WhatsApp E2EE backups will be encrypted with a unique encryption key, which we can also protect with a password.
For years, WhatsApp has provided all of its users with end-to-end encryption of their messages, so that they can only be viewed by the sender and recipient and not by anyone else, although this has been challenged recently.
In addition, all WhatsApp users have the option of backing up their conversations through cloud-based services such as Google Drive or iCloud.
This backup is protected by the cloud storage services themselves. Now, however, Facebook has just confirmed on its official developer blog that WhatsApp is finally going to enable end-to-end encryption on backups as well, which means that neither WhatsApp nor the cloud storage provider (Google or Apple) will be able to access our backups or their encryption keys.
How do WhatsApp’s end-to-end encrypted backups work?
Facebook has developed a brand-new system for storing encryption keys that works on both iOS and Android and will be used to encrypt backups.
Users will have the option of storing their encryption key manually or protecting it with a password. In the latter case, the key is kept in a Backup Key Vault built on a Hardware Security Module (HSM), hardware designed to keep encryption keys safe.
When we need to access our backup, we can do so by using our password to get our encryption key from the HSM-based Backup Key Vault and decrypting the file.
The Backup Key Vault is an HSM-based solution that will ensure that the key is permanently locked after a limited number of unsuccessful attempts to access it, thus protecting us against brute force attacks.
In addition, WhatsApp will only know that a key exists in the HSM, but will not know the key itself.
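The behaviour described above can be sketched as a small model. This is an added example, not WhatsApp's code or protocol: the class and method names, the PBKDF2 parameters, the attempt limit of 5 and the counter reset on success are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

class VaultLocked(Exception):
    """Raised once the record has been permanently locked."""

class BackupKeyVault:
    """Toy stand-in for the HSM-side logic (hypothetical, not WhatsApp's protocol)."""

    def __init__(self, max_attempts=5):  # limit is assumed; the article gives none
        self.max_attempts = max_attempts
        self._records = {}

    @staticmethod
    def _derive(password, salt):
        # 64 bytes: first half verifies the password, second half masks the key.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

    def register(self, account, password, backup_key):
        if len(backup_key) != 32:
            raise ValueError("backup key must be 32 bytes")
        salt = os.urandom(16)
        material = self._derive(password, salt)
        wrapped = bytes(k ^ m for k, m in zip(backup_key, material[32:]))
        self._records[account] = {"salt": salt, "verifier": material[:32],
                                  "wrapped": wrapped, "failures": 0}

    def has_key(self, account):
        # Models the claim that the service only learns whether a key exists.
        rec = self._records.get(account)
        return rec is not None and rec["wrapped"] is not None

    def retrieve(self, account, password):
        rec = self._records[account]
        if rec["wrapped"] is None:
            raise VaultLocked("too many failed attempts; key is gone")
        material = self._derive(password, rec["salt"])
        if hmac.compare_digest(material[:32], rec["verifier"]):
            rec["failures"] = 0  # assumption: a success resets the counter
            return bytes(w ^ m for w, m in zip(rec["wrapped"], material[32:]))
        rec["failures"] += 1
        if rec["failures"] >= self.max_attempts:
            rec["wrapped"] = None  # permanent lock: wrapped key is discarded
        return None

if __name__ == "__main__":
    vault = BackupKeyVault(max_attempts=3)
    vault.register("demo-account", "constructed-password", os.urandom(32))
    print([vault.retrieve("demo-account", g) for g in ("a", "b", "c")])
    print("key still available:", vault.has_key("demo-account"))
```

Because the attempt counter lives inside the vault rather than on the client, the number of password guesses is capped no matter how fast the guessing side is, and after the cap even the correct password no longer recovers the key.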
Over the next few weeks, end-to-end encrypted backups will be released for iOS and Android, and at Andro4all we'll keep you up to date as new developments occur.