WhatsApp already has end-to-end encryption by default, so the messages sent via WhatsApp can be seen only by the sender and recipient. Today, WhatsApp announced that it will give people the option to protect their WhatsApp backups using end-to-end encryption as well.
Until now, when you back up your WhatsApp message history to Google Drive or iCloud, WhatsApp does not have access to these backups, but Google or Apple can access them. With the upcoming end-to-end encrypted (E2EE) backups, neither WhatsApp nor the backup service provider (Apple or Google) will be able to access a user's backup or the backup encryption key.
Here’s how encrypted backups work:
- To enable E2EE backups, WhatsApp developed an entirely new system for encryption key storage that works with both iOS and Android.
- With E2EE backups enabled, backups will be encrypted with a unique, randomly generated encryption key.
- People can choose to secure the key manually or with a user password.
- When someone opts for a password, the key is stored in a Backup Key Vault built on a component called a hardware security module (HSM) — specialized, secure hardware that can be used to securely store encryption keys.
- When the account owner needs access to their backup, they can access it with their encryption key, or they can use their personal password to retrieve their encryption key from the HSM-based Backup Key Vault and decrypt their backup.
- The HSM-based Backup Key Vault will be responsible for enforcing the limit on password verification attempts and rendering the key permanently inaccessible after a limited number of unsuccessful attempts to access it.
- These security measures provide protection against brute-force attempts to retrieve the key.
- WhatsApp will know only that a key exists in the HSM. It will not know the key itself.