Decrypt Chrome & Edge cookies in your browser
2026-06-17 · 3 min
This is the practical companion to the two deep-dives on cookie encryption and the offline DPAPI chain. It walks through decrypting Chrome/Edge cookie values in the in-browser parser — no server, no upload, nothing leaves the tab.
What you need to collect
From the target profile and host:
| Input | Where it lives |
|---|---|
Cookies database | …\User Data\<Profile>\Network\Cookies |
Local State | …\User Data\Local State |
| DPAPI masterkey file | %APPDATA%\Microsoft\Protect\<SID>\<GUID> |
| User SID | the folder name under …\Protect\ |
| NT hash or password | NT hash from the SAM hive (boot key from SYSTEM) |
The masterkey GUID you need is shown in the tool after you load
Local State, so you can match it to the right file under \Protect\.
Two paths to the key
The decryptor offers two methods. Use whichever fits what you have.
A) You already have the AES key
If another tool already unwrapped the 32-byte os_crypt key, paste it
(hex or base64) and decrypt. Done.
B) Derive it here from the Windows files
This runs the whole DPAPI chain in the browser:
- Load the
Cookiesdatabase first. The table appears with an empty Decrypted value column and a decryption panel below it. - Add the decryption files. Drop
Local Stateonto the same drop zone — uploads accumulate, so your cookies stay put — or pick it directly in the panel. Then select the masterkey file. - Enter the SID and the secret. Choose NT hash or password and paste the value.
- Derive key & decrypt. The tool decrypts the masterkey (verifying its HMAC), unwraps the AES key, and fills in the Decrypted value column.
If the SID or secret is wrong, the masterkey HMAC fails and you get a clear error rather than silent garbage — a property of the DPAPI design, not the tool.
Reading the results
Decrypted values land in the cookies table next to host, name and the three
timestamps. Filter for the session or
token you care about, then export the table to CSV or JSON. A
__Secure-… auth cookie decrypted next to a download or visit row pins a
session hard.
Scope and limits
- v10 values decrypt fully with this flow. v20 (app-bound, Chrome 127+) needs the app-bound key, which is only partially recoverable from files — see the encryption deep-dive.
- Modern masterkeys only (AES-256). Legacy 3DES masterkeys are rejected with a message rather than mis-decrypted.
- Windows only. macOS Keychain and Linux keyring keys are a different acquisition problem.
- Don't forget the
-walsidecar next toCookies— drop it too so recently-set cookies aren't missed (why).