AES-CBC vs AES-GCM: Choosing an AES Mode

AES itself only defines how to encrypt a single 16-byte block. To encrypt anything larger, you need a “mode of operation” that describes how successive blocks relate to each other. CBC and GCM are two of the most common modes, and picking between them isn't just a performance choice — it changes what security guarantees you actually get.

CBC — confidentiality only

Cipher Block Chaining XORs each plaintext block with the previous ciphertext block before encrypting it, using a random initialization vector (IV) to seed the first block. This hides patterns in the plaintext well, but CBC provides no way to detect tampering — an attacker can flip bits in the ciphertext and, depending on how the application handles the result, sometimes cause predictable changes in the decrypted plaintext without ever needing the key. Without a separate authentication step (like HMAC, applied correctly — a pattern called encrypt-then-MAC), a system using CBC alone has no way to tell legitimate ciphertext from tampered ciphertext.

GCM — confidentiality and authenticity together

Galois/Counter Mode combines encryption with a built-in authentication tag, so decryption fails loudly if even a single bit of the ciphertext has been altered. This class of construction is called authenticated encryption (AEAD), and it removes an entire category of implementation mistakes: there's no separate MAC step to forget, apply in the wrong order, or implement incorrectly. GCM is also a stream-cipher-style mode built on a counter, which makes it parallelizable and generally faster than CBC on modern hardware with AES-NI instruction support.
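
The difference between the two modes from the receiver's side, as an added example that is not part of the original page: it encrypts a constructed message with the Web Crypto API, changes one ciphertext bit, and reports what decryption returns under AES-CBC and AES-GCM. The message, the helper names webCrypto, tamperOutcome and compareModes, and the flipped byte index are assumptions chosen for illustration.

```javascript
// Added example (not from the original page): one flipped ciphertext bit, CBC vs GCM.
// MESSAGE is constructed sample data; it is 42 bytes, so it pads to three AES blocks.
const MESSAGE = 'record=0042;status=pending;owner=alice;v=1';

async function webCrypto() {
  // Browsers and current Node expose globalThis.crypto; older Node needs the module.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

async function tamperOutcome(mode, byteIndex) {
  const c = await webCrypto();
  const key = await c.subtle.generateKey(
    { name: mode, length: 256 }, false, ['encrypt', 'decrypt']);
  // Fresh random IV per message, supplied by the caller in the `iv` parameter:
  // 16 bytes for CBC, 12 bytes (96 bits) for GCM.
  const iv = c.getRandomValues(new Uint8Array(mode === 'AES-GCM' ? 12 : 16));
  const original = new TextEncoder().encode(MESSAGE);
  const ciphertext = new Uint8Array(
    await c.subtle.encrypt({ name: mode, iv }, key, original));

  // Simulate a single bit changed in storage or in transit.
  ciphertext[byteIndex] ^= 0x01;

  try {
    const decrypted = new Uint8Array(
      await c.subtle.decrypt({ name: mode, iv }, key, ciphertext));
    // CBC lands here: padding in the last block is intact, so nothing signals
    // that block 0 is garbage and block 1 has one bit changed.
    return { accepted: true, original, decrypted };
  } catch (err) {
    // GCM lands here: the tag no longer matches, so no plaintext is released.
    return { accepted: false, error: err.name };
  }
}

async function compareModes() {
  // Same position in the first ciphertext block for both modes.
  const cbc = await tamperOutcome('AES-CBC', 5);
  const gcm = await tamperOutcome('AES-GCM', 5);
  return { cbc, gcm };
}
```

Under CBC the call returns plaintext whose first block is garbled and whose byte 21 differs from the original by exactly the flipped bit, with no error raised. Under GCM decryption rejects and the caller never sees any plaintext.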

The one rule GCM doesn't forgive

GCM's security depends entirely on never reusing the same key/IV (nonce) pair. Reuse it once, and an attacker can recover the authentication key and forge messages — a much more severe failure than what happens if a CBC IV is reused. In practice this means always generating a fresh, random 96-bit IV per encryption operation, which is exactly what the Web Crypto API does automatically when you don't supply one yourself.

Which one to pick

For new work, default to AES-GCM. It gives you tamper detection for free, it's faster on modern CPUs, and it removes the “did I implement the MAC correctly” failure mode entirely. CBC is still fine when you're working with a system or library that only supports it and you pair it correctly with a MAC — but for anything greenfield, there's little reason to reach for it over GCM.

The Encrypt / Decrypt tool on this site supports both AES-256-CBC and AES-256-GCM, generating a fresh IV for every operation.
