Skip to content
Kordu Tools Kordu Tools

RSA Encrypt

Runs in browser

Encrypt text with RSA-OAEP using a public key in your browser. Generate RSA-2048 or RSA-4096 key pairs. Max ~190 bytes plaintext. Nothing uploaded.

Last updated 02 Apr 2026

Generate an RSA key pair or paste a PKCS#8 PEM public key, enter your plaintext (up to ~190 bytes for RSA-2048), and encrypt. The Base64 ciphertext can only be decrypted with the matching private key. Fully browser-based via WebCrypto — nothing is uploaded.

Note: RSA can only encrypt small amounts of data (up to ~200 bytes for RSA-2048). For large data, use AES and encrypt the AES key with RSA.

Never share your private key.

Key Pair

For large data encryption, use the AES Encrypt tool instead.
Loading rating…

How to use

  1. 1

    Generate or provide a key pair

    Click 'Generate Key Pair' to create a new RSA-2048 or RSA-4096 key pair, or paste an existing PKCS#8 / SPKI PEM public key into the Public Key field.

  2. 2

    Select Encrypt mode

    Ensure the 'Encrypt' tab is active.

  3. 3

    Choose the hash algorithm

    Select SHA-256 (default and recommended), SHA-384, or SHA-512. The recipient must use the same algorithm when decrypting.

  4. 4

    Enter plaintext

    Type the text to encrypt. RSA-2048 supports up to 190 bytes of plaintext. Use AES encryption for larger payloads.

  5. 5

    Click Encrypt

    The Base64-encoded ciphertext appears in the output panel.

  6. 6

    Save the private key securely

    Copy and securely store the private key — it is the only way to decrypt the ciphertext. Never share it or store it alongside the ciphertext.

Frequently asked questions

What is RSA encryption?
RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem first published in 1977. Encryption uses the public key; only the corresponding private key can decrypt. It is widely used for key exchange in TLS, digital signatures (JWT, SSH, code signing), and encrypting small payloads.
Is this tool safe? Are inputs sent to a server?
No data is uploaded. Key generation and encryption run entirely in your browser using the WebCrypto API. There are zero network requests.
What is the maximum data size I can encrypt with RSA?
RSA-OAEP with SHA-256 and RSA-2048 supports a maximum plaintext of 190 bytes. RSA-4096 supports up to 446 bytes. For larger data, use hybrid encryption: encrypt the payload with AES and use RSA to encrypt only the AES session key.
What is RSA-OAEP?
RSA-OAEP (Optimal Asymmetric Encryption Padding) is the secure padding scheme for RSA encryption, defined in PKCS#1 v2.2 and required by NIST SP 800-131A. It is far more secure than the obsolete PKCS#1 v1.5 padding. The WebCrypto API only supports OAEP.
What is the difference between RSA-2048 and RSA-4096?
RSA-4096 provides a 4096-bit key modulus vs 2048-bit, making factoring the key harder. RSA-2048 is considered secure through at least 2030. RSA-4096 is 4–8× slower for key generation and operations — it provides a higher security margin at a performance cost.
Can I use my own RSA key pair?
Yes. Paste any RSA public key in SPKI PEM format (begins with -----BEGIN PUBLIC KEY-----) into the Public Key field. The key must be an RSA key compatible with OAEP padding.
How do I decrypt the output?
Use the RSA Decrypt tool with the matching private key in PKCS#8 PEM format and the same hash algorithm selected during encryption.
Is the private key stored anywhere?
No. The private key is generated and lives only in browser memory for the session. It is never stored, logged, or transmitted. Copy and save it to a secure location yourself.
What is hybrid encryption and when should I use it?
Hybrid encryption combines RSA and AES: generate a random AES-256 key, encrypt your payload with AES-GCM, then encrypt the AES key with RSA. This allows you to securely transmit arbitrarily large data using RSA's public-key model without RSA's size limits.

Encrypt text using RSA-OAEP asymmetric encryption directly in your browser.

All key generation and encryption run locally via the WebCrypto API. No

data is transmitted.

**RSA (Rivest–Shamir–Adleman)** is a public-key cryptosystem. Anyone with

the public key can encrypt; only the holder of the corresponding private key

can decrypt. This makes RSA ideal for key exchange and secure message

delivery without a pre-shared secret.

**This tool supports:**

- **Key generation:** RSA-2048 or RSA-4096 key pairs in PKCS#8 / SPKI PEM

- **Hash algorithms:** SHA-256 (recommended), SHA-384, SHA-512

- **Scheme:** RSA-OAEP (Optimal Asymmetric Encryption Padding)

- **Output:** Base64-encoded ciphertext compatible with the RSA Decrypt tool

**Size limit:** RSA-OAEP with SHA-256 on a 2048-bit key supports a maximum

of 190 bytes of plaintext. RSA-4096 supports up to 446 bytes. For larger

data, use hybrid encryption: encrypt the payload with AES and use RSA to

encrypt only the AES key.

**Privacy:** Key generation and encryption run entirely in your browser.

Private keys are never transmitted or stored.

Related tools

RSA Decrypt

Decrypt RSA-OAEP ciphertext with your PEM private key in the browser. Supports RSA-2048 and RSA-4096. Private key never transmitted.

AES Encrypt

Encrypt text with AES-256-GCM, AES-CBC, AES-CTR, or AES-ECB in your browser. PBKDF2 key derivation, random IV, zero uploads.

SHA-256 Hash Generator

Generate SHA-256 hashes from text instantly. WebCrypto hardware-accelerated, real-time output. Used in Bitcoin, TLS, and digital signatures. Zero uploads.

Base64 Encoder

Encode text or binary files to Base64 or Base64URL. Supports MIME line wrapping, data URIs, and files up to 50 MB. Fully browser-based.

Password Generator

Generate cryptographically secure passwords with custom length (8–128), character sets, entropy display, and exclude-ambiguous option. Runs in your browser.

Learn more

API Authentication Methods Compared: OAuth, JWT, API Keys

Compare API authentication methods with real HTTP examples. OAuth 2.0, JWT, API keys, and session tokens explained. 78% of breaches involve weak auth.