AesBridge is a modern, secure, and cross-language AES encryption library. It offers a unified interface for encrypting and decrypting data across multiple programming languages. Supports GCM, CBC, and legacy AES Everywhere modes.

This is the Java implementation of the core project.
👉 Main repository: https://github.com/mervick/aes-bridge

• 🛡️ AES-256 encryption - Industry-standard 256-bit encryption
• 🔐 Multiple modes - GCM (recommended) and CBC with HMAC
• ↩️ Legacy CBC - For backward compatibility with projects using AES Everywhere (legacy OpenSSL-compatible mode).
• 🌍 Cross-language compatibility - Unified implementation across languages
• ✨ Secure by design - Proper key derivation and cryptographic best practices

Open your project's pom.xml file and add the following dependency the <dependencies> section. If the section doesn't exist, create it within the <project> root element.

<dependencies>
  <dependency>
    <groupId>dev.mervick.aesbridge</groupId>
    <artifactId>aes-bridge</artifactId>
    <version>2.0.0</version>
  </dependency>
</dependencies>

The main class AesBridge exposes convenient static methods to encrypt and decrypt data:

import dev.mervick.aesbridge.AesBridge;
// import dev.mervick.aesbridge.CBC;
// import dev.mervick.aesbridge.GCM;
// import dev.mervick.aesbridge.Legacy;

public class Example {
    public static void main(String[] args) throws Exception {
        String message = "My secret message";
        String passphrase = "MyStrongPass";

        byte[] plaintext = message.getBytes("UTF-8");
        byte[] passBytes = passphrase.getBytes("UTF-8");

        // Encrypt using the default GCM mode
        byte[] encrypted = AesBridge.encrypt(plaintext, passBytes);
        System.out.println("Encrypted GCM: " + new String(encrypted, "UTF-8"));
        // Decrypt using the default GCM mode
        byte[] decrypted = AesBridge.decrypt(encrypted, passBytes);
        System.out.println("Decrypted GCM: " + new String(decrypted, "UTF-8"));

        // Encrypt using CBC mode
        byte[] encryptedCBC = AesBridge.encrypt(plaintext, passBytes, "CBC");
        System.out.println("Encrypted CBC: " + new String(encryptedCBC, "UTF-8"));
        // Decrypt using CBC mode
        byte[] decryptedCBC = AesBridge.decrypt(encryptedCBC, passBytes, "CBC");
        System.out.println("Decrypted CBC: " + new String(decryptedCBC, "UTF-8"));

        // Encrypt using legacy OpenSSL-compatible mode
        byte[] encryptedLegacy = AesBridge.encrypt(plaintext, passBytes, "LEGACY");
        System.out.println("Encrypted Legacy: " + new String(encryptedLegacy, "UTF-8"));
        // Decrypt using legacy mode
        byte[] decryptedLegacy = AesBridge.decrypt(encryptedLegacy, passBytes, "LEGACY");
        System.out.println("Decrypted Legacy: " + new String(decryptedLegacy, "UTF-8"));
    }
}

dev.mervick.aesbridge.AesBridge

Encrypts the given plaintext using AES-256-GCM mode (default) with the provided passphrase.

• Parameters:
  • plaintext — the data to encrypt (byte array)
  • passphrase — the secret key passphrase (byte array)
• Returns: Encrypted data in raw binary format following the structure above.
• Throws: Exceptions on encryption failure.

Decrypts data encrypted with AesBridge.encrypt() using AES-256-GCM.

• Parameters:
  • ciphertext — the encrypted data in the binary format described above
  • passphrase — the secret key passphrase used for encryption
• Returns: Decrypted plaintext as a byte array.
• Throws: Exceptions on decryption or authentication failure.

Encrypts data with the specified AES mode.

• Parameters:
  • plaintext — data to encrypt (byte array)
  • passphrase — secret passphrase (byte array)
  • mode — one of "GCM", "CBC", or "LEGACY"
• Returns: Encrypted data as a byte array.
• Throws: Exceptions on encryption failure or invalid mode.

Supported modes:

• "GCM" — AES-GCM 256-bit encryption.
• "CBC" — AES-CBC 256-bit encryption with HMAC-SHA256 authentication.
• "LEGACY" — Legacy AES-CBC encryption compatible with OpenSSL enc command.

Decrypts data using the specified AES mode. Input format must match the output format of the corresponding encrypt method.

• Parameters:
  • ciphertext — encrypted data (byte array)
  • passphrase — secret passphrase (byte array)
  • mode — one of "GCM", "CBC", or "LEGACY"
• Returns: Decrypted plaintext as a byte array.
• Throws: Exceptions on decryption failure, authentication failure, or invalid mode.

dev.mervick.aesbridge.GCM

The GCM mode is the recommended AES encryption mode providing authenticated encryption with associated data using AES-256-GCM.

