Apple has enabled end-to-end encryption for iCloud backups
Apple launched Advanced Data Protection, an end-to-end encryption scheme that prevents data stored in a user’s iCloud from being decrypted by anyone other than the user’s own trusted devices.
Advanced Data Protection keeps most of your iCloud account data protected even if Apple’s servers are breached, and it also prevents Apple itself from accessing your phone’s iCloud backups when law enforcement requests them.
Advanced Data Protection, currently available in the US to Apple Beta Software Program members, will be rolled out to all US users by the end of the year (the rest of the world will get it in 2023). Advanced Data Protection lets iCloud customers use trusted devices (such as their iPhones and Macs) that have exclusive access to the encryption keys for most of their data.
When Advanced Data Protection is turned on, Apple’s servers cannot change certain iCloud settings on behalf of users or access data stored in iCloud backups, including data that third-party apps mark as encrypted.
Prior to the deployment of Advanced Data Protection, iCloud users could not prevent Apple from viewing the contents of device backups, including text messages and contacts. Readers may recall the tech giant’s battle with the FBI over the San Bernardino shooter’s encrypted iPhone data, in which the agency tried to force Apple to unlock the secured iPhone through court. At the time, Apple argued that the FBI could instead access the data through unencrypted iCloud backups. Previously, Apple had to abandon the introduction of end-to-end encryption under pressure from the authorities.
Notably, Advanced Data Protection doesn’t work with iWork collaboration tools, shared photo albums, iCloud mail, contacts or calendar – Apple says this is due to compatibility requirements.
To use Advanced Data Protection, you must:
- use an Apple ID with two-factor authentication enabled;
- set a passcode on your devices;
- update these devices to the latest OS version (including beta versions!);
- use the latest version of iCloud.
The feature does not yet support managed Apple IDs or child accounts, as Apple warns in a support document. Apple also notes that if account recovery fails (for example, because the recovery contact information is out of date), any encrypted iCloud data will be lost.
Along with Advanced Data Protection, Apple announced two other security-related features: iMessage Contact Key Verification and Security Keys.
Apple says iMessage Contact Key Verification allows users who face elevated digital threats (journalists, politicians, celebrities) to opt in to an additional check that they are exchanging messages only with the people they intend to. It says iMessage Contact Key Verification will send an alert if an attacker compromises the cloud servers, and lets users compare a contact’s verification code directly in person, in FaceTime, or via another secure call.
Security keys build on Apple’s existing two-factor authentication system and require a hardware security key as one of the two authentication factors for Apple ID credentials. Hardware keys are Bluetooth, NFC or USB devices.
iMessage Contact Key Verification and Apple ID Security Keys will be available worldwide starting in 2023.
Enable end-to-end encryption
If you live in the US and are a member of the Apple Beta Software Program, you can activate Advanced Data Protection for iCloud on iPhone by following the instructions below.
This requires iOS 16.2, which is currently only available in beta. Apple says it will be available to the general public in the US by the end of 2022, and in the rest of the world in early 2023.
You will need to update all Apple devices to the latest OS version using the quick instructions above (or remove them from your account) and set up Account Recovery. At the time of writing, that means iOS 16.2, iPadOS 16.2, watchOS 9.1, and macOS 13.1. Any HomePods or Apple TVs using your iCloud account must also be updated to at least version 16.2. To avoid misunderstandings, the names of the menu items are given in English.
Account recovery settings
It is imperative that you set up Account Recovery as Apple will no longer be able to help you recover your data.
- Go to Settings > iCloud > Advanced Data Protection.
- You can tap Account Recovery to set it up first, or go straight to Advanced Data Protection; the wizard will guide you through the recovery settings as part of the process. You can set a recovery contact and/or a recovery key along the way.
- If you select a recovery contact, you will see a list of suggested contacts. Tap the blue plus icon to search your entire contact list. Be sure to choose a contact who has an Apple device and can always be reached easily if your account is locked.
- As the next step, you will be prompted to send a message to this contact asking them to approve your request. You can send the template text or edit it. When the request is approved, you will receive a push notification.
- To use a recovery key, select this option and be prepared to write down or otherwise save the generated 28-character key; it should be easily accessible in case of an account lockout. To complete the setup, the wizard will ask you to enter the generated sequence of characters.
Enable data protection
Go to Settings > iCloud > Advanced Data Protection.
Next, you’ll need to make sure all devices linked to your Apple ID are up to date, or you’ll have to remove them from your account in Settings. Then just follow the wizard to finish.