ProtonBlog(new window)

How data recovery works with end-to-end encryption

Share this page

Proton’s mission is to build a better internet where privacy is the default. To do that, we’ve built all our services around end-to-end encryption. This type of encryption makes it impossible for anyone to access your information besides you and the people you share it with. Whether you’re using Proton Mail (our encrypted email service), Proton Drive (our encrypted file storage service), or any of our other services, your data is encrypted on your device before it reaches our servers, meaning not even we can access your data.

This is good for your privacy but can make data recovery difficult if you forget your password. Most other services can restore your data to your account because they can easily access it whenever they want. This isn’t an option at Proton. Any recovery system we use must maintain your privacy, which means we must develop recovery methods that are compatible with end-to-end encryption and prevent our servers from ever having access to your information. This is an additional difficulty that most other online services don’t need to worry about, but we view it as an integral part of building an internet where privacy is the default.

Making it possible to recover data if you forget your password is one of the toughest technical challenges presented by our use of end-to-end encryption, and we had to develop several innovative solutions. We rolled these technologies out some time ago, but many people have asked us how they work, so today we’re explaining how we enable data recovery with end-to-end encryption. 

Why is data recovery technically difficult?

To protect your privacy Proton uses multiple layers of encryption. Security at Proton starts with account authentication. We use a protocol known as Secure Remote Password (SRP), which mutually authenticates both the user and server without ever sending any password-equivalent data over the network. Authentication attempts cannot be replayed, and the protocol remains secure even if a third party is actively trying to tamper with it. Proton was one of the first organizations to adopt SRP(new window) at scale, and we’ve made a number of implementation improvements to make SRP even more secure.

This system prevents anyone, including Proton, from being able to decrypt or access your encryption keys (and consequently your data) without your password. However, using SRP means that password resets also reset your encryption keys. When you generate a new password, you generate new encryption keys that are encrypted using a secret derived from your new password. Since your original encryption key(s) are still encrypted using your original password, they can’t be decrypted without your old password. If your original encryption key(s) can’t be decrypted, they can’t be used, and all the data that was encrypted using those key(s) can’t be decrypted either.

To recover your data, we would need one of the following two things:

  • Your original password that was used to encrypt your original account key
  • A backup of your original account key

Since we cannot store your password without invalidating our privacy protections (and since it’s unlikely anyone will remember a password once they’ve forgotten it), another solution is required. 

Recovering end-to-end encrypted data after a password reset

Proton’s innovative data recovery system works around the problem we just described by enabling you to easily create two types of backups of your encryption keys:

  • Recovery phrase
  • Recovery file

We will explain each of the following methods in greater detail below.

These methods ensure that your encryption keys are protected so that only you can use them and that Proton servers never have access to them. This way, we don’t compromise the core end-to-end encryption promise behind our services, such as Proton Mail, Proton Drive, etc. 

Recovery phrase

When you create a Proton account, we automatically generate a recovery phrase that makes it possible to recover your encrypted data if you ever lose your password. Your recovery phrase is essentially a second password used to encrypt a copy of your encryption key. When you reset your account password using your recovery phrase, you don’t lose any data because you’re decrypting a backup copy of your encryption key.

Because recovery phrases act as a secondary password (and because it allows you to bypass 2FA to change your password and access your account), you must store your recovery phrase in a secure, secret location. 

Generation of the recovery phrase

Proton uses the following process when generating a new recovery phrase:

  • The Proton client on your device generates random bytes using a cryptographically secure pseudo-random number generator.
  • The Proton client uses the random bytes to encrypt the account keys.
  • The Proton client sends the encrypted account keys to the Proton server.
  • The Proton client uses a simplified Bip39 implementation(new window) to generate a recovery phrase made up of English words from the random bytes.

The recovery phrase is generated entirely by the Proton client on your device and is never stored on the server. To let the recovery phrase grant access to your account, we store a verifier of the recovery phrase on the server that allows us to validate it without knowing its content.

Data recovery using the recovery phrase

Once you’ve generated and stored your recovery phrase, you can recover all your data if you ever lose your password. Upon entering your recovery phrase, the following takes place: 

  • The Proton server validates the recovery phrase using an SRP 6a verifier. This doesn’t leak the recovery phrase to the server. If the verification is successful, the server returns the backup account key that was encrypted using the recovery phrase.
  • The Proton client on your device uses Bip39 to get the random bytes from the recovery phrase.
  • The Proton client decrypts the backup account key copy using the random bytes.
  • When you set a new password, the Proton client then re-encrypts the account key using your new account password and uploads it to the server.

