Proton’s mission is to build a better internet where privacy is the default. To do that, we’ve built all our services around end-to-end encryption. This type of encryption makes it impossible for anyone to access your information besides you and the people you share it with. Whether you’re using Proton Mail (our encrypted email service), Proton Drive (our encrypted file storage service), or any of our other services, your data is encrypted on your device before it reaches our servers, meaning not even we can access your data.
This is good for your privacy but can make data recovery difficult if you forget your password. Most other services can restore your data to your account because they can easily access it whenever they want. This isn’t an option at Proton. Any recovery system we use must maintain your privacy, which means we must develop recovery methods that are compatible with end-to-end encryption and prevent our servers from ever having access to your information. This is an additional difficulty that most other online services don’t need to worry about, but we view it as an integral part of building an internet where privacy is the default.
Making it possible to recover data if you forget your password is one of the toughest technical challenges presented by our use of end-to-end encryption, and we had to develop several innovative solutions. We rolled these technologies out some time ago, but many people have asked us how they work, so today we’re explaining how we enable data recovery with end-to-end encryption.
Why is data recovery technically difficult?
To protect your privacy Proton uses multiple layers of encryption. Security at Proton starts with account authentication. We use a protocol known as Secure Remote Password (SRP), which mutually authenticates both the user and server without ever sending any password-equivalent data over the network. Authentication attempts cannot be replayed, and the protocol remains secure even if a third party is actively trying to tamper with it. Proton was one of the first organizations to adopt SRP at scale, and we’ve made a number of implementation improvements to make SRP even more secure.
This system prevents anyone, including Proton, from being able to decrypt or access your encryption keys (and consequently your data) without your password. However, using SRP means that password resets also reset your encryption keys. When you generate a new password, you generate new encryption keys that are encrypted using a secret derived from your new password. Since your original encryption key(s) are still encrypted using your original password, they can’t be decrypted without your old password. If your original encryption key(s) can’t be decrypted, they can’t be used, and all the data that was encrypted using those key(s) can’t be decrypted either.
To recover your data, we would need one of the following two things:
- Your original password that was used to encrypt your original contact encryption key
- A backup of your original contact encryption key
Since we cannot store your password without invalidating our privacy protections (and since it’s unlikely anyone will remember a password once they’ve forgotten it), another solution is required.
Recovering end-to-end encrypted data after a password reset
Proton’s innovative data recovery system works around the problem we just described by enabling you to easily create two types of backups of your encryption keys:
- Recovery phrase
- Recovery file
We will explain each of the following methods in greater detail below.
These methods ensure that your encryption keys are protected so that only you can use them and that Proton servers never have access to them. This way, we don’t compromise the core end-to-end encryption promise behind our services, such as Proton Mail, Proton Drive, etc.
When you create a Proton account, we automatically generate a recovery phrase that makes it possible to recover your encrypted data if you ever lose your password. Your recovery phrase is essentially a second password used to encrypt a copy of your encryption key. When you reset your account password using your recovery phrase, you don’t lose any data because you’re decrypting a backup copy of your encryption key.
Because recovery phrases act as a secondary password (and because it allows you to bypass 2FA to change your password and access your account), you must store your recovery phrase in a secure, secret location.
Generation of the recovery phrase
Proton uses the following process when generating a new recovery phrase:
- The Proton client on your device generates random bytes using a cryptographically secure pseudo-random number generator.
- The Proton client uses the random bytes to encrypt the contact encryption keys.
- The Proton client sends the encrypted contact encryption keys to the Proton server.
- The Proton client uses a simplified Bip39 implementation(new window) to generate a recovery phrase made up of English words from the random bytes.
The recovery phrase is generated entirely by the Proton client on your device and is never stored on the server. To let the recovery phrase grant access to your account, we store a verifier of the recovery phrase on the server that allows us to validate it without knowing its content.
Data recovery using the recovery phrase
Once you’ve generated and stored your recovery phrase, you can recover all your data if you ever lose your password. Upon entering your recovery phrase, the following takes place:
- The Proton server validates the recovery phrase using an SRP 6a verifier. This doesn’t leak the recovery phrase to the server. If the verification is successful, the server returns the backup contact encryption key that was encrypted using the recovery phrase.
- The Proton client on your device uses Bip39 to get the random bytes from the recovery phrase.
- The Proton client decrypts the backup encryption key copy using the random bytes.
- When you set a new password, the Proton client then re-encrypts the encryption key using your new account password and uploads it to the server.
Because we don’t generate any new encryption keys during this process, any data recovery methods implemented before the password reset remain usable. You can use this procedure with all Proton apps (for example, Proton Mail, Proton Drive, etc.) using the password reset/account recovery feature.
You can also have Proton generate a recovery file that you download. This recovery file is a local encrypted backup of your encryption key. It can be used to recover any data encrypted with your original encryption key. The best way to illustrate how the recovery file works is by comparing it to the account password.
The account password is the "client secret" used to encrypt your encryption key. The encryption key is then stored on the Proton server.
For the recovery file, this relationship is reversed.
The Proton server holds the secret used to encrypt your recovery file. The recovery file is then stored on your device and never seen by our servers.
The Proton server can’t obtain your encryption key without the recovery file. Furthermore, because the recovery file itself is encrypted, even if an attacker obtains your recovery file, they can’t use it to access your encryption keys. Finally, since the encrypted recovery file has no identifier, the attacker can’t automatically find which account it belongs to.
Generation of the recover file
When Proton generates a recovery file, the following occurs:
- The Proton client on your device generatesrandom bytes using a cryptographically secure pseudo-random number generator. These random bytes serve as the secret.
- The Proton client signs the secret using your encryption key.
- The Proton client uses the secret to encrypt a backup copy of your encryption key.
- The secret with the signature is uploaded to the Proton server. The signature ensures that the client-generated secret isn’t tampered with and that the server never changes it.
- The Proton client exports the encrypted backup copy of your encryption key as an ASC file. This is your recovery file.
Data recovery using the recovery file
If you plan on using this method, you should generate a recovery file as soon as possible to ensure you can recover all your data. The following occurs when you use a recovery file to recover your data:
- You import your recovery file to the Proton client on your device.
- The Proton client attempts to decrypt the file using the signed secret from Proton’s server. Once the file is decrypted, the Proton client will have access to a backup copy of your encryption key, which it can use to recover your data.
Making privacy easy to use
Our goal is to make Proton services as easy to use as the competing services from Big Tech. We believe that everybody has the right to privacy and that services that protect your privacy should be easy to use and full of helpful features. This has been Proton’s approach since the very beginning.
Our innovative recovery methods give you the same data recovery possibilities as Big Tech’s non-private services while still protecting your data with Proton’s end-to-end encryption that ensures nobody other than you can access it. As always, let us know if you have any thoughts or comments, as we’re here to serve you and build the services you want.