When you request an export of password hashes or MFA secrets from your Auth0 tenant, the data is encrypted end-to-end with PGP (Pretty Good Privacy) before it leaves Auth0 systems. Only you, as the holder of the matching private key, can decrypt the exported data. This page covers the full process, from submitting your request to decrypting the export file.

Prerequisites

Before you submit a request, generate a PGP key pair that meets the following requirements:
Requirement | Value
Key length | 4096 bits or greater
Passphrase | Strong and unique; a randomly generated passphrase is strongly recommended
Expiration | Set an expiration date at least 7 days after the date of generation. To reuse the same key for repeat export requests, adjust the expiration accordingly.
To generate your key pair, follow the official GnuPG manual. After you generate the key pair, export your public key (.asc or .gpg file). You need the full key block, including the armor headers:
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----
Do not export or share your private key. Auth0 only needs your public key to encrypt the file.
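
The following pre-submission check for the public key file is an added example, not part of the original page or of Auth0's tooling. It applies the key length and expiration requirements above to GnuPG's colon-delimited key listing and confirms the file is an armored public key block, not a private one. The function names are hypothetical, and the script assumes GnuPG 2.x, which prints dates as epoch seconds.

```bash
#!/usr/bin/env bash
# Added example: pre-submission checks for the public key file.
# Thresholds come from the requirements above; function names are hypothetical.

# check_armor FILE: the file must hold a complete armored public key block
# and must not contain a private key block.
check_armor() {
  if grep -q -- '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$1"; then
    echo "FAIL: file contains a private key block"; return 1
  fi
  grep -q -- '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1" &&
    grep -q -- '^-----END PGP PUBLIC KEY BLOCK-----' "$1" ||
    { echo "FAIL: armor header or footer missing"; return 1; }
}

# check_pubkey_colons: reads a `gpg --with-colons` key listing on stdin.
# Fields used: 1=record type, 3=key length, 6=creation, 7=expiration (epoch seconds).
check_pubkey_colons() {
  awk -F: -v min_bits=4096 -v min_days=7 '
    $1 == "sec" { print "FAIL: listing contains a secret key"; bad = 1 }
    $1 == "pub" {
      seen = 1
      if ($3 + 0 < min_bits) {
        printf "FAIL: key length %d is below %d bits\n", $3, min_bits; bad = 1
      }
      if ($7 == "") {
        print "FAIL: no expiration date set"; bad = 1
      } else if ($7 + 0 < $6 + min_days * 86400) {
        printf "FAIL: expires less than %d days after creation\n", min_days; bad = 1
      }
    }
    END {
      if (!seen) { print "FAIL: no public key record found"; bad = 1 }
      if (!bad) print "OK"
      exit bad + 0
    }'
}

# With a file path as the first argument, check a real export.
# --show-keys (GnuPG 2.2.8 or later) lists the key without importing it.
if [ -n "${1:-}" ]; then
  check_armor "$1" && gpg --show-keys --with-colons "$1" | check_pubkey_colons
fi
```

Save the script and run it with the exported key file as its argument; it prints OK only when every check passes.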

Request process

1. Submit a support request

Open a support case requesting a password hash or MFA secrets export. Include the following in your request:
  • The specific tenant name.
  • Your PGP public key (the full key block from the prerequisites above).
2. Wait for eligibility review

The Auth0 team reviews your request to determine eligibility. Not all requests qualify for an export.

Auth0 does not provide ETAs for eligible exports because fulfillment depends on resource and access availability. If you have a required date, note it in your request.
3. Provide the required documentation

If your request is approved, Auth0 sends a requirements message asking for the following:
  1. Your authorization — a written acknowledgment that you approve the export from the tenant(s) in your request.
  2. An additional tenant admin confirmation — at least one other tenant administrator must be CC’d on the support case and confirm the request.
  3. A signed acknowledgment form — the Hashed Password and MFA Secret Export Acknowledgment form must be signed by a CISO, CSO, or executive-level representative (VP or above) in your organization. Typed names are not accepted; a physical or digital signature is required. Upload the completed form to the support case.
If any of the above is missing or incomplete, your request may not be processed.
4. Export preparation

After Auth0 receives all required documentation, the Auth0 team exports the requested data from your tenant and encrypts it with the PGP public key you provided.
5. Receive your secure download link

You receive an email containing a pre-signed, secure download URL hosted on Amazon S3. This link:
  • Is accessible only to tenant administrators associated with the request.
  • Expires after 1 day. Download the file before it expires. After expiration, you must submit a new request.
6. Download and decrypt

Download the encrypted file (.pgp or .gpg extension) and decrypt it with your PGP private key and the passphrase you set when generating the key:
gpg --output DECRYPTED_EXPORT_FILE --decrypt ENCRYPTED_EXPORT_FILE.pgp
Replace DECRYPTED_EXPORT_FILE with your desired output filename and ENCRYPTED_EXPORT_FILE.pgp with the name of the downloaded file.

Security reminders

  • Never share your private key or passphrase with anyone, including Auth0 or Okta support staff. Auth0 never asks for them.
  • Back up your private key and passphrase securely on an offline device. If lost, you cannot decrypt your export and must submit a new request.
  • Do not share the download link publicly. The link is pre-signed and scoped to authorized tenant administrators.
