7

From: https://github.com/scastiel/protonmail-export

1) Open the ProtonMail app and log out completely. You should now see the login screen.

2) Open the dev tools of your browser, and the Network tab to see all network calls.

3) Enter your username and password and click Login button. You won't need to go further.

4) In the network calls, find the one to “/api/auth”. There may be several ones, be sure to pick the one with “POST” request method, not the “DELETE” one (which doesn't contain any info anyway).

5) In this network call, open the Response tab to see raw data returned from the server, find the line beginning with "PrivateKey":, and copy the rest of the line, from "-----BEGIN PGP PRIVATE KEY to the last ", without the trailing comma.

6) Open the Console tab of the dev tools, type console.log(<PASTE THE COPIED CONTENT HERE>) then press enter.

7) Copy the result of the command, and put it into a text file, that's it you have your private key!

But I am stuck at "6)". The

console.log("-----BEGIN PGP PRIVATE KEY B........----")

part doesn't output anything (the "...." part is of course censored).

So now.. I can format by hand the private key to look like a private key, I can even import it with "seahorse"! I thought I won the game, but... when I try to:

gpg --encrypt --sign --armor -r foobar@protonmail.ch message.txt

It asks for a GPG key password. I use a password manager, so I copy/paste the MAILBOX password that I use, but here is the catch: it doesn't accept it!

Question: What am I missing?

I also asked scastiel via mail, posting the answer here if he replies, but maybe someone else knows the solution too.

In step "5)" I can see that there is a line named "KeySalt".. maybe Protonmail introduced salt after the howto from scastiel?

Protonmail support won't help on exporting the private keys.

UPDATE: I wrote "MAILBOX" password, that means I still use Protonmail with two passwords: one for login, and one mailbox pw for the "decryption".

PeterHarant

5 Answers

4

The password for your private key is now the hashed value of your Mailbox Password (if you are using 2 passwords) or of your Login Password (if only using one password). You must now also get the KeySalt value and use bcrypt to get the hash value.

I followed the steps listed here to download my private key password using Firefox: https://github.com/scastiel/protonmail-export/issues/6

  1. Login to ProtonMail
  2. Get the salt value from the same cookie response as the GPG private key:
  3. Switch to the console tab in the developer options
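  4. Run the following, but replace < LOGIN PASSWORD OR MAILBOX PASSWORD > and < KEYSALT FROM STEP 2 > with their corresponding values:

         // The password that protects the key, and the base64 KeySalt from step 2
         password = "<LOGIN PASSWORD OR MAILBOX PASSWORD>";
         salt = "<KEYSALT FROM STEP 2>";
         // Decode the salt to bytes, then re-encode the 16 bytes in bcrypt's own base64 alphabet
         saltBinary = pmcrypto.binaryStringToArray(pmcrypto.decode_base64(salt));
         keySalt = dcodeIO.bcrypt.encodeBase64(saltBinary, 16);
         // bcrypt with the $2y$ prefix and cost 10
         bcryptKey = dcodeIO.bcrypt.hashSync(password, '$2y$10$' + keySalt);
         // Drop the 29-character "$2y$10$<salt>" prefix; the rest is the key password
         key = bcryptKey.slice(29);
         console.log(key);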
  5. The console output is the password for your private key
Mike2208
1

I wrote this tutorial about how to export your private key. At the time it was written ProtonMail didn't have the functionality of "single password" authentication. You had to use a first password to unlock your account (your ProtonMail password), then your private key password to unlock your key.

I'm guessing exporting the private key does not work anymore if you activated single password authentication (which might be the default for new accounts). This key is calculated from the ProtonMail password I guess, I don't know how to find it, but there must be a way…

1

If you're using two password mode, this should still work.

If you're using single password mode, the private key password is not your login password. If you want, you can see how it is generated here: https://github.com/ProtonMail/WebClient/blob/public/src/app/authentication/services/passwords.js#L29

Basically the login password and the salt returned by the server are hashed using bcrypt. The result is the private key password.

EDIT: even if you're using two password mode, your mailbox password is hashed with bcrypt, just like the single password mode.

emersion
  • I don't know what is the benefit (if using one password) for keeping the second. And about the "should still work" - I tried it again with no luck, it still says bad pw for my private key, but Thanks! I didn't know about how they managed to do 1 pw – PeterHarant Feb 12 '17 at 15:04
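The derivation the two answers above describe, as an added example that is not code from this thread or from ProtonMail's client: it shows how the base64 KeySalt becomes the 22-character bcrypt salt and why the passphrase is the hash minus its first 29 characters. The function names are hypothetical, and `hashSync` is an assumption: pass in a bcrypt implementation with the `hashSync(password, salt)` shape used in the console snippet above.

```javascript
// Added example: helper names are hypothetical, not ProtonMail's or bcrypt.js's.
const BCRYPT_ALPHABET =
  "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// Encode raw bytes with bcrypt's base64 variant: same 6-bit grouping as
// RFC 4648 base64, but a different alphabet and no "=" padding.
function bcryptBase64(bytes) {
  let out = "";
  for (let i = 0; i < bytes.length; i += 3) {
    const has1 = i + 1 < bytes.length;
    const has2 = i + 2 < bytes.length;
    const b0 = bytes[i];
    const b1 = has1 ? bytes[i + 1] : 0;
    const b2 = has2 ? bytes[i + 2] : 0;
    out += BCRYPT_ALPHABET[b0 >> 2];
    out += BCRYPT_ALPHABET[((b0 & 0x03) << 4) | (b1 >> 4)];
    if (has1) out += BCRYPT_ALPHABET[((b1 & 0x0f) << 2) | (b2 >> 6)];
    if (has2) out += BCRYPT_ALPHABET[b2 & 0x3f];
  }
  return out;
}

// Turn the server's KeySalt (standard base64 of 16 bytes) into the
// "$2y$10$<22 chars>" setting string that bcrypt takes as its salt argument.
function bcryptSetting(keySaltB64) {
  const raw = Buffer.from(keySaltB64, "base64");
  if (raw.length !== 16) {
    throw new Error(`KeySalt must decode to 16 bytes, got ${raw.length}`);
  }
  return "$2y$10$" + bcryptBase64(raw);
}

// hashSync is injected by the caller (assumption: same call shape as the
// dcodeIO.bcrypt.hashSync used in the answer above).
function keyPassphrase(password, keySaltB64, hashSync) {
  const setting = bcryptSetting(keySaltB64); // 7 + 22 = 29 characters
  const hash = hashSync(password, setting);
  if (hash.length !== 60 || !hash.startsWith(setting)) {
    throw new Error("unexpected bcrypt output: wrong salt or library");
  }
  return hash.slice(29); // remaining 31 characters are the key passphrase
}
```

If gpg still rejects the result, the length and prefix checks here help separate a bad KeySalt copy from a wrong password.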
0

ProtonMail does not provide (yet) a way to export your e-mails, like an IMAP access or any export option. That would be very nice, for several usages:

  • back up your e-mails, in case of a massive nuclear explosion near ProtonMail's servers;
  • move your e-mails to another mail provider if you're not satisfied with ProtonMail;
  • etc.

Additionally, I strongly believe that every service on the Internet, no matter how great it is, and especially if you pay for it, should be easy to leave for another.

It's still possible, but you'll be forced to use undocumented ProtonMail API, proceeding by retro-engineering. This small program will make the process much easier for you, although not fully automated.

Of course, I hope that very soon this program won't be necessary anymore because ProtonMail will provide such an option :)

Features

Implemented:

  • Export your e-mails (decrypted) to local EML files you can then import in another mail client.
  • Fetches your e-mails from Inbox, Sent and Archives folder.

Not implemented yet:

  • Export attached files.

Installation

You'll need to have Node.js installed on your system, with its package manager npm.

To install the program run the following command:

npm install -g protonmail-export

How to download your ProtonMail private key?

ProtonMail stores an encrypted version of your private key on its servers. From the settings pane of your account you can download your public key; unfortunately you cannot download your private key. The good news: you can very easily find it using the development tools of your browser. Here's how:

  1. Open the ProtonMail app and log out completely. You should now see the login screen.

  2. Open the dev tools of your browser, and the Network tab to see all network calls.

  3. Enter your username and password and click Login button. You won't need to go further.

  4. In the network calls, find the one to “/api/auth”. There may be several ones, be sure to pick the one with “POST” request method, not the “DELETE” one (which doesn't contain any info anyway).

  5. In this network call, open the Response tab to see raw data returned from the server, find the line beginning with "PrivateKey":, and copy the rest of the line, from "-----BEGIN PGP PRIVATE KEY to the last ", without the trailing comma.

  6. Open the Console tab of the dev tools, type console.log(<PASTE THE COPIED CONTENT HERE>) then press enter.

  7. Copy the result of the command, and put it into a text file, that's it you have your private key!

Note that the private key is encrypted with your ProtonMail's account's secret passphrase (the one you enter after login, the second password). So the private key you have now is not sufficient to decrypt your mail if someone steals it; however try to keep it somewhere secure ;)

How to export your e-mails?

First you'll need several elements:

  • Your ProtonMail's account private key (see the appendix below), let's put it in a file named private-key.txt for instance.

  • The passphrase used to encrypt this private key (i.e. the second password you enter while signing in).

  • Some technical information about a session opened on ProtonMail.

Let's get the information mentioned in the last point.

Note: these instructions are for Chrome/Chromium browser, but this shouldn't be very different for other browsers.

  1. First open a new session with your ProtonMail's account, and make sure your browser development tools are open. If they weren't open on page load, just open them and reload the page.

  2. In the Network tab of the development tools, locate the call to /api/users URL, and more specifically the Request Headers section to this call.

  3. Copy-paste somewhere the value of these two headers: Cookie (begins with “AUTH-”) and x-pm-session (32 alphanumeric characters).

Once you have all these elements, you can finally export your mails by running the command:

protonmail-export -i "<session_id>" -c "<cookie>" -p <path_to_private_key_file> <output_directory>

For instance this might look like this: (note that the output directory must already exist)

protonmail-export -i "95bc88ea1e94e25357e12a433e9b5ee5" -c "AUTH-95bc88(...); NOTICE-ae3cce(...)=true" -p ~/private-key.txt ~/protonmail-messages

You'll be asked for your passphrase to decrypt your private key. Then you'll get in the output directory one file for each of your emails. It's possible with most mail clients to read and import these files to an existing mailbox.

kaplangoz
0

I wrote a little script that extracts the private key passphrase based on the MailBoxPassword and the KeySalt.

You just need to edit the index.js file

Kantium