XOR Cipher Tool

XOR is the simplest reversible byte operation, and a repeating-key XOR cipher is the classic teaching example of stream encryption. Type some text and a key to get a hex or Base64 result; paste that result back with the same key to recover the original. Everything happens in your browser, with nothing sent anywhere.

How to use the XOR Cipher Tool

Choose Encrypt to turn plain text into a cipher string, or Decrypt to turn a cipher string back into text. Enter a key — any text will do — and your input. In encrypt mode the output appears as hex or Base64 (your choice); in decrypt mode the tool reads that same format and gives back the original text.

The cipher is symmetric: encrypting with key secret and then decrypting the result with secret returns exactly what you started with. The key repeats over the length of the message, so a short key still covers a long input. Because the operation works on raw UTF-8 bytes, it handles accents, emoji, and any other Unicode correctly as long as you use the same key both ways.

Use Copy output to grab the result. If decryption produces garbled text, the key or the input format is wrong — XOR has no way to detect a bad key, so double-check both.

How XOR encryption works (and its limits)

XOR — exclusive or — compares two bits and outputs 1 only when they differ. Its defining property is that applying the same value twice cancels out: (A XOR K) XOR K = A. That makes it perfectly reversible. A repeating-key XOR cipher takes your message bytes and your key bytes, repeats the key to match the message length, and XORs them position by position. To decrypt, you XOR the cipher with the very same key and the original bytes fall right back out. There is no separate "decrypt algorithm" — it is the identical operation.

This simplicity is why XOR appears everywhere in computing: in one-time pads, as a building block inside real stream ciphers, in CTF challenges, and as lightweight obfuscation. When the key is truly random, as long as the message, and never reused, XOR is a one-time pad — provably unbreakable. That theoretical strength is the reason XOR is the heart of so many cryptographic constructions.

But a short, repeating, human-chosen key is not secure. Because the key cycles, the cipher is vulnerable to frequency analysis and known-plaintext attacks; tools can recover the key length from repetition patterns and then solve each key byte. Treat this as an educational and obfuscation tool, not real protection for sensitive data. For genuine confidentiality use a vetted authenticated cipher such as AES-GCM, where key management and integrity checks are handled properly.

Common use cases

  • Learning cryptography. See the reversible XOR property in action and understand why it underpins stream ciphers and one-time pads.
  • CTF and puzzles. Encode or decode repeating-key XOR challenges quickly without writing a script.
  • Light obfuscation. Scramble a non-sensitive string so it is not human-readable at a glance.
  • Format experiments. Compare how the same ciphertext looks as hex versus Base64.

Frequently asked questions

Is XOR encryption secure?
Not with a short, repeating key — it is easily broken by frequency analysis. It is provably secure only as a one-time pad: a truly random key as long as the message, used once. For real security use AES-GCM or similar.

Why is encrypt and decrypt the same operation?
XOR is self-inverse: applying the same key twice cancels out. So decrypting is just XORing the ciphertext with the identical key again.

What if my decrypted text is garbage?
The key or the input format is wrong. XOR cannot detect an incorrect key, so verify you are using the exact same key and the right hex/Base64 setting.

Does it handle emoji and accented characters?
Yes. The cipher operates on UTF-8 bytes, so any Unicode round-trips correctly when you encrypt and decrypt with the same key.