Last month, WhatsApp announced that it will give people the option to protect their WhatsApp backups using end-to-end encryption. Today, WhatsApp announced that end-to-end encrypted (E2EE) backups are now available for Google Drive or iCloud. With this new type of backup, neither WhatsApp nor the backup service provider (Apple or Google) will be able to access your backup or the backup encryption key.
You can now secure your end-to-end encrypted backup with either a password of your choice or a 64-digit encryption key that only you know.
Here’s how encrypted backups work:
- To enable E2EE backups, WhatsApp developed an entirely new system for encryption key storage that works with both iOS and Android.
- With E2EE backups enabled, backups will be encrypted with a unique, randomly generated encryption key.
- People can choose to secure the key manually or with a user password.
- When someone opts for a password, the key is stored in a Backup Key Vault that is built on a component called a hardware security module (HSM) — specialized, secure hardware that can be used to securely store encryption keys.
- When the account owner needs access to their backup, they can access it with their encryption key, or they can use their personal password to retrieve their encryption key from the HSM-based Backup Key Vault and decrypt their backup.
- The HSM-based Backup Key Vault will be responsible for enforcing the limit on password verification attempts and rendering the key permanently inaccessible after a limited number of unsuccessful attempts to access it.
- These security measures provide protection against brute-force attempts to retrieve the key.
- WhatsApp will know only that a key exists in the HSM. It will not know the key itself.