Because we don’t generate any new encryption keys during this process, any data recovery methods implemented before the password reset remain usable. You can use this procedure with all Proton apps (for example, Proton Mail, Proton Drive, etc.) using the password reset/account recovery feature.

Recovery file

You can also have Proton generate a recovery file that you download. This recovery file is a local encrypted backup of your encryption key. It can be used to recover any data encrypted with your original encryption key. The best way to illustrate how the recovery file works is by comparing it to the account password.

The account password is the "client secret" used to encrypt your encryption key. The encryption key is then stored on the Proton server.

For the recovery file, this relationship is reversed.

The Proton server holds the secret used to encrypt your recovery file. The recovery file is then stored on your device and never seen by our servers.

The Proton server can’t obtain your encryption key without the recovery file. Furthermore, because the recovery file itself is encrypted, even if an attacker obtains your recovery file, they can’t use it to access your encryption keys. Finally, since the encrypted recovery file has no identifier, the attacker can’t automatically find which account it belongs to. 

Generation of the recover file

When Proton generates a recovery file, the following occurs:

  • The Proton client on your device generatesrandom bytes using a cryptographically secure pseudo-random number generator. These random bytes serve as the secret.
  • The Proton client signs the secret using your encryption key.
  • The Proton client uses the secret to encrypt a backup copy of your encryption key.
  • The secret with the signature is uploaded to the Proton server. The signature ensures that the client-generated secret isn’t tampered with and that the server never changes it.
  • The Proton client exports the encrypted backup copy of your encryption key as an ASC file. This is your recovery file.

Data recovery using the recovery file

If you plan on using this method, you should generate a recovery file as soon as possible to ensure you can recover all your data. The following occurs when you use a recovery file to recover your data:

  • You import your recovery file to the Proton client on your device.
  • The Proton client attempts to decrypt the file using the signed secret from Proton’s server. Once the file is decrypted, the Proton client will have access to a backup copy of your encryption key, which it can use to recover your data.

Making privacy easy to use

Our goal is to make Proton services as easy to use as the competing services from Big Tech. We believe that everybody has the right to privacy and that services that protect your privacy should be easy to use and full of helpful features. This has been Proton’s approach since the very beginning.

Our innovative recovery methods give you the same data recovery possibilities as Big Tech’s non-private services while still protecting your data with Proton’s end-to-end encryption that ensures nobody other than you can access it. As always, let us know if you have any thoughts or comments, as we’re here to serve you and build the services you want.

Protect your privacy with Proton
Create a free account

Share this page

Jack Crompton(new window)

Jack is a front-end engineer in Proton's Web Core team. He has a background in mathematics and is committed to making a private and free internet a reality. Before joining Proton, he worked with researchers at the University of Warwick to develop a language analysis tool.

Related articles

How to share a PDF
Sharing a PDF with coworkers, friends, or family members can sometimes be trickier than it seems if you’re trying to share a large file or if you want to use secure encryption. In this article, we show you how to share any PDF quickly, easily, and se
Proton Pass for Windows
Proton Pass is launching its new app for Windows, allowing you to access our password manager from your desktop. As one of our community’s most requested features, it’s available to everyone starting today. Proton Pass is the centerpiece of our effo
password policy
Businesses are increasingly dealing with the fallout from cybercrime: The number of attacks is on the rise and the damage done is growing exponentially. One of the most common vulnerabilities for organizations are their passwords. Since they are your
How to free up disk space
If you’ve ever owned an electronic device of any kind, you know the struggle of running out of space. No matter if it’s a smartphone, laptop, or desktop computer, there never seems to be enough room for all your files. Let’s show you some simple ways
What is 3-2-1 backup
Data backup is vital for businesses and individuals alike: In case something happens to your primary computer, you always have a copy of your data to fall back on.  How should you approach backup, though? The 3-2-1 rule can act as a guide when decid
What was your first pet’s name? In what city were you born?  We’ve all had to answer these questions to reset a long-forgotten password, but consider how that works. Much of this information is easy to find for others (or easily forgotten by you), m