloads.
My share link is huge.
It encodes the whole pipeline plus your input as base64 in the URL hash. Long inputs make long URLs. Clear the input before copying the link if the recipient just needs the pipeline structure.