Decrypt zero-knowledge Sealed Vault content using only your passphrase. This page runs entirely in your browser. Nothing you type here is sent anywhere.
Pick the source of the text you are decrypting. Each one uses a different key derivation, so the wrong choice will fail even with the right passphrase.
This is the long block of random-looking letters and numbers, not your passphrase.
Case does not matter for word phrases; this tool lowercases and trims them automatically to match how Notenz encrypted them.
All three formats use the same building blocks: PBKDF2 (a slow, salted password stretcher) to turn your passphrase into a 256-bit key, then AES-256-GCM (an authenticated cipher) to decrypt the content and verify it has not been tampered with. This is standard, widely reviewed cryptography, implemented using your browser's built-in Web Crypto API. No cryptography library is loaded from anywhere; the code is the few dozen lines visible in this page's source.
Two-Person Secret or Shared-Key Vault Item (phrase): the ciphertext is base64 of salt (16 bytes) plus IV (12 bytes) plus AES-GCM output. Key derivation is PBKDF2-SHA256 with 100,000 iterations over your lowercased, trimmed passphrase.
Shared-Key Vault Item (raw key): the ciphertext is base64 of IV (12 bytes) plus AES-GCM output. No PBKDF2 step; the key you enter is used directly as the 256-bit AES key.
Sealed Vault or QR-Vault Private Secret: the ciphertext is base64 of IV (12 bytes) plus AES-GCM output, with no salt inside it. The salt is stored and shown separately (600,000 PBKDF2-SHA256 iterations, matching the higher-security tier used for Sealed Vault).