browserforensics
Back to all articles

Decrypt Microsoft Edge passwords and cookies

2026-06-21 · 4 min

Microsoft Edge is Chromium. That single fact decides the whole acquisition plan: the on-disk layout, the os_crypt key scheme, and the DPAPI chain are the same as Chrome — only the paths change. If you already know how to decrypt Chrome cookies, you already know how to do Edge. This post maps the differences and walks the in-browser workflow for cookies, passwords and saved cards — nothing leaves the tab.

Same files, different path

Everything sits under the Edge User Data root instead of Chrome's:

%LOCALAPPDATA%\Microsoft\Edge\User Data\

The per-profile artifacts and the shared Local State are byte-compatible with Chrome's:

ArtifactPath (relative to a profile, e.g. Default)
Browsing historyHistory
CookiesNetwork\Cookies
Saved passwordsLogin Data
Saved cards / autofillWeb Data
BookmarksBookmarks
os_crypt key..\Local State (at the User Data root)

Profile folder names follow the same convention — Default, then Profile 1, Profile 2, … For where each of these lives in detail, see Edge history file locations.

Same encryption scheme

Edge encrypts cookie values, password blobs and card numbers exactly like Chrome: AES-256-GCM with a v10/v20 version tag, keyed by the single os_crypt AES key stored in Local State.

FieldWhereEncryption
Cookie valueCookiescookies.encrypted_valuev10/v20 AES-GCM
PasswordLogin Datalogins.password_valuev10/v20 AES-GCM
Card numberWeb Datacredit_cards.card_number_encryptedv10/v20 AES-GCM

The key itself is DPAPI-wrapped on Windows (base64 encrypted_key in Local State, prefixed with the ASCII tag DPAPI). On macOS it lives in the login Keychain under Microsoft Edge Safe Storage; on Linux it is a keyring secret. The blob format and the key derivation are identical to Chrome — the same code decrypts both.

Recovering the key offline

Same two-key problem, same offline DPAPI chain. To unwrap the Edge os_crypt key from acquired files you need:

InputWhere it lives
Local State…\Edge\User Data\Local State
DPAPI masterkey file%APPDATA%\Microsoft\Protect\<SID>\<GUID>
User SIDthe folder name under …\Protect\
NT hash or passwordNT hash from the SAM hive (boot key from SYSTEM)

The masterkey GUID to match against \Protect\ is shown in the tool once you load Local State.

The in-browser workflow

The decryptor takes the Edge files directly — no conversion, because they are Chromium files.

  1. Load the artifact. Drop Cookies, Login Data or Web Data (plus the -wal sidecar where present). The table renders with an empty Decrypted value column.
  2. Add the key inputs. Either paste the 32-byte os_crypt key if another tool already unwrapped it (hex or base64), or drop Edge's Local State + the masterkey file and enter the SID and secret.
  3. Derive key & decrypt. The tool verifies the masterkey HMAC, unwraps the AES key, and fills the Decrypted value column for cookies, passwords or card numbers.

A wrong SID or secret fails the masterkey HMAC and returns a clear error rather than silent garbage — a property of DPAPI, not the tool. For the full password and card walkthrough, see decrypting saved passwords and credit cards.

Scope and limits

  • v10 values decrypt fully from files. v20 (app-bound) applies to recent Edge builds too; the app-bound layer is only partially recoverable offline — same caveat as Chrome. If you already hold the unwrapped v20 key, the GCM decrypt is straightforward.
  • Modern masterkeys only (AES-256). Legacy 3DES masterkeys are rejected rather than mis-decrypted.
  • Windows acquisition assumed here. macOS Microsoft Edge Safe Storage and Linux keyring keys are a different acquisition problem.
  • Don't miss the -wal sidecar next to Cookies, Login Data and Web Data — recently written rows may live there, not in the main DB.

Further reading