# Export Password Hashes and MFA Secrets

> Request a PGP-encrypted export of password hashes and MFA secrets from your Auth0 tenant through a support case.

When you request an export of password hashes or MFA secrets from your Auth0 tenant, the data is encrypted end-to-end with Pretty Good Privacy (PGP) before it leaves Auth0 systems. Only you, as the holder of the matching private key, can decrypt the exported data.

This page covers the full process, from submitting your request to decrypting the export file.

## Prerequisites

Before you submit a request, generate a PGP key pair that meets the following requirements:

| Requirement           | Value                                                                                                                                                                                                 |
| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Key length**        | 4096 bits or greater                                                                                                                                                                                  |
| **Encryption subkey** | The key must include at least one RSA 4096-bit encryption subkey. Auth0 uses this subkey to encrypt your export. Other subkeys may use different parameters; only one needs to meet this requirement. |
| **Passphrase**        | Strong and unique. A randomly generated passphrase is recommended.                                                                                                                                    |
| **Expiration**        | Set an expiration date at least 7 days after the date of generation. To reuse the same key for repeat export requests, adjust the expiration accordingly.                                             |

## Generate your PGP key pair

This section uses [GnuPG (`gpg`)](https://gnupg.org/), the standard command-line tool for OpenPGP. For other tools or advanced options, see the [GnuPG manual](https://www.gnupg.org/gph/en/manual/c14.html).

### Install GnuPG

<Tabs>
  <Tab title="macOS">
    ```bash
    brew install gnupg
    ```

    Requires [Homebrew](https://brew.sh/). For other installation options, read the [GnuPG download page](https://gnupg.org/download/).
  </Tab>

  <Tab title="Linux">
    GnuPG is preinstalled on most distributions. If not:

    ```bash
    # Debian/Ubuntu
    sudo apt-get install gnupg

    # RHEL/Fedora
    sudo dnf install gnupg2
    ```
  </Tab>

  <Tab title="Windows">
    Install [Gpg4win](https://www.gpg4win.org/), which includes the `gpg` command-line tool. After installation, restart your terminal so the `gpg` command is on your `PATH`.
  </Tab>
</Tabs>

### Generate the key

Run the key generation command:

```bash
gpg --full-generate-key
```

When prompted, provide the following values:

| Prompt                                  | Value                                                                                                                                                     |
| --------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Please select what kind of key you want | **`1` (RSA and RSA)**                                                                                                                                     |
| What keysize do you want                | **`4096`**                                                                                                                                                |
| Key is valid for                        | A duration matching the **Expiration** requirement above (at least 7 days)                                                                                |
| Real name / email                       | Your name and the exact email address registered for your tenant administrator account. Aliases or different capitalization may cause validation to fail. |
| Comment                                 | Optional non-sensitive label that helps you identify this key later (for example, *"Auth0 export key"*).                                                  |
| Passphrase                              | A strong, randomly generated passphrase.                                                                                                                  |

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Recent versions of GnuPG default to ECC at the first prompt. **You must explicitly select `1` (RSA and RSA).** ECC and EdDSA keys are not supported by Auth0's export validation.
</Callout>

### Export your public key

After the key is generated, find its key ID and export the public key. Always reference the key by its key ID (not by email). `gpg` returns the first key matching the identifier you pass, so an email lookup can grab the wrong key if you generated more than one with the same address.

List your keys:

```bash
gpg --list-keys
```

The output includes a `pub` line followed by the 16-character key ID:

```text
pub   rsa4096 2026-06-04 [SC] [expires: 2028-06-04]
      ABC123451E45G39A
uid           [ultimate] Your Name <your.email@example.com>
sub   rsa4096 2026-06-04 [E]
```

Export the public key by key ID in ASCII-armored format:

```bash
gpg --armor --export YOUR_KEY_ID > public_key.asc
```

Replace `YOUR_KEY_ID` with the alphanumeric string shown under your `pub` line (for example, `ABC123451E45G39A`). The output file contains the full key block, including the armor headers:

```text
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----
```

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Do not export or share your private key. Auth0 only needs your public key to encrypt the file.
</Callout>
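
Before attaching the key to a support case, you can confirm locally that it meets the Prerequisites table. The check below is an added example, not Auth0's validation code: it reads a `gpg --with-colons` listing and reports any unmet requirement. The function name `check_export_key`, the sample listings, and the GnuPG 2.x colon-format field layout (dates as epoch seconds) are assumptions of this example.

```bash
# Added example (not Auth0 code): check a key listing against the Prerequisites table.
# Reads `gpg --with-colons` output on stdin. Assumes the GnuPG 2.x colon format:
# field 3 = bits, 4 = algorithm (1 = RSA), 6/7 = creation/expiry as epoch seconds,
# 12 = capabilities.
check_export_key() {
  awk -F: '
    $1 == "pub" {
      if ($4 != 1)   err = err "primary key is not RSA; "
      if ($3 < 4096) err = err "primary key shorter than 4096 bits; "
      if ($7 == "")  err = err "no expiration set; "
      else if ($7 - $6 < 7 * 86400) err = err "expires under 7 days after creation; "
    }
    # Usable encryption subkey: RSA, >= 4096 bits, capability e,
    # validity field not revoked (r) or expired (e).
    $1 == "sub" && $4 == 1 && $3 >= 4096 && $12 ~ /e/ && $2 !~ /[re]/ { enc = 1 }
    END {
      if (!enc) err = err "no RSA 4096-bit encryption subkey; "
      if (err != "") { print "FAIL: " err; exit 1 }
      print "OK"
    }'
}

# Constructed sample listings (placeholder key IDs, not real keys).
GOOD_KEY='pub:-:4096:1:AAAAAAAAAAAAAAAA:1780531200:1843689600::-:::scESC:
uid:-::::1780531200::::Your Name <your.email@example.com>:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1780531200:1843689600:::::e:'
# ECC key, as produced when the default is accepted at the first prompt.
ECC_KEY='pub:-:255:22:CCCCCCCCCCCCCCCC:1780531200:1843689600::-:::scESC:
sub:-:255:18:DDDDDDDDDDDDDDDD:1780531200:1843689600:::::e:'
# RSA 4096 key generated with "key does not expire".
NOEXP_KEY='pub:-:4096:1:EEEEEEEEEEEEEEEE:1780531200:::-:::scESC:
sub:-:4096:1:FFFFFFFFFFFFFFFF:1780531200::::::e:'

for k in "$GOOD_KEY" "$ECC_KEY" "$NOEXP_KEY"; do
  printf '%s\n' "$k" | check_export_key || true
done
```

To check the exported file itself, pipe `gpg --show-keys --with-colons public_key.asc` into `check_export_key`, provided your GnuPG version supports `--show-keys`.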

## Request process

<Steps>
  <Step title="Submit a support request">
    [Open a support case](https://support.auth0.com) requesting a password hash or MFA secrets export. Include the following in your request:

    * The specific **tenant name**.
    * Your **PGP public key** (the full ASCII-armored block from the previous section).
  </Step>

  <Step title="Wait for eligibility review">
    Auth0 reviews your request to determine eligibility. Not all requests qualify for an export.

    Auth0 does not provide ETAs for eligible exports because fulfillment depends on resource and access availability. If you have a required date, note it in your request.
  </Step>

  <Step title="Provide the required documentation">
    If your request is approved, Auth0 sends a requirements message asking for the following:

    1. **Your authorization**: a written acknowledgment that you approve the export from the tenant(s) in your request.
    2. **An additional tenant admin confirmation**: at least one other tenant administrator will be CC'd on the support case and must confirm the request. If you are the sole tenant administrator of a tenant, this step will be skipped.
    3. **A signed acknowledgment form**: the **Hashed Password and MFA Secret Export Acknowledgment** form must be signed by a CISO, CSO, or executive-level representative (VP or above) in your organization. Typed names are not accepted; a physical or digital signature is required. Upload the completed form to the support case.

    <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
      If any of the above is missing or incomplete, your request may not be processed.
    </Callout>
  </Step>

  <Step title="Wait for export preparation">
    After Auth0 receives all required documentation, we encrypt and export your tenant data with the PGP public key you provided.
  </Step>

  <Step title="Receive your secure download link">
    You receive an email containing a secure download link. The link:

    * **Requires authentication** as the user account that opened the support case. Other tenant administrators cannot download the file from this link.
    * **Requires that user to still hold the tenant administrator role** at the time of download. If they lose the role, the download is blocked and a new request must be submitted.
    * **Expires after 3 days**. Download the file before it expires. After expiration, you must submit a new request.
  </Step>

  <Step title="Download and decrypt">
    Download the encrypted file (`.pgp` or `.gpg` extension) and decrypt it with your PGP private key and the passphrase you set when generating the key:

    ```bash
    gpg --output DECRYPTED_EXPORT_FILE --decrypt ENCRYPTED_EXPORT_FILE.pgp
    ```

    Replace `DECRYPTED_EXPORT_FILE` with your desired output filename and `ENCRYPTED_EXPORT_FILE.pgp` with the name of the downloaded file.
  </Step>
</Steps>

## Security reminders

* **Never share your private key or passphrase with anyone**, including Auth0 or Okta support staff. Auth0 never asks for them.
* **Back up your private key and passphrase** securely on an offline device. If lost, you cannot decrypt your export and must submit a new request.
* **Do not share the download link.** Although the download requires the case creator to authenticate with an active tenant administrator role, treat the link as confidential.

## Learn more

* [Bulk User Exports](/docs/manage-users/user-migration/bulk-user-exports)
* [Bulk User Imports](/docs/manage-users/user-migration/bulk-user-imports)
* [User Migration Scenarios](/docs/manage-users/user-migration/user-migration-scenarios)
