Exporting Private Key from Mobile App [Android]

Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue

Hi

Unfortunately my laptop died recently, and I’m trying to set up passbolt on a new computer. I still have access to passbolt from the Android mobile app, but I can’t seem to export my private key from there.
And the original private key file is on the dead laptop.

Is there any way I can continue?

Best regards

Hello @bieblebrox, welcome to the forum!
I think there is no way to recover your account from your phone.
If your laptop has died but your disk is OK, you can try to connect your disk to another computer in order to recover your private key and your files.


It’s a recent MacBook Pro and apparently the motherboard is fried. Those are all integrated systems these days; you can’t just pull out the hard drive like before, and even if you could, that hard drive is encrypted and controlled by the T2 chip on the motherboard, so without that, the drive is useless. Quite a shock to me that this can just happen out of the blue.

Anyway, given how asymmetric encryption works, the mobile app must have a copy of the private key, right? How else can it read the data? So even if it’s not a feature, the app must have some sort of local copy of the key. Could I somehow read it from the device?

Or can someone point me to the right part of the source code where I might be able to play around to access it?

So the key is present on the phone but not really accessible. That key is encrypted with another key that is stored in the Android keystore.

@clayton Thank you for your response.

If I were to update the source code for the passbolt Android app and write a piece of code that could use the Android keystore to decrypt the key and expose it, would this modified app be able to access the data from the live app?

Or is that only possible if that new build is signed using your publishing key? Or is it possible to force Android to ‘trust’ the build?

Hi @bieblebrox !

I suppose doing so won’t help you. I think (and hope, for security reasons) that having another app read that data is not doable. However, we discussed this issue internally and there may be a way. The mobile app has the possibility to do a mobile-to-mobile transfer via QR codes. It’s not that easy, but the idea is the following (quoting the message as-is):

One option would be to do a mobile-to-mobile transfer, record a video of this, then extract the key manually from the QR codes

@Steph

That seems like an interesting challenge. Do you have a bit more info about the steps I’d need to take? E.g. how to decode the data being transferred through the QR codes?

Many thanks

The idea with the recording is to have all the QR codes visible. After that you could use a website like https://webqr.com/ to pass it a QR code (I didn’t test the site, so I don’t know if it’s fine or not). The number of QR codes depends on the type and size of the key that you are using.

I suppose the format would be text in JSON format (I’m not 100% sure, as I didn’t work on that part). With all the QR codes, you should normally be able to reconstitute your key this way.

Hi @Steph ,

Thank you for your response.
I want to confirm that this solution is working. In case anyone encounters this problem in the future, I used this Mac app to scan the QR codes that the app exports: QR Capture on the Mac App Store

After that it’s just a matter of concatenating the output strings to rebuild the key.
Thanks again!

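The reassembly step from the last two posts (film the mobile-to-mobile transfer, scan every QR code, concatenate the scanned strings), as an added example that is not part of the thread and not Passbolt’s own code. It assumes three things the thread does not state: that the scanner reports each code’s text in the order the codes were shown, that a code filmed across several frames is reported several times in a row, and that the concatenation is an ASCII-armored OpenPGP private key block (the RFC 4880 armor with its CRC-24 trailer), which lets the result be checked for a missed or mis-ordered code before it is imported anywhere. The sample key bytes are constructed, not a real key.

```python
"""Rebuild a key exported as a sequence of QR codes and sanity-check the result.

Added example, not Passbolt code. Assumptions (mine, not from the thread):
  * the QR scanner yields each code's text in the order the codes were shown;
  * a code visible for several video frames is reported several times in a row;
  * the concatenated text is an ASCII-armored OpenPGP private key block
    (RFC 4880 section 6), so the CRC-24 trailer can detect a missing chunk.
"""
import base64

BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
END = "-----END PGP PRIVATE KEY BLOCK-----"

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes) -> str:
    """Build an armored block from raw bytes; used here only to construct input."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *lines, "=" + check, END]) + "\n"


def dedupe_scans(scans):
    """Collapse runs of identical payloads (one QR code filmed on many frames).

    A payload that shows up again *after* a different one is ambiguous (the
    transfer looped, or the scanner jumped around), so it is reported rather
    than silently dropped.
    """
    chunks = []
    for payload in scans:
        if chunks and chunks[-1] == payload:
            continue
        if payload in chunks:
            raise ValueError(f"chunk seen again out of order: {payload[:20]!r}...")
        chunks.append(payload)
    return chunks


def reassemble(scans) -> str:
    """Concatenate the de-duplicated chunks in scan order."""
    return "".join(dedupe_scans(scans))


def verify_armor(text: str):
    """Return the decoded key bytes if `text` is a well-formed armored private
    key block whose CRC-24 trailer matches, otherwise None."""
    lines = [ln.rstrip("\r") for ln in text.strip().split("\n")]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return None
    inner = lines[1:-1]
    # optional "Key: Value" armor headers end at the first blank line
    try:
        start = inner.index("") + 1
    except ValueError:
        start = 0
    payload = [ln for ln in inner[start:] if ln]
    if not payload or not payload[-1].startswith("="):
        return None
    try:
        data = base64.b64decode("".join(payload[:-1]), validate=True)
        check = base64.b64decode(payload[-1][1:], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(check) != 3 or int.from_bytes(check, "big") != crc24(data):
        return None
    return data


if __name__ == "__main__":
    # constructed input: a fake key armored and cut into 40-char QR payloads,
    # each "filmed" on three consecutive frames
    fake_key = b"constructed sample bytes, not a real OpenPGP key"
    exported = armor(fake_key)
    codes = [exported[i:i + 40] for i in range(0, len(exported), 40)]
    frames = [c for c in codes for _ in range(3)]
    rebuilt = reassemble(frames)
    print("rebuilt matches export:", rebuilt == exported)
    print("armor + CRC-24 verify:", verify_armor(rebuilt) == fake_key)
    print("missing a code is detected:", verify_armor("".join(codes[:2] + codes[3:])) is None)
```

The CRC-24 check is the useful part: a missed or doubled frame from the video will usually still concatenate into something that looks like a key, and the checksum (or a base64 decode failure) catches it before the block is fed to an importer.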