Authenticated encryption modes like AES-GCM require a unique nonce for each encryption under the same key. The AEAD interface in RFC 5116 is explicit: nonces must be distinct for each invocation, unless you are using a very specific zero-length nonce approach. In practical product design, that means treating nonce generation as a first-class system and never reusing a nonce across messages encrypted under the same key.
NIST is currently revising SP 800-38D (the GCM recommendation). The announced changes include removing support for authentication tags shorter than 96 bits. That’s a signal that short tags are no longer considered acceptable for modern usage. For product defaults, stick to 128-bit tags unless you have a strong, well-reviewed reason to do otherwise.
In privacy tools, local encryption brings a second benefit: it reduces your operational exposure. When encryption happens on device, servers never see plaintext. But that only helps if your crypto usage is disciplined. A minimal checklist we use internally:
- Unique nonce per message and per key.
- At least 96-bit tags, with 128-bit as a default.
- Key rotation strategy for long-lived devices.
- Explicit failure handling for authentication errors.
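As an added example (not code from the original article), here is a Go implementation of the checklist above using only the standard library's crypto/cipher GCM: a per-key counter-based 96-bit nonce that cannot repeat, a 128-bit tag, a message budget that forces key rotation, and an Open that surfaces authentication failures as an explicit error rather than returning partial plaintext. The Sealer type, its nonce layout (32-bit random prefix plus 64-bit counter) and the message limit are assumptions of this example, not anything the article prescribes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	nonceSize = 12 // 96-bit nonce, the GCM length that needs no extra GHASH processing
	tagSize   = 16 // 128-bit tag; Go refuses anything below 12 bytes (96 bits)
)

var (
	ErrKeyExhausted = errors.New("gcm: message budget for this key exhausted; rotate the key")
	ErrAuthFailed   = errors.New("gcm: authentication failed; message rejected")
	ErrTooShort     = errors.New("gcm: ciphertext shorter than nonce+tag")
)

// Sealer binds one AES key to a counter-based nonce schedule (assumed design).
type Sealer struct {
	aead    cipher.AEAD
	prefix  uint32 // random per-key prefix, chosen when the key is installed
	counter uint64 // strictly increasing per message; must be persisted across restarts in a real device
	limit   uint64 // messages allowed under this key before rotation is forced
}

// NewSealer installs key (16, 24 or 32 bytes) with a fresh nonce schedule.
func NewSealer(key []byte, limit uint64) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCMWithTagSize(block, tagSize)
	if err != nil {
		return nil, err
	}
	var p [4]byte
	if _, err := rand.Read(p[:]); err != nil {
		return nil, err
	}
	return &Sealer{aead: aead, prefix: binary.BigEndian.Uint32(p[:]), limit: limit}, nil
}

// nextNonce hands out a nonce that is never repeated under this key, or refuses.
func (s *Sealer) nextNonce() ([]byte, error) {
	if s.counter >= s.limit {
		return nil, ErrKeyExhausted
	}
	n := make([]byte, nonceSize)
	binary.BigEndian.PutUint32(n[:4], s.prefix)
	binary.BigEndian.PutUint64(n[4:], s.counter)
	s.counter++
	return n, nil
}

// Seal returns nonce || ciphertext || tag so the receiver can recover the nonce.
func (s *Sealer) Seal(plaintext, aad []byte) ([]byte, error) {
	nonce, err := s.nextNonce()
	if err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the tag first; any failure is an explicit error, never silent.
func (s *Sealer) Open(msg, aad []byte) ([]byte, error) {
	if len(msg) < nonceSize+tagSize {
		return nil, ErrTooShort
	}
	pt, err := s.aead.Open(nil, msg[:nonceSize], msg[nonceSize:], aad)
	if err != nil {
		return nil, ErrAuthFailed
	}
	return pt, nil
}

// Rotate installs a new key and restarts the nonce schedule from zero.
func (s *Sealer) Rotate(newKey []byte) error {
	fresh, err := NewSealer(newKey, s.limit)
	if err != nil {
		return err
	}
	*s = *fresh
	return nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed key for the demo
	s, _ := NewSealer(key, 1<<20)
	ct, _ := s.Seal([]byte("device telemetry"), []byte("v1"))
	pt, err := s.Open(ct, []byte("v1"))
	fmt.Printf("%q %v\n", pt, err)
	ct[len(ct)-1] ^= 0x01 // flip a tag bit: Open must fail
	_, err = s.Open(ct, []byte("v1"))
	fmt.Println(err)
}
```

Two design points worth noting. The random prefix only reduces the damage if counter state is lost on a restart; a device that cannot persist the counter should derive a fresh key instead of trusting a 32-bit prefix to avoid collisions. And the tag check happens before any plaintext is returned, so callers get either the full verified message or an error, which is the "explicit failure handling" item on the checklist.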
When these guardrails are in place, AES-GCM is a strong fit for end-to-end encryption in lightweight tools. The work is less about the algorithm and more about operational discipline.