Encrypts the given plaintext with AES-256-GCM and returns Base64 encoded data. The encrypted format is:
salt(16) + nonce(12) + ciphertext + tag(16)

• Parameters:
  • plaintext — Data to encrypt.
  • passphrase — Encryption passphrase.
• Returns: Base64-encoded byte array containing the encrypted data.
• Throws: Exception on encryption errors.

Decrypts Base64-encoded data encrypted with encrypt(). Checks authenticity using GCM's built-in tag.

• Parameters:
  • ciphertext — Base64 encoded encrypted data.
  • passphrase — Passphrase for decryption.
• Returns: Decrypted plaintext bytes.
• Throws: Exception on decryption or authentication failures.

Encrypts data using AES-GCM and returns raw binary output without Base64 encoding.

• Parameters:
  • plaintext — Data to encrypt.
  • passphrase — Passphrase for encryption.
• Returns: Raw binary encrypted data: salt(16) + nonce(12) + ciphertext + tag(16)
• Throws: Exception on encryption errors.

Decrypts raw binary encrypted data produced by encryptBin(). Verifies authentication tag.

• Parameters:
  • ciphertext — Raw binary encrypted data.
  • passphrase — Decryption passphrase.
• Returns: Decrypted plaintext bytes.
• Throws: Exception on decryption or authentication errors.

dev.mervick.aesbridge.CBC

The CBC mode in AesBridge provides AES-256-CBC encryption combined with HMAC-SHA256 authentication for data integrity, with PBKDF2 key derivation.

Encrypts the given plaintext using AES-256-CBC with PKCS5 padding and calculates an HMAC-SHA256 tag for integrity. Returns the output as Base64-encoded binary data with the format:
salt(16) + iv(16) + ciphertext + HMAC(32)

• Parameters:
  • plaintext — The data to encrypt (can be byte[], String, or any object convertible to bytes).
  • passphrase — The secret passphrase for encryption (same flexibility as plaintext).
• Returns: Byte array containing the Base64-encoded encrypted result.
• Throws: Exception on encryption errors.

Decrypts data previously encrypted with encrypt(). Verifies the HMAC tag to ensure data integrity and authenticity. Input must be Base64-encoded and must follow the format described above.

• Parameters:
  • ciphertext — Base64-encoded encrypted data.
  • passphrase — The secret passphrase used for decryption.
• Returns: Byte array of the decrypted plaintext data.
• Throws: SecurityException if HMAC verification fails, or other exceptions on decryption errors.

Encrypts the given data using AES-256-CBC with HMAC-SHA256, returning raw binary data without Base64 encoding.

• Parameters:
  • plaintext — The data to encrypt.
  • passphrase — The encryption passphrase.
• Returns: Raw binary encrypted data: salt(16) + iv(16) + ciphertext + HMAC(32)
• Throws: Exception on encryption errors.

Decrypts raw binary encrypted data generated by encryptBin(). Verifies HMAC before decryption.

• Parameters:
  • ciphertext — Raw binary encrypted data.
  • passphrase — The passphrase for decryption.
• Returns: Raw decrypted data.
• Throws: SecurityException if HMAC validation fails, or other exceptions on error.

dev.mervick.aesbridge.Legacy

⚠️ These functions are maintained solely for backward compatibility with older systems. While they remain fully compatible with the legacy AES Everywhere implementation, their use is strongly discouraged in new applications due to potential security limitations compared to GCM or CBC with HMAC.

Encrypts data using OpenSSL-compatible legacy AES-256-CBC with an ASCII "Salted__" header and salt. Outputs Base64 encoded encrypted data.

• Parameters:
  • data — Data to encrypt.
  • passphrase — Encryption passphrase.
• Returns: Base64-encoded byte array containing encrypted data.
• Throws: Exception on encryption errors.

Decrypts Base64-encoded data encrypted with the legacy encrypt(). Expects the "Salted__" header in input.

• Parameters:
  • data — Base64 encoded encrypted data.
  • passphrase — Passphrase used for encryption.
• Returns: Decrypted plaintext bytes.
• Throws: IllegalArgumentException if input format is incorrect, and other exceptions on decryption errors.

• Encrypts with AES-256-GSM using PKCS#5 padding.
• Strong authenticated encryption with nonce and tag integrity.
• Uses PBKDF2 key derivation with 100,000 iterations.
• Output format binary: salt(16) + nonce(12) + ciphertext + tag.
• Output format base64: base64(salt(16) + nonce(12) + ciphertext + tag(16)).

• Encrypts with AES-256-CBC using PKCS#5 padding.
• Adds HMAC-SHA256 for authentication (verify data integrity and authenticity).
• Uses PBKDF2 key derivation with 100,000 iterations.
• Output format binary: salt(16) + IV(16) + ciphertext + HMAC(32).
• Output format base64: base64(salt(16) + IV(16) + ciphertext + HMAC(32)).

• Compatible with the OpenSSL command-line enc format.
• Uses OpenSSL's EVP_BytesToKey key derivation based on MD5.
• Output format: Base64 string containing Base64("Salted__" + salt(16) + ciphertext).
• Not recommended for new applications due to weaker security properties.