WhatsApp offers the option of encrypting the chat backups that are saved in the cloud, on either Google Drive or iCloud.
This means that the system can be configured to protect the backups made in the cloud with a password or a 64-digit encryption key that only the user knows. As the company explained when it announced this feature, “no one, not even WhatsApp or your backup provider, will be able to read your backups or have access to the key to unlock them.”
Didn’t WhatsApp already offer end-to-end encryption? Yes, but only for messages that are sent and received on the device. That encryption has been on by default since 2016. What was added in October 2021 is the option of also applying end-to-end encryption (E2EE) to the backup of the conversations that is stored in the cloud.
How to activate end-to-end encryption on copies made in the cloud
This option is available for both Android and iOS users. The former back up to Google Drive, and the latter to iCloud. Here is how to activate this option step by step, in either case:
1. Open Settings.
2. Touch Chats/Backup/End-to-end encrypted backup.
3. Press Activate, and then follow the steps to create a password or key.
This process may take some time. It should be noted that if the user loses his password or the autogenerated key, he will not be able to restore his backup.
How to disable end-to-end encrypted backup
1. Open Settings.
2. Go to Chats/Backup/End-to-End Encrypted Backup.
3. Touch Deactivate.
4. Enter the password.
5. Touch Deactivate to confirm the decision.
What is end-to-end encryption and what is it for?
It is a security technique that makes all the content shared through the messaging service (messages, photos, videos, etc.) travel in encrypted form and only be decrypted when it reaches the receiving device. This means that even if an attacker intercepted the content during transmission, he could not access it because it is encrypted, that is, “unreadable”.
Before a message leaves the sender’s mobile, it is secured with a cryptographic padlock, of which only the recipient has the key. Also, the keys change with each message that is sent. Thus, end-to-end encryption ensures that data is transferred securely between endpoints: sender and receiver.
The technology behind this encryption
To enable E2EE backups, the company developed a new encryption key storage system that works with both iOS and Android. With this option, backups are encrypted with a randomly generated unique encryption key.
Users can choose to secure the key manually or with a user password. When someone chooses a password, the key is stored in a Backup Key Vault built on a component called a hardware security module (HSM), which is specialized hardware that can be used to securely store encryption keys.
When the account owner needs to access their own backup, they can access it with their encryption key or they can use their personal password to retrieve their encryption key from the HSM-based Backup Key Vault and decrypt their backup.
The HSM-based Backup Key Vault is responsible for enforcing the limit on password verification attempts and for making the key permanently inaccessible after a limited number of failed attempts to access it. These security measures provide protection against brute-force attempts to recover the key. WhatsApp only knows that a key exists in the HSM, but does not know the key itself.
When someone wants to retrieve the backup, they have to enter the password, which is encrypted and then verified by the Backup Key Vault. Once the password is verified, the Backup Key Vault sends the encryption key to the WhatsApp client.
With the key in hand, the WhatsApp client can decrypt the backups. On the other hand, if the account owner has chosen to use only the 64-digit key, then he will have to manually enter the key to decrypt and access his backups.