WhatsApp has launched end-to-end encrypted backups that will allow users to protect all their stored messages, photos, videos and calls with a password or 64-digit key.
The feature is being rolled out globally to iOS and Android users to provide an ‘optional extra layer of protection’ to existing backups, according to a spokesperson for the social media giant.
Facebook, which owns WhatsApp, said that with end-to-end encrypted backups, the entire messaging process is now more secure, even when stored in the cloud.
It claims no other messaging service on the scale of WhatsApp ‘provides that level of overall security for users content’.
The update means that, on top of the encryption provided by cloud storage solutions like iCloud, Google Drive and Dropbox, the backup file will also have encryption.
WhatsApp has launched end-to-end encrypted backups that will allow users to protect all their stored messages, photos, videos and calls with a password or 64-digit key
Users can opt to secure their backup file with a 64-digit encryption key, or simply with a password
The firm says the new feature will provide users with more privacy and security for their digital conversations.
It isn’t being rolled out all at once, but rather slowly around the world ‘to ensure a consistent and reliable user experience for people on iOS and Android.’
‘WhatsApp was built on a simple idea: what you share with your friends and family stays between you,’ said Facebook CEO Mark Zuckerberg.
The firm added end-to-end encryption to messages about five years ago, and that protects about 100 billion messages per day shared between two billion users.
However, that only applied to messages sent, received and stored on the user’s device, rather than to any of the regular backups made for you by WhatsApp – until now.
‘We are making available an extra, optional layer of security to protect backups stored on Google Drive or iCloud with end-to-end encryption,’ said Zuckerberg.
‘No other global messaging service at this scale provides this level of security for their users’ messages, media, voice messages, video calls, and chat backups.’
Users can use the feature to secure end-to-end encrypted backups with either a password or a 64-digit encryption key that only they know.
Neither WhatsApp nor the backup service provider, be it Apple, Google, Microsoft or DropBox, will be able to read the backups or access the key required to unlock it.
‘With more than 2 billion users, we are excited to give people more choices to protect their privacy,’ a spokesperson said.
A good way to think about it is that it will be similar to, but more secure than, a safety deposit box at a bank – only the account owner will have the key.
‘We believe that this will give our users a meaningful advancement in the safety of their personal messages,’ Facebook added.
Users are also able to secure their backup with a password, linked to a key vault where a 64 digit encryption key is saved by WhatsApp, but not accessible to WhatsApp
People can already backup their WhatsApp message history via cloud-based services like Google Drive and iCloud.
WhatsApp does not have access to these backups, and they are secured by the individual cloud-based storage services.
But now, if people choose to enable end-to-end encrypted (E2EE) backups, neither WhatsApp nor the backup service provider will be able to access their backup or their backup encryption key.
To enable E2EE backups, Facebook developed an entirely new system for encryption key storage that works with both iOS and Android.
With E2EE backups enabled, backups will be encrypted with a unique, randomly generated encryption key. Users can then opt to secure the key manually or use a password linked to their WhatsApp account.
When someone opts for a password, the key is stored in a Backup Key Vault that is built based on a component called a hardware security module.
This is a specialised, secure piece of hardware that can be used to securely store encryption keys that can’t be accessed without the correct password.
When the account owner needs access to their backup, they can access it with their encryption key, or they can use their personal password to retrieve their encryption key from the Backup Key Vault and decrypt their backup.
The vault will be responsible for enforcing password verification attempts and rendering the key permanently inaccessible after a limited number of unsuccessful attempts to access it – making the backup file effectively unavailable.
‘These security measures provide protection against brute-force attempts to retrieve the key,’ Facebook added.
‘WhatsApp will know only that a key exists. It will not know the key itself.’