Detailed flowchart of data encryption using AES-256-GCM, covering key derivation with PBKDF2, plaintext encoding, and ciphertext generation.
graph LR;
pwd[Password]
salt[Salt]
kdf((PBKDF2))
key[Key]
pt_str["Plaintext<br/>(string)"]
pt_bin["Plaintext<br/>(binary)"]
ct_str["Ciphertext<br/>(string)"]
ct_bin["Ciphertext<br/>(binary)"]
iv[Initialization Vector]
adata[Associated Data]
atag[Authentication Tag]
cipher((AES-256-GCM))
codec((Encoder/<br/>Decoder))
b64enc((Base64<br/>Encoder))
pwd---salt
pt_str---salt
linkStyle 0,1 stroke-width:0px
pwd-->kdf
pt_str-->codec
subgraph sub_1 ["EncryptionService.encrypt()"]
direction LR
codec-->pt_bin
pt_bin-->cipher
salt-->kdf
kdf-->key
key-->cipher
iv-->cipher
adata-->cipher
cipher-->ct_bin
ct_bin-->b64enc
cipher-->atag
end
b64enc-->ct_str
This diagram illustrates the complete data encryption process using AES-256-GCM. It details how a password and salt are used with PBKDF2 to derive an encryption key, how plaintext is encoded, and then encrypted with AES-256-GCM using an Initialization Vector (IV) and Associated Data (ADATA). The final ciphertext and authentication tag are then Base64 encoded.
Use this diagram when designing or documenting secure data storage or transmission systems that rely on symmetric encryption like AES-256-GCM, especially when key derivation from a password is involved.
This flow can be adapted by replacing AES-256-GCM with a different symmetric cipher, changing the Key Derivation Function (KDF), or modifying the encoding/decoding steps. Additional steps like data compression, integrity checks, or key management services can also be integrated.
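The flow in the diagram, written out as an added Node.js example; it is not the code behind `EncryptionService.encrypt()`. The function names, the 600,000-iteration PBKDF2-HMAC-SHA256 setting, the 16-byte salt, the 12-byte IV and the returned object layout are assumptions. It adds the matching decryption to show that the salt, IV, associated data and authentication tag must all be available to the receiver.

```javascript
// Added example: names, parameters and output layout are assumptions,
// not taken from the page's EncryptionService.
const crypto = require('node:crypto');

const ITERATIONS = 600000; // assumed PBKDF2-HMAC-SHA256 work factor
const KEY_LEN = 32;        // 256-bit key for AES-256-GCM

function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, KEY_LEN, 'sha256');
}

function encrypt(password, plaintext, associatedData) {
  const salt = crypto.randomBytes(16); // fresh salt per message
  const iv = crypto.randomBytes(12);   // 96-bit IV, never reused under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  cipher.setAAD(Buffer.from(associatedData, 'utf8'));
  const ctBin = Buffer.concat([cipher.update(Buffer.from(plaintext, 'utf8')), cipher.final()]);
  // Salt, IV and tag are not secret, but decryption needs all three.
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ctBin.toString('base64'),
  };
}

function decrypt(password, msg, associatedData) {
  const key = deriveKey(password, Buffer.from(msg.salt, 'base64'));
  const iv = Buffer.from(msg.iv, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(associatedData, 'utf8'));
  decipher.setAuthTag(Buffer.from(msg.tag, 'base64'));
  const ctBin = Buffer.from(msg.ciphertext, 'base64');
  // final() throws if the key, ciphertext, associated data or tag do not match.
  return Buffer.concat([decipher.update(ctBin), decipher.final()]).toString('utf8');
}

// Returns true when decryption is rejected (wrong password, altered AAD or ciphertext).
function rejects(password, msg, associatedData) {
  try { decrypt(password, msg, associatedData); return false; } catch (e) { return true; }
}
```

The associated data is authenticated but not encrypted, so the receiver has to supply the same value; a mismatch fails the tag check exactly like a modified ciphertext does.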