WhatsApp has launched end-to-end encrypted backups that allow users to protect all their stored messages, photos, videos and calls with a password or a 64-digit key.
The feature is rolling out to iOS and Android users worldwide to provide an “optional extra layer of protection” to existing backups, a spokesperson for the social media giant said.
Facebook, owner of WhatsApp, said that with end-to-end encrypted backups, the entire messaging process is now more secure, even when stored in the cloud.
It claims that no other messaging service on the scale of WhatsApp “provides that level of overall security for user content.”
The update means that, in addition to the encryption provided by cloud storage solutions such as iCloud, Google Drive and Dropbox, the backup file will also be encrypted.
HOW END-TO-END ENCRYPTED BACKUPS WORK ON WHATSAPP
When the account owner uses a personal password to protect their end-to-end encrypted backup, the ‘Backup Key Vault’ will store and secure the backup’s encryption key until it is retrieved.
When someone wants to retrieve their backup:
- They enter their password, which is encrypted and then verified by the Backup Key Vault
- Once the password is verified, the Backup Key Vault will send the encryption key back to WhatsApp
- With the key in hand, the WhatsApp client can then decrypt the backups
If an account owner has chosen to use only the 64-digit key, they must manually enter the key themselves to decrypt and access their backups.
The company says the new feature will provide users with more privacy and security for their digital conversations.
It’s not being rolled out all at once, but rather slowly around the world “to ensure a consistent and reliable user experience for people on iOS and Android.”
“WhatsApp is built on a simple idea: what you share with your friends and family stays between you,” said Facebook CEO Mark Zuckerberg.
The company added end-to-end encryption to messages about five years ago, protecting about 100 billion messages a day shared between two billion users.
However, that only applied to messages sent, received and stored on the user’s device, not the regular backups WhatsApp made for you – until now.
“We’re making available an additional, optional layer of security to protect backups stored on Google Drive or iCloud with end-to-end encryption,” said Zuckerberg.
“No other global messaging service on this scale offers this level of security for their users’ messages, media, voice messages, video calls, and chat backups.”
Users can use the feature to protect end-to-end encrypted backups with a password or 64-digit encryption key that only they know.
Neither WhatsApp nor the backup service provider, be it Apple, Google, Microsoft or Dropbox, can read the backups or access the key needed to unlock them.
“With more than 2 billion users, we’re excited to give people more choices to protect their privacy,” a spokesperson said.
A good way to think about it is that it will be similar to, but more secure than, a safe deposit box at a bank – only the owner of the account has the key.
“We believe this will bring meaningful progress to our users in the security of their personal messages,” Facebook added.
Users can also protect their backup with a password linked to a key vault, where the 64-digit encryption key is stored but cannot be accessed by WhatsApp.
WHAT IS END-TO-END ENCRYPTION?
End-to-end encryption ensures that only the two participants in a chat can read messages, and no one in between — not even the company that owns the service.
End-to-end encryption is intended to prevent data from being read or secretly modified as it travels between the two parties.
The cryptographic keys needed to access the service are automatically provided only to the two people in each conversation.
In decrypted form, messages are accessible to a third party, which allows governments to intercept them for law enforcement reasons.
Facebook-owned WhatsApp is already encrypted, and now Mark Zuckerberg wants to do the same with Facebook Messenger and Instagram Direct.
People can already back up their WhatsApp message history through cloud-based services like Google Drive and iCloud.
WhatsApp cannot access these backups and they are protected by the individual cloud-based storage services.
But if people now choose to enable end-to-end encrypted (E2EE) backups, neither WhatsApp nor the backup service provider will be able to access their backup or their backup encryption key.
To enable E2EE backups, Facebook has developed an entirely new encryption key storage system that works with both iOS and Android.
When E2EE backups are enabled, backups are encrypted with a unique, randomly generated encryption key. Users can then choose to manually secure the key or use a password associated with their WhatsApp account.
When someone chooses a password, the key is stored in a Backup Key Vault built from a component called a hardware security module.
This is a specialized, secure piece of hardware that can be used to securely store encryption keys that cannot be accessed without the correct password.
If the account owner needs access to his backup, he can access it with his encryption key, or he can use his personal password to retrieve his encryption key from the Backup Key Vault and decrypt his backup.
The vault is responsible for enforcing the limit on password authentication attempts and for making the key permanently inaccessible after a limited number of failed access attempts, effectively rendering the backup file unavailable.
“These security measures protect against brute-force attempts to retrieve the key,” Facebook added.
“WhatsApp only knows that a key exists. It will not know the key itself.”