How is the private key stored?

Your ProtonMail private key is generated in your browser. Before sending the private key to the server for storage, we encrypt it with your password (or mailbox password if you use two-password mode). This ensures that you and only you can use your private key.

To protect your private key we first use bcrypt to create a hash of your password, using a randomly generated salt that differs for each user. The result is then used to encrypt your private key with AES-256. By hashing it with bcrypt first, we make it much slower for anyone who tries to guess your password to decrypt your private key. We use a different salt for each user, which means that an attacker trying to obtain passwords by brute force will only be able to target one user at a time, further slowing them down.

In general, the best way to protect your private key from being leaked is to choose a strong password.
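The password-hash-then-AES-256 wrapping described above, as an added example that is not ProtonMail's own code. It assumes Node.js's built-in scrypt in place of bcrypt (Node ships no bcrypt) and AES-256-GCM as the cipher mode, which the article does not specify; the function names and the sample key are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: scrypt stands in for bcrypt. Both are deliberately slow,
// salted password hashes, which is the property the article relies on.
const KDF_PARAMS = { N: 2 ** 14, r: 8, p: 1 };

function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, KDF_PARAMS); // 32 bytes = AES-256 key
}

// Runs client-side: only the returned record would be sent for storage.
function wrapPrivateKey(privateKey, password) {
  const salt = crypto.randomBytes(16); // random, different for each user
  const iv = crypto.randomBytes(12);   // fresh for each encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

function unwrapPrivateKey(record, password) {
  const key = deriveKey(password, record.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAuthTag(record.tag);
  // final() throws when the password (and so the key) is wrong or the data was altered.
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
}

// Constructed sample data, not a real key.
const SAMPLE_KEY = Buffer.from('-----BEGIN PGP PRIVATE KEY BLOCK----- (constructed sample)');
const PASSWORD = 'correct horse battery staple';

function demo() {
  const userA = wrapPrivateKey(SAMPLE_KEY, PASSWORD);
  const userB = wrapPrivateKey(SAMPLE_KEY, PASSWORD);
  let wrongPasswordRejected = false;
  try { unwrapPrivateKey(userA, 'guess-123'); } catch { wrongPasswordRejected = true; }
  return {
    roundTrip: unwrapPrivateKey(userA, PASSWORD).equals(SAMPLE_KEY),
    wrongPasswordRejected,
    // Same password, different salts: the derived keys differ, so each slow
    // guess has to be recomputed separately for every user.
    keysDiffer: !deriveKey(PASSWORD, userA.salt).equals(deriveKey(PASSWORD, userB.salt)),
    ciphertextsDiffer: !userA.ciphertext.equals(userB.ciphertext),
  };
}

console.log(demo());
```

Each password guess costs one full run of the slow hash, and the per-user salt means that work cannot be shared across stored records.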


23 comments

  1. Sandeep

    In theory someone else who breaks into my laptop and uses the browser could access this private key. Where is this private key stored in the browser’s local files, and is it recommended to delete this key manually after a ProtonMail web mail session?

  2. ProtonMail Support

    Logging out will delete it.

  3. ewhylie

    If logging-out deletes a private key, why is this factoid not included in the ‘LOG OUT’ button?? E.g.:
    “LOG OUT (Deletes session’s priv key for your safety)”?
    My guess is that less than 1% of users might understand that this is done…

  4. ProtonMail Support

    Closing your browser without logging out will also delete your key.

  5. Pedro

    What if I just “X” out of the window without using the Logoff method, will the key still be deleted?

  6. ProtonMail Support

    Yes, closing the window using “X” will also delete the key.

  7. Lori Pelletier

    I have a recovery code to reset my password and it is not working.

  8. ProtonMail Support

    Please contact our support team at contact@protonmail.com or using the support form at https://protonmail.com/support-form.

  9. Marvin Switzer

    I had a phone crash and cannot access my account. I had two factor authentication installed and can’t seem to use the authentication programs to receive an authentication code. My alternative email is (hidden).

  10. ProtonMail Support

    Please contact our support team at contact@protonmail.com or using the support form at https://protonmail.com/support-form.

  11. Anonymous

    Are my password and encrypted private key stored on ProtonMail servers?
    If so, is my password encrypted as well?
    Would it be possible for a hacker to get my password so he/she could access my private key?

  12. Rick

    Had to reinstall win7, now I cannot log in.

  13. ProtonMail Support

    Please contact our support team at contact@protonmail.ch, via the report bug button or using the support form at https://protonmail.com/support-form.

  14. scpskr

    Can a private key be downloaded for addition to another key chain?

  15. ProtonMail Support

    No, for now only public keys can be downloaded.

  16. Denis English

    Does my recipient need either key to open emails I send them from proton mail? Someday I am going to understand all this.

  17. ProtonMail Support

    If sending to another ProtonMail user, the message is automatically encrypted with the recipient’s key and there is no need for any further action.
    If sending to a non-ProtonMail user, you can either send an unencrypted message (not end-to-end encrypted, but encrypted with TLS) or you can use the “Encrypt for outside” option: https://protonmail.com/support/knowledge-base/encrypt-for-outside-users/.

  18. meliflous

    What prevents private key being stored by the key creator elsewhere? Can I regenerate the key or upload my own where only I know the password (aside from NSA’s RSA backdoor)?

  19. ProtonMail Support

    The ability to upload your own private keys will be available once full PGP support is added to ProtonMail.

  20. Timoteo

    My mailbox password is rendered invalid (error message drop-down box) each time it gets used. This happened to the real recipient and to my other address within another email provider. The password works once, then it’s deleted(?), even when proton mail has not been shut down/interrupted.

  21. ProtonMail Support

    Can you please contact our support team using the support form: https://protonmail.com/support-form, at contact@protonmail.ch or support@protonmail.ch with more details?

  22. Anonymous

    How was the proper UID added to my pub key(s) I recently downloaded? If I remember correctly, at the beginning of ProtonMail when the service came alive, the one pub key had only a UID like user@protonmail.ch, now I have two pub keys with my surname.name@protonmail.ch or surname.name@protonmail.com

  23. ProtonMail Support

    The public keys are meant for sharing, and this is why the email address is included in the filename. You can always rename the file after you download it.
