All posts
June 12, 20265 min read

AES-256-CBC vs AES-256-GCM: which mode, and why

AES is the encryption algorithm; CBC and GCM are two ways of using it, called modes of operation. They are not interchangeable, and for new work the choice is usually clear. The difference comes down to one thing: authentication.

What CBC does, and does not do

CBC (Cipher Block Chaining) encrypts data in blocks, each one mixed with the previous block's output so identical plaintext does not produce identical ciphertext. It keeps your data confidential. What it does not do is tell you whether the ciphertext was tampered with. An attacker who flips bits in CBC ciphertext can cause predictable changes in the decrypted output, and CBC alone will happily decrypt it without complaint.

To use CBC safely you must add a separate authentication step (an HMAC over the ciphertext) and verify it before decrypting. Getting that combination right is easy to get subtly wrong, and many real vulnerabilities have come from CBC used without proper authentication.

What GCM adds

GCM (Galois/Counter Mode) is an authenticated mode. It encrypts and, in the same operation, produces an authentication tag that proves the ciphertext (and any associated data) was not modified. On decryption, if the tag does not match, decryption fails outright. You get confidentiality and integrity from one primitive, with no separate HMAC to wire up.

This category is called AEAD, authenticated encryption with associated data, and it is what modern protocols like TLS 1.3 standardized on.

Which to choose

For new work, prefer GCM (or another AEAD mode). It removes an entire class of mistakes by making authentication non-optional. Reach for CBC only when you must interoperate with an existing system that requires it, and then only with a correct encrypt-then-MAC construction.

One GCM caveat: never reuse the same key and nonce pair, as that breaks its guarantees. Libraries that generate a fresh random nonce per message handle this for you.

The Encrypt / Decrypt Text tool uses AES-256-GCM in your browser, so you get authenticated encryption with nothing uploaded. For why encoding is not encryption at all, see base64 is not encryption.