XOR Cipher

Encrypt and decrypt text with a repeating-key XOR in your browser. Input as text, hex, or Base64, with hex, Base64, and text output. No upload.

XOR cipher encrypt and decrypt

XOR is its own inverse, so the same key encrypts and decrypts. Pick how your message and key are encoded, then read the result as hex, Base64, or text.

The key repeats across the message. A one-byte key gives a single-byte XOR. A key as long as the message gives a one-time pad.

How XOR encryption works

  1. Everything is bytes. Your message and key are turned into raw bytes. Text uses UTF-8; hex and Base64 are decoded straight to bytes. XOR works on bytes, not letters, so it can encrypt any data, not just A to Z.
  2. XOR byte by byte. Each message byte is combined with a key byte using bitwise exclusive-or. If the key is shorter than the message, it repeats from the start, the same idea as a Vigenere cipher on bytes.
  3. The same key reverses it. XOR is self-inverse: applying the identical key to the ciphertext returns the original bytes. There is no separate decrypt algorithm.
  4. Move it as hex or Base64. Ciphertext bytes are usually not printable, so copy the hex or Base64 output. To decrypt, paste that value back in and pick the matching input encoding.
  5. Know the limits. A short repeating key is weak and a reused key leaks information. XOR is only secure as a one-time pad: a random key as long as the message, used a single time. For real protection use a vetted cipher such as AES.

How to use

  1. Choose how your message is encoded: plain text, hex, or Base64. Use text to encrypt readable input, or hex and Base64 to decrypt ciphertext.
  2. Type or paste the message. Hex tolerates spaces, commas, and a leading 0x; Base64 accepts standard and URL-safe forms.
  3. Enter the key and pick its encoding. A short key repeats across the message; a key as long as the message acts as a one-time pad.
  4. Read the result as hex, Base64, or decoded text. XOR output is usually binary, so the hex and Base64 rows are what you copy.
  5. To decrypt, paste the hex or Base64 ciphertext back into the message field with the matching encoding and apply the same key.
  6. Use Copy on any output row, or Use hex as input to round-trip and confirm the cipher reverses cleanly. Everything stays in your browser.

About this tool

XOR Cipher encrypts and decrypts a message by combining its bytes with the bytes of a key using the bitwise exclusive-or operation, the building block behind stream ciphers and the one-time pad. The defining property of XOR is that it is its own inverse: for any message byte m and key byte k, (m XOR k) XOR k returns m exactly. That single fact is why this tool has no separate encrypt and decrypt buttons for the cipher itself. Running the same key over the ciphertext recovers the plaintext, so encryption and decryption are the same operation, and the only thing that differs between the two directions is which encoding your input and output happen to be in.

Because XOR works on raw bytes rather than letters, the tool makes the byte boundary explicit instead of hiding it. The message and the key can each be entered as plain UTF-8 text, hexadecimal, or Base64, and the result is shown three ways at once: hex, Base64, and decoded text when every output byte is printable. This matters because XOR ciphertext is almost always non-printable binary. Encrypting a readable sentence produces byte values that do not map to readable characters, so the normal way to carry XOR output around is hex or Base64, and the normal way to decrypt is to paste that hex or Base64 back in and pick the matching input encoding.

The tool handles the key the way real implementations do: if the key is shorter than the message it repeats from the start, which makes a one-byte key a single-byte XOR and a key as long as the message a one-time pad. A live byte breakdown lines up the first sixteen message bytes against the key bytes and the resulting output bytes so you can see the operation position by position, and the stats panel reports the message, key, and output byte counts along with whether the key has reached one-time-pad length.

About security, the tool is honest. A short repeating key is weak: the repetition lets an attacker line up positions that share a key byte and break each one with the same frequency and Kasiski techniques that defeated the Vigenere cipher, just on bytes instead of letters. Reusing a key across two messages is worse, because XORing the two ciphertexts cancels the key and leaks the XOR of the plaintexts. XOR is only provably unbreakable as a one-time pad, meaning a key that is truly random, at least as long as the message, and never reused.

Treat this tool as the right way to learn how XOR works, to encode or decode XOR challenges in capture-the-flag puzzles, to debug XOR-obfuscated data, or to apply lightweight reversible obfuscation, and reach for a vetted cipher such as AES when you need real confidentiality. Every byte of math runs in your browser. The message, the key, and the result are never uploaded, logged, or stored.
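
The byte-level operation, the hex round trip, and the key-reuse caveat described above, as an added example that is not the tool's own code. The function names and sample strings are constructed for illustration.

```javascript
// Added example, not the tool's code. Names and sample strings are constructed.
const enc = new TextEncoder();
const dec = new TextDecoder();

// XOR each message byte with a key byte; the key repeats when it is shorter.
function xorBytes(msg, key) {
  if (key.length === 0) throw new Error("key must be at least one byte");
  return msg.map((b, i) => b ^ key[i % key.length]);
}

// Hex input may contain spaces, commas and 0x prefixes.
function fromHex(s) {
  const clean = s.split(/[\s,]+/).map((t) => t.replace(/^0x/i, "")).join("");
  if (clean.length % 2 !== 0 || /[^0-9a-f]/i.test(clean)) {
    throw new Error("invalid hex input");
  }
  return Uint8Array.from(clean.match(/../g) || [], (h) => parseInt(h, 16));
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Encrypt text, carry the ciphertext as hex, then decrypt with the same key.
function roundTrip(text, keyText) {
  const key = enc.encode(keyText);
  const hex = toHex(xorBytes(enc.encode(text), key));
  return { hex, text: dec.decode(xorBytes(fromHex(hex), key)) };
}

// Key reuse: XORing two ciphertexts made with one key cancels the key,
// leaving exactly the XOR of the two plaintexts.
function keyReuseLeak(textA, textB, keyText) {
  const key = enc.encode(keyText);
  const [a, b] = [enc.encode(textA), enc.encode(textB)];
  const n = Math.min(a.length, b.length);
  const c1 = xorBytes(a, key).slice(0, n);
  const c2 = xorBytes(b, key).slice(0, n);
  return {
    fromCiphertexts: toHex(xorBytes(c1, c2)),
    fromPlaintexts: toHex(xorBytes(a.slice(0, n), b.slice(0, n))),
  };
}

console.log(roundTrip("Hi", "K"));
console.log(keyReuseLeak("meet at the dock", "bring the report", "secret"));
```

In the second result, a `00` byte marks a position where both plaintexts hold the same character, which is information the key was supposed to hide.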

Free to use. Works in your browser. No signup, no login.
