Where Is the FlowCrypt Private Key Stored?

Good Morning! Where is the key pair for FlowCrypt stored?


The browser extension stores it in the browser’s local extension storage. Depending on how you set it up, there may also be a backup. Please refer to the FlowCrypt Privacy Policy in this matter, particularly the Handling of Private Keys section:

The Local App will store Private Keys in storage that is accessible only to the Local Machine such as browser storage, application storage, hard drive, or similar, and the security of these Private Keys depends on the security of the underlying Local Machine that stores them. For this reason, it is recommended to always update to the latest operating system, keep up to date with the latest security fixes, keep the system virus free, and use full-disk encryption or any other practices that make the Local Machine less vulnerable to attackers. Additionally, we recommend that you select an “Always require a passphrase when opening email” option as an additional layer of security in case your Local Machine gets compromised in the future through physical or other means.

In addition to storing the Private Key in the Local App exclusive in the Local Machine, depending on how the Local App was set up, the following will apply:

When importing Private Key from elsewhere: The LOCAL APP will keep both the PRIVATE KEY and PASSPHRASE exclusively on the LOCAL MACHINE, unless the user specifically navigates to the backup section of settings where they perform an additional form of PRIVATE KEY backup.

When creating a new Private Key: The LOCAL APP will provide the user with a comprehensive estimation of the strength of their PASSPHRASE. Once the user chooses a PASSPHRASE of satisfactory strength depending on their use case, the LOCAL APP will store the PASSPHRASE and PRIVATE KEY on the LOCAL MACHINE. In addition, as a part of the setup process, the LOCAL APP will provide the option to backup (default configuration) the PRIVATE KEY on the user’s EMAIL PROVIDER or not to perform any backup. The backed-up key is protected with a PASSPHRASE that will always stay exclusively on the LOCAL APP within the LOCAL MACHINE. It is strongly recommended to choose a PASSPHRASE that will be evaluated to maximum strength (full-strength bar) during the LOCAL APP setup, as PASSPHRASEs of such strength take a vast amount of resources to crack through BRUTE FORCE ATTACK, making such attacks effectively impossible.