browserforensics
Back to all articles

Decrypt Chrome & Edge cookies in your browser

2026-06-17 · 3 min

This is the practical companion to the two deep-dives on cookie encryption and the offline DPAPI chain. It walks through decrypting Chrome/Edge cookie values in the in-browser parser — no server, no upload, nothing leaves the tab.

What you need to collect

From the target profile and host:

InputWhere it lives
Cookies database…\User Data\<Profile>\Network\Cookies
Local State…\User Data\Local State
DPAPI masterkey file%APPDATA%\Microsoft\Protect\<SID>\<GUID>
User SIDthe folder name under …\Protect\
NT hash or passwordNT hash from the SAM hive (boot key from SYSTEM)

The masterkey GUID you need is shown in the tool after you load Local State, so you can match it to the right file under \Protect\.

Two paths to the key

The decryptor offers two methods. Use whichever fits what you have.

A) You already have the AES key

If another tool already unwrapped the 32-byte os_crypt key, paste it (hex or base64) and decrypt. Done.

B) Derive it here from the Windows files

This runs the whole DPAPI chain in the browser:

  1. Load the Cookies database first. The table appears with an empty Decrypted value column and a decryption panel below it.
  2. Add the decryption files. Drop Local State onto the same drop zone — uploads accumulate, so your cookies stay put — or pick it directly in the panel. Then select the masterkey file.
  3. Enter the SID and the secret. Choose NT hash or password and paste the value.
  4. Derive key & decrypt. The tool decrypts the masterkey (verifying its HMAC), unwraps the AES key, and fills in the Decrypted value column.

If the SID or secret is wrong, the masterkey HMAC fails and you get a clear error rather than silent garbage — a property of the DPAPI design, not the tool.

Reading the results

Decrypted values land in the cookies table next to host, name and the three timestamps. Filter for the session or token you care about, then export the table to CSV or JSON. A __Secure-… auth cookie decrypted next to a download or visit row pins a session hard.

Scope and limits

  • v10 values decrypt fully with this flow. v20 (app-bound, Chrome 127+) needs the app-bound key, which is only partially recoverable from files — see the encryption deep-dive.
  • Modern masterkeys only (AES-256). Legacy 3DES masterkeys are rejected with a message rather than mis-decrypted.
  • Windows only. macOS Keychain and Linux keyring keys are a different acquisition problem.
  • Don't forget the -wal sidecar next to Cookies — drop it too so recently-set cookies aren't missed (why).

Further reading