MetaMask Vault Recovery

MetaMask is the most-used self-custody Ethereum wallet, with over 30 million monthly active users. When you set a password and MetaMask shows you the 12-word seed, it encrypts the seed with that password and stores it locally in your browser's extension storage as a vault. If you lose the password but still have the browser profile intact, recovery is technically straightforward. If the browser was reset or the extension uninstalled, the vault is gone and only the seed phrase can restore your funds.

How MetaMask stores your seed

The MetaMask background service holds an in-memory KeyringController. When locked, this controller serializes the keyring (which contains your seed or imported private keys) and passes it to an encryption layer called @metamask/browser-passworder. The encryption parameters, from the source code:

// from @metamask/browser-passworder (simplified)
async function encrypt(password, data) {
  const salt = crypto.getRandomValues(new Uint8Array(16));      // 16 bytes random
  const key = await crypto.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: 10000, hash: "SHA-256" },
    passwordKey,
    { name: "AES-GCM", length: 256 },
    false,
    ["encrypt"]
  );
  const iv = crypto.getRandomValues(new Uint8Array(16));         // 16 bytes random
  const ciphertext = await crypto.subtle.encrypt(
    { name: "AES-GCM", iv }, key,
    new TextEncoder().encode(JSON.stringify(data))
  );
  return JSON.stringify({
    data: base64(ciphertext),
    iv:   base64(iv),
    salt: base64(salt)
  });
}

Three takeaways:

• PBKDF2-HMAC-SHA256, 10,000 iterations — weak by modern standards (Argon2id would use 3 passes over 64MB instead).
• AES-256-GCM with 128-bit IV; GCM provides integrity so wrong passwords fail cleanly with "MAC tag mismatch".
• The vault string is a single JSON object with three fields: data, iv, salt. That JSON is what recovery tools need — nothing more.

Finding the vault on disk

The MetaMask extension ID is nkbihfbeogaeaoehlefnkodbefgpgknn (Chrome / Edge / Brave) and webextension@metamask.io (Firefox). The vault lives in the extension's IndexedDB.

Inside that directory are LevelDB files (*.log, *.ldb, MANIFEST-*, CURRENT). Copy the entire folder — do not open it with a LevelDB tool while Chrome is running, or you will corrupt it.

Extracting the vault JSON — the interactive way

1. In a browser where MetaMask is installed, navigate to chrome://extensions/.
2. Enable Developer mode (top-right toggle).
3. Find MetaMask, click "Inspect views: service worker" (or "background page" on older Manifest V2 builds). DevTools opens.
4. In DevTools, switch to the Application tab (Chrome) or Storage tab (Firefox).
5. Expand IndexedDB → metamask → the store named "keyValuePairs" (or similar, depending on version). Find the row with key data.
6. Expand the value. You are looking for something shaped like:

{
  "KeyringController": {
    "vault": "{\"data\":\"Vdx1lN...<long base64>...==\",\"iv\":\"aBc...==\",\"salt\":\"xYz...==\"}",
    ...
  }
}

The inner "vault" string is the JSON you need. Copy it, unescape it (it contains \" escaping), and save to vault.json.

Decrypting with metamask-vault-decryptor

The official open-source tool lives at github.com/MetaMask/vault-decryptor. It is a static HTML + JavaScript page that runs entirely in your browser — no data leaves your machine. Clone the repo, open index.html locally, paste the vault JSON, type your candidate password, click decrypt.

Automated brute force with btcrecover + hashcat

If you have a rough idea of the password (fragments, length, pattern), automated recovery is realistic:

# btcrecover MetaMask module
python3 btcrecover.py \
    --wallet vault.json \
    --wallet-type metamask \
    --tokenlist tokens.txt \
    --typos 2 --typos-case --typos-capslock

# Convert vault JSON to hashcat hash (mode 26600)
python3 metamask2hashcat.py --vault vault.json > vault.hash

# Hashcat dictionary + rules
hashcat -m 26600 -a 0 vault.hash rockyou.txt -r OneRuleToRuleThemAll.rule

# Mask: you remember it starts with "satoshi" + 3 digits + 1 symbol
hashcat -m 26600 -a 3 vault.hash "satoshi?d?d?d?s"

# Increment: any length from 6 to 11
hashcat -m 26600 -a 3 vault.hash --increment --increment-min 6 --increment-max 11 "?a?a?a?a?a?a?a?a?a?a?a"

Realistic GPU throughput (mode 26600)

Because PBKDF2 is only 10,000 rounds, a 6-GPU rig runs through a 10-billion candidate keyspace in under 10 minutes. This is why password hygiene matters — and why MetaMask's Argon2 migration (in progress) is overdue.

Scenarios: what's recoverable and what's not

The seed phrase is the real backup

This bears repeating because it is the single most important thing in crypto self-custody. Your seed phrase (12 words for MetaMask default) regenerates your vault on any device, any browser, any wallet software that supports BIP39. The password and the vault file are just local disk convenience. If you have the seed, you can ignore the vault entirely — even partial seeds can sometimes be recovered.

Going forward: write your seed on paper or stamped metal, store it in at least two geographically separate locations, and treat the MetaMask password as the throwaway convenience it is.

Related guides

• Ethereum keystore JSON recovery — MyEtherWallet / Geth format, different scrypt parameters.
• BIP39 seed recovery — if you have partial seed words.
• Crypto wallet recovery scams — mandatory read before trusting any tool.
• Bitcoin Core wallet.dat recovery — different ecosystem, stronger KDF.

Frequently asked questions