When you enable two-factor authentication on Mastodon, the server provides a set of backup codes. These codes let you regain access if you lose your authenticator app. The exported file containing these codes is encrypted to protect your account. This article explains how to decrypt that file and recover your backup codes.
The encrypted file uses a password you set during the 2FA setup process. Without that password, decryption is not possible. The steps below work on Windows 11 and Windows 10 using built-in tools and a widely available open-source utility.
You will learn the exact command to run, how to locate the file, and what to do if the password fails. The process takes less than two minutes once you have the correct password.
Key Takeaways: Decrypting Mastodon 2FA Backup Codes
- OpenSSL command line: The only reliable method to decrypt the Mastodon 2FA backup codes file on Windows.
- Password from 2FA setup: You must know the exact password you entered when generating the backup codes. Mastodon does not store this password.
- File location in Downloads folder: Mastodon exports the encrypted file as mastodon-2fa-backup-codes.txt.enc directly to your browser download location.
Why Mastodon Encrypts the 2FA Backup Codes File
When you enable two-factor authentication in Mastodon, the server generates 10 single-use backup codes. These codes are displayed on screen once and then never shown again. If you lose access to your authenticator app, any one of these codes can replace the 2FA code during login.
Mastodon also offers an export button that saves these codes to a file. To prevent anyone who gains access to your computer or email from reading the codes, Mastodon encrypts the file using OpenSSL AES-256-CBC encryption. The encryption password is set by you at the moment you click the export button. Mastodon never stores or transmits this password. If you forget it, the encrypted file is permanently unreadable.
The exported file has the extension .enc and contains a base64-encoded blob. Decryption requires the OpenSSL command line tool, which is not installed by default on Windows. You must download a precompiled OpenSSL binary or use Windows Subsystem for Linux. The steps below cover the simpler method using a standalone OpenSSL build.
Steps to Decrypt the Mastodon 2FA Backup Codes File
- Download OpenSSL for Windows
Go to the official OpenSSL wiki page for Windows binaries. Download the latest full installer for your system architecture (64-bit or 32-bit). Run the installer and accept the default installation path. During installation, choose the option to copy OpenSSL DLLs to the Windows system directory. This makes the openssl command available from any Command Prompt window.
- Locate the encrypted backup codes file
Open File Explorer and navigate to your Downloads folder. Look for a file named mastodon-2fa-backup-codes.txt.enc. If you renamed the file during download, use your custom filename. The file must have the .enc extension. If you cannot find the file, re-export the backup codes from Mastodon Settings > Account > Two-factor Auth and save the new file to a known folder.
- Open a Command Prompt window
Press the Windows key, type cmd, and select Command Prompt. You do not need administrator privileges for this task. Navigate to the folder containing the .enc file using the cd command. For example, type cd %USERPROFILE%\Downloads and press Enter.
- Run the OpenSSL decryption command
Type the following command and press Enter:

openssl enc -aes-256-cbc -d -in mastodon-2fa-backup-codes.txt.enc -out mastodon-2fa-backup-codes.txt -pbkdf2

OpenSSL will prompt you for the decryption password. Type the exact password you used when exporting the file. The password is case-sensitive. Press Enter after typing the password.
- Verify the decrypted file
If the password is correct, OpenSSL completes silently with no output. Open the newly created file mastodon-2fa-backup-codes.txt in Notepad. The file contains 10 backup codes, one per line, each a string of alphanumeric characters. Each code is valid once. After using a code to log in, Mastodon marks it as used and will not accept it again.
- Store the decrypted file securely
Move the decrypted text file to an encrypted USB drive or a password manager. Delete the plain-text file from your Downloads folder after saving the codes. The encrypted .enc file can be kept as a backup, but without the password it is useless. Consider printing the codes and storing the paper copy in a safe location.
Common Decryption Problems and Solutions
OpenSSL says “bad decrypt” or “wrong final block length”
This error almost always means the password is incorrect. OpenSSL does not show a separate “wrong password” message. Instead, it fails during the decryption padding check. Double-check your password for typos, different keyboard layouts, or accidental leading or trailing spaces. If you have multiple passwords you might have used, try each one in a separate command. There is no password recovery option. If none of your passwords work, the file cannot be decrypted.
OpenSSL is not recognized as an internal or external command
This error appears when OpenSSL is not installed or not added to the system PATH. Re-run the OpenSSL installer and select the option to copy DLLs to the Windows system directory. If you used a portable version instead of the installer, you must run the command from the folder containing openssl.exe, or add that folder to your PATH environment variable manually.
File name contains spaces or special characters
If the encrypted file name includes spaces, enclose the full filename in double quotes in the command. For example:

openssl enc -aes-256-cbc -d -in "mastodon 2fa backup codes.txt.enc" -out codes.txt -pbkdf2

Using a short output filename like codes.txt avoids typing issues.
Decrypted file contains garbled text or symbols
This indicates either a wrong password or a corrupted .enc file. If the password is wrong, OpenSSL may still produce output, but the result is binary garbage. Delete the output file, re-run the command with the correct password, and check the result. If the file is corrupted, re-export the backup codes from Mastodon and try again.
OpenSSL Decryption vs Other Decryption Methods
| Item | OpenSSL Command Line | Third-Party GUI Tools |
|---|---|---|
| Availability | Requires manual download and install | Some tools bundle OpenSSL but may not support -pbkdf2 flag |
| Encryption algorithm | AES-256-CBC with PBKDF2 key derivation | Depends on tool; older tools use MD5-based key derivation and fail |
| Password prompt | Interactive terminal prompt | Graphical input field |
| Error messages | Generic “bad decrypt” for any failure | May show clearer error or crash silently |
| Platform support | Windows, macOS, Linux | Windows only for most GUI tools |
The OpenSSL command line is the only method guaranteed to work with Mastodon export files. The Mastodon server uses the -pbkdf2 flag during encryption. GUI tools that do not support PBKDF2 key derivation will produce incorrect output even with the correct password. Stick to the command line method shown above.
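The decryption steps above, the "bad decrypt" failure described under Common Decryption Problems, and the PBKDF2 point in the table can all be exercised end to end with the script below. It is an added example written for this article, not code from Mastodon or from the article itself: it encrypts a constructed set of ten placeholder codes with the same OpenSSL parameters the article names (AES-256-CBC with -pbkdf2), decrypts them with the right password, and then shows what a wrong password and a missing -pbkdf2 flag do to the result. It is a POSIX shell script (run it in Git Bash or WSL on Windows; the individual openssl commands are identical in Command Prompt) and assumes an OpenSSL 1.1.1 or newer binary on PATH. The sample codes, the example password and the MASTODON_EXPORT_PASS variable name are the example's own inventions.

```shell
#!/bin/sh
# Added example, not code from the article or from Mastodon. Round-trips a
# constructed backup-codes file through the OpenSSL parameters the article
# names (AES-256-CBC with PBKDF2 key derivation) and demonstrates the two
# failure modes the article describes: a wrong password and a decryption
# that does not use -pbkdf2. Assumes OpenSSL 1.1.1 or newer on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PLAIN="$WORK/mastodon-2fa-backup-codes.txt"
ENC="$WORK/mastodon-2fa-backup-codes.txt.enc"

# Constructed sample: ten placeholder codes, one per line, in the layout the
# article describes. These are invented values, not codes from any account.
cat > "$PLAIN" <<'EOF'
k7m2p9qa
x3z8r1tb
h5n4w6yc
d9f2j8me
b1c7v3sn
q4t6l0zp
u8y5g2hr
e2i9o4kw
s6a1m7vd
n3x0p5jf
EOF

# Encrypt PLAIN into ENC with the password in $1. The password goes through
# an environment variable (-pass env:VAR) instead of the command line, so it
# does not appear in process listings or shell history. MASTODON_EXPORT_PASS
# is this example's own variable name.
encrypt_codes() {
  MASTODON_EXPORT_PASS="$1" openssl enc -aes-256-cbc -pbkdf2 -salt \
    -in "$PLAIN" -out "$ENC" -pass env:MASTODON_EXPORT_PASS
}

# True if ENC starts with OpenSSL's 8-byte "Salted__" magic; the 8-byte salt
# that PBKDF2 mixes into the key follows it. The article's decrypt command
# has no -a flag, so the file is raw bytes rather than base64 text.
has_salted_header() {
  [ "$(dd if="$ENC" bs=8 count=1 2>/dev/null)" = "Salted__" ]
}

# Decrypt ENC with password $1 into file $2; any further arguments are handed
# to openssl. With -pbkdf2 this is the article's own command. Without it,
# OpenSSL falls back to its legacy EVP_BytesToKey derivation and the key no
# longer matches. Returns openssl's exit status; "bad decrypt" on stderr is
# the padding check failing, which is how a wrong key usually shows up.
decrypt_codes() {
  pass=$1; out=$2; shift 2
  MASTODON_EXPORT_PASS="$pass" openssl enc -aes-256-cbc -d \
    -in "$ENC" -out "$out" -pass env:MASTODON_EXPORT_PASS "$@"
}

# Returns 0 only if decrypting with password $1 (plus any extra flags)
# reproduces the original plaintext byte for byte. A wrong key can, roughly
# one time in 256, pass the padding check and exit 0 with garbage output
# (the "garbled text" case in the article), so the comparison is against the
# plaintext rather than against openssl's exit status.
decrypt_matches() {
  pass=$1; shift
  out="$WORK/attempt.txt"
  rm -f "$out"
  decrypt_codes "$pass" "$out" "$@" 2>"$WORK/stderr.txt" || true
  cmp -s "$PLAIN" "$out"
}

GOOD_PASS='correct horse battery staple'   # constructed example password

encrypt_codes "$GOOD_PASS"
if has_salted_header; then
  echo "ciphertext starts with the Salted__ header"
fi
if decrypt_matches "$GOOD_PASS" -pbkdf2; then
  echo "correct password with -pbkdf2: all ten codes recovered"
fi
if ! decrypt_matches 'not the password' -pbkdf2; then
  echo "wrong password: $(cat "$WORK/stderr.txt")"
fi
if ! decrypt_matches "$GOOD_PASS"; then
  echo "correct password without -pbkdf2: key mismatch, nothing recovered"
fi
```

The -pass env: form replaces the interactive prompt; with the prompt, OpenSSL asks for the password twice when encrypting and once when decrypting. Because the article's decrypt command has no -a flag, the script writes and reads OpenSSL's raw binary format, which begins with the eight bytes Salted__ followed by the salt. If your exported file opens in Notepad as readable base64 text instead, add -a to the decrypt command.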
Now you can decrypt any Mastodon 2FA backup codes file and recover your login recovery codes. Keep the decrypted file in a safe place. If you ever lose your authenticator app, open the file and use one of the codes to log in. After logging in, immediately replace the used code by generating a fresh set of backup codes from Mastodon Settings > Account > Two-factor Auth. The old decrypted file becomes invalid once you generate new codes.