WhatsApp announced on September 10 that saved conversations on iOS or Android will soon be able to be end-to-end encrypted. But how does it work? Can WhatsApp backups that go through the cloud (Google Drive or iCloud) really be encrypted?
- This feature will be deployed in the coming weeks on Android and iOS.
- It will be an opt-in, which the user can activate or not, at first.
There’s a reason why Signal only offers local backups, and Telegram doesn’t store your secret exchanges in the cloud. The only way to be sure that your backups remain secure is to ensure that they do not pass through any server and that they are stored locally.
But apparently, WhatsApp has managed to break this compromise by developing an encryption solution for cloud-based backups. This famous solution, which will be deployed in the coming weeks on iOS and Android.
End-to-end encrypted cloud backups? How does it work?
On both iOS and Android, WhatsApp will be able to protect your saved conversations in two ways. First, you will need to generate a 64-digit encryption key to lock your chats stored on iCloud and Google Drive.
This encryption key can then either be stored locally or in a password manager of your choice. You will also have the option to create a password to save this encryption key in a secure online vault, developed specifically for this purpose, by WhatsApp.
Facebook refers to this as an HSM or hardware security module. WhatsApp will only know whether a key exists within an HSM, but will not know the key itself or the password associated with it to unlock the HSM.
If you opt for the latter, you won’t be able to access the key without entering your password. If you forget your encryption key, the key is permanently lost, and so is the backup of your conversations, as WhatsApp does not know your password.
Once unlocked with the password associated with it in WhatsApp, the HSM provides the encryption key, which in turn decrypts the account backup that is stored on Apple or Google servers. A key stored in one of WhatsApp’s HSM vaults will become permanently inaccessible after several repeated attempts at the wrong password. The hardware itself is located in Facebook-owned data centers around the world to protect against network outages.
What do you think of this solution? Does this promise of encryption reassure you about the security of your data on WhatsApp?