Decrypt Microsoft Edge passwords and cookies
2026-06-21 · 4 min
Microsoft Edge is Chromium. That single fact decides the whole acquisition
plan: the on-disk layout, the os_crypt key scheme, and the DPAPI chain are
the same as Chrome — only the paths change. If you already know how to
decrypt Chrome cookies,
you already know how to do Edge. This post maps the differences and walks the
in-browser workflow for cookies, passwords and saved cards — nothing leaves
the tab.
Same files, different path
Everything sits under the Edge User Data root instead of Chrome's:
%LOCALAPPDATA%\Microsoft\Edge\User Data\
The per-profile artifacts and the shared Local State are byte-compatible
with Chrome's:
| Artifact | Path (relative to a profile, e.g. Default) |
|---|---|
| Browsing history | History |
| Cookies | Network\Cookies |
| Saved passwords | Login Data |
| Saved cards / autofill | Web Data |
| Bookmarks | Bookmarks |
os_crypt key | ..\Local State (at the User Data root) |
Profile folder names follow the same convention — Default, then
Profile 1, Profile 2, … For where each of these lives in detail, see
Edge history file locations.
Same encryption scheme
Edge encrypts cookie values, password blobs and card numbers exactly like
Chrome: AES-256-GCM with a v10/v20 version tag, keyed by the single
os_crypt AES key stored in Local State.
| Field | Where | Encryption |
|---|---|---|
| Cookie value | Cookies → cookies.encrypted_value | v10/v20 AES-GCM |
| Password | Login Data → logins.password_value | v10/v20 AES-GCM |
| Card number | Web Data → credit_cards.card_number_encrypted | v10/v20 AES-GCM |
The key itself is DPAPI-wrapped on Windows (base64 encrypted_key in
Local State, prefixed with the ASCII tag DPAPI). On macOS it lives in the
login Keychain under Microsoft Edge Safe Storage; on Linux it is a keyring
secret. The blob format and the key derivation
are identical to Chrome — the same code decrypts both.
Recovering the key offline
Same two-key problem, same offline DPAPI chain.
To unwrap the Edge os_crypt key from acquired files you need:
| Input | Where it lives |
|---|---|
Local State | …\Edge\User Data\Local State |
| DPAPI masterkey file | %APPDATA%\Microsoft\Protect\<SID>\<GUID> |
| User SID | the folder name under …\Protect\ |
| NT hash or password | NT hash from the SAM hive (boot key from SYSTEM) |
The masterkey GUID to match against \Protect\ is shown in the tool once
you load Local State.
The in-browser workflow
The decryptor takes the Edge files directly — no conversion, because they are Chromium files.
- Load the artifact. Drop
Cookies,Login DataorWeb Data(plus the-walsidecar where present). The table renders with an empty Decrypted value column. - Add the key inputs. Either paste the 32-byte
os_cryptkey if another tool already unwrapped it (hex or base64), or drop Edge'sLocal State+ the masterkey file and enter the SID and secret. - Derive key & decrypt. The tool verifies the masterkey HMAC, unwraps the AES key, and fills the Decrypted value column for cookies, passwords or card numbers.
A wrong SID or secret fails the masterkey HMAC and returns a clear error rather than silent garbage — a property of DPAPI, not the tool. For the full password and card walkthrough, see decrypting saved passwords and credit cards.
Scope and limits
- v10 values decrypt fully from files. v20 (app-bound) applies to recent Edge builds too; the app-bound layer is only partially recoverable offline — same caveat as Chrome. If you already hold the unwrapped v20 key, the GCM decrypt is straightforward.
- Modern masterkeys only (AES-256). Legacy 3DES masterkeys are rejected rather than mis-decrypted.
- Windows acquisition assumed here. macOS Microsoft Edge Safe Storage and Linux keyring keys are a different acquisition problem.
- Don't miss the
-walsidecar next toCookies,Login DataandWeb Data— recently written rows may live there, not in the main DB.