When we export the auth codes, the data is encrypted using a key derived from the user's password. This document describes the JSON structure used to organize exported data, including versioning and key derivation parameters.
{
"version": 1,
"kdfParams": {
"memLimit": 4096,
"opsLimit": 3,
"salt": "example_salt"
},
"encryptedData": "encrypted_data_here",
"encryptionNonce": "nonce_here"
}The main object used to represent the export data. It contains the following key-value pairs:
version: The version of the export format.kdfParams: Key derivation function parameters.encryptedData": The encrypted authentication data.encryptionNonce: The nonce used for encryption.
Export version is used to identify the format of the export data.
- KDF Algorithm:
ARGON2ID - Decrypted data format:
otpauth://totp/..., separated by a new line. - Encryption Algo:
XChaCha20-Poly1305
This section contains the parameters that were using during KDF operation:
memLimit: Memory limit for the algorithm.opsLimit: Operations limit for the algorithm.salt: The salt used in the derivation process.
As mentioned above, the auth data is encrypted using a key that's derived by using user provided password & kdf params.
For encryption, we are using XChaCha20-Poly1305 algorithm.
-
ente Authenticator app: You can directly import the codes in the ente Authenticator app.
Settings -> Data -> Import Codes -> ente Encrypted export.
-
Decryption Tool : You can download the prebuilt decryption tool (or build it from source) and run the following command.
./decrypt <export_file> <password> <output_file>