To ensure the highest level of security and privacy for your data export, Auth0 uses PGP (Pretty Good Privacy) encryption. This guide walks you through the entire process, from generating your own secure keys to decrypting the data you receive from us.
This guide applies to password hash and MFA secret exports requested through Auth0 Support. Standard user exports through the Dashboard or Management API do not require PGP encryption.

What is PGP and why does Auth0 use it?

Think of PGP as a digital equivalent of a locked mailbox with two unique keys:
  1. Public Key: This is like the address and mail slot of your mailbox. You can share it freely with anyone who wants to send you a secure package. In this case, you will provide your public key to Auth0. We will use it to lock (encrypt) your data export so that only you can open it.
  2. Private Key: This is the only key that can unlock your mailbox. You must keep it secret and never share it with anyone, including Auth0 Support. You will use this key to unlock (decrypt) the data export we send you.
This system ensures that even if the encrypted file were intercepted, no one could access its contents without your secret private key.

Part 1: Generate your PGP key pair

To get started, you need to generate your own public and private key pair. This is a one-time setup that you will perform on your own computer. We recommend using GnuPG (or GPG), a free, open-source, and widely trusted tool for PGP encryption. Here are the recommended versions for your operating system:
  • Windows: Gpg4win (includes a helpful graphical user interface called Kleopatra)
  • macOS: GPG Suite (integrates with macOS and includes GPG Keychain for key management)
  • Linux: GnuPG is typically pre-installed. You can manage keys via the command line or with a graphical tool like Seahorse

Step-by-step generation guide

The exact steps may vary slightly depending on your chosen tool, but the general flow is the same.
  1. Install the software
     Download and install the recommended PGP software for your operating system. Follow the on-screen installation instructions.
  2. Launch key management
     Open the key management application:
       • Windows: Launch Kleopatra
       • macOS: Open GPG Keychain
       • Linux: Use terminal or Seahorse
     This is where you will create and manage your keys.
  3. Create a new key pair
     Find the option to create a New Key Pair or New Certificate.
  4. Enter your details
     You will be prompted to enter:
       • Your name
       • The email address you are using for this support request
     This information helps identify the key but does not affect the security of the encryption.
  5. Set a strong passphrase
     You will be asked to create a passphrase for your private key.
     This is a critical security step. Treat this like a master password. Use a long, complex, and unique passphrase that you will not forget. It is required every time you use your private key.
  6. Set key parameters
     In the Advanced Settings (if available), ensure the following are selected for maximum security:
       • Key Type: RSA
       • Key Length: 4096 bits
     The default settings are often sufficient, but verifying these parameters ensures compliance and strong encryption.
  7. Generate the keys
     Finalize the process. The software may ask you to move your mouse or type randomly to generate entropy for the key.
     Your public and private keys are now created and stored securely on your computer.
  8. Export your public key
     Find your new key in the list, right-click it, and select Export.
     This will save a file (e.g., mykey.asc or mykey.gpg).
     This is the public key file you will send to Auth0 Support. Do NOT select any option that mentions exporting a “secret” or “private” key.
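
A check you can run on the exported file before sending it, as an added example (not part of the original guide and not Auth0 tooling): it walks the OpenPGP packets in a binary or ASCII-armored export, flags any secret-key packet, and confirms the primary key is RSA with a 4096-bit modulus. The function names and the sample packet are constructed for illustration; pass the bytes of your real export file to inspect_export.

```python
import base64
def dearmor(data: bytes) -> bytes:
    """Return binary OpenPGP data, decoding ASCII armor (.asc) if present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [ln.strip() for ln in data.strip().splitlines()]
    start = lines.index(b"") + 1  # a blank line ends the armor headers
    keep = [ln for ln in lines[start:] if ln[:1] not in (b"=", b"-")]
    return base64.b64decode(b"".join(keep))

def packets(buf: bytes):
    """Yield (tag, body) for each packet; old- and new-format headers."""
    i = 0
    while i < len(buf):
        hdr, i = buf[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not OpenPGP data")
        if hdr & 0x40:  # new-format header
            tag, first, i = hdr & 0x3F, buf[i], i + 1
            if first < 192:
                size = first
            elif first < 224:
                size, i = ((first - 192) << 8) + buf[i] + 192, i + 1
            elif first == 255:
                size, i = int.from_bytes(buf[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header
            tag, width = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
            if not width:
                raise ValueError("indeterminate length not supported")
            size, i = int.from_bytes(buf[i:i + width], "big"), i + width
        yield tag, buf[i:i + size]
        i += size

def inspect_export(data: bytes) -> dict:
    """Check an exported key file before it is sent to Support."""
    secret, bits = False, None
    for tag, body in packets(dearmor(data)):
        secret = secret or tag in (5, 7)  # secret key / secret subkey
        if tag == 6 and body[0] == 4 and body[5] == 1:  # v4 RSA primary key
            bits = int.from_bytes(body[6:8], "big")  # bit count of modulus n
    return {"secret_material": secret, "rsa_bits": bits,
            "ok_to_send": not secret and bits == 4096}

def constructed_key(tag: int) -> bytes:
    """Constructed sample packet, not a real key: v4 RSA, 4096-bit modulus."""
    # version, creation time, algo=RSA, MPI n (4096 bits), MPI e (65537)
    body = b"\x04" + bytes(4) + b"\x01\x10\x00\x80" + bytes(511) + b"\x00\x11\x01\x00\x01"
    return bytes([0x80 | tag << 2 | 1]) + len(body).to_bytes(2, "big") + body
```

A result with secret_material set to True means the file must not be sent; export again and choose the public-key option.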

Part 2: Decrypt your data export

Once Auth0 Support has processed your request, we will send you a link to download a single encrypted file.

Step-by-step decryption guide

  1. Download the file
     Download the encrypted export file from the secure URL we provide.
     The file will have an extension like .pgp or .gpg and will be unreadable in its encrypted state.
  2. Decrypt the file
     On most systems with PGP software installed, you can simply right-click the file and select the Decrypt or Decrypt and Verify option.
     Alternatively, you can open your PGP application and drag the file into it.
  3. Enter your passphrase
     The software will prompt you for the passphrase you created for your private key.
     This is the passphrase you set during the key generation process.
  4. Save the decrypted file
     Upon entering the correct passphrase, the software will decrypt the contents and ask you where to save the final, readable file.
     The decrypted file will contain your exported data in a usable format.

Important security reminders

  • NEVER share your private key or your passphrase with anyone, including Auth0 Support staff. We will never ask for them.
  • Store a secure backup of your private key and its passphrase in a password manager or an offline device. If you lose your private key, you will permanently lose the ability to decrypt your data.
  • The public key is safe to share. It cannot be used to decrypt your data.
  • If you suspect your private key has been compromised, generate a new key pair immediately and notify Auth0 Support.

Additional resources

For information about password hash formats and bcrypt processing, see:

Learn more