Skip to main content
When you request an export of password hashes or MFA secrets from your Auth0 tenant, the data is encrypted end-to-end with Pretty Good Privacy (PGP) before it leaves Auth0 systems. Only you, as the holder of the matching private key, can decrypt the exported data. This page covers the full process, from submitting your request to decrypting the export file.

Prerequisites

Before you submit a request, generate a PGP key pair that meets the following requirements:

Generate your PGP key pair

This section uses GnuPG (gpg), the standard command-line tool for OpenPGP. For other tools or advanced options, see the GnuPG manual.

Install GnuPG

Requires Homebrew. For other installation options, read the GnuPG download page.

Generate the key

Run the key generation command:
When prompted, provide the following values:
Recent versions of GnuPG default to ECC at the first prompt. You must explicitly select 1 (RSA and RSA). ECC and EDDSA keys are not supported by Auth0’s export validation.

Export your public key

After the key is generated, find its key ID and export the public key. Always reference the key by its key ID (not by email). gpg returns the first key matching the identifier you pass, so an email lookup can grab the wrong key if you generated more than one with the same address. List your keys:
The output includes a pub line followed by the 16-character key ID:
Export the public key by key ID in ASCII-armored format:
Replace YOUR_KEY_ID with the alphanumeric string shown under your pub line (for example, ABC123451E45G39A). The output file contains the full key block, including the armor headers:
Do not export or share your private key. Auth0 only needs your public key to encrypt the file.

Request process

1

Submit a support request

Open a support case requesting a password hash or MFA secrets export. Include the following in your request:
  • The specific tenant name.
  • Your PGP public key (the full ASCII-armored block from the previous section).
2

Wait for eligibility review

Auth0 reviews your request to determine eligibility. Not all requests qualify for an export.Auth0 does not provide ETAs for eligible exports because fulfillment depends on resource and access availability. If you have a required date, note it in your request.
3

Provide the required documentation

If your request is approved, Auth0 sends a requirements message asking for the following:
  1. Your authorization: a written acknowledgment that you approve the export from the tenant(s) in your request.
  2. An additional tenant admin confirmation: at least one other tenant administrator will be CC’d on the support case and must confirm the request. If you are the sole tenant administrator of a tenant, this step will be skipped.
  3. A signed acknowledgment form: the Hashed Password and MFA Secret Export Acknowledgment form must be signed by a CISO, CSO, or executive-level representative (VP or above) in your organization. Typed names are not accepted; a physical or digital signature is required. Upload the completed form to the support case.
If any of the above is missing or incomplete, your request may not be processed.
4

Wait for export preparation

After Auth0 receives all required documentation, we encrypt and export your tenant data with the PGP public key you provided.
5

Receive your secure download link

You receive an email containing a secure download link. The link:
  • Requires authentication as the user account that opened the support case. Other tenant administrators cannot download the file from this link.
  • Requires that user to still hold the tenant administrator role at the time of download. If they lose the role, the download is blocked and a new request must be submitted.
  • Expires after 3 days. Download the file before it expires. After expiration, you must submit a new request.
6

Download and decrypt

Download the encrypted file (.pgp or .gpg extension) and decrypt it with your PGP private key and the passphrase you set when generating the key:
Replace DECRYPTED_EXPORT_FILE with your desired output filename and ENCRYPTED_EXPORT_FILE.pgp with the name of the downloaded file.

Security reminders

  • Never share your private key or passphrase with anyone, including Auth0 or Okta support staff. Auth0 never asks for them.
  • Back up your private key and passphrase securely on an offline device. If lost, you cannot decrypt your export and must submit a new request.
  • Do not share the download link. Although the download requires the case creator to authenticate with an active tenant administrator role, treat the link as confidential.

Learn more