WhatsApp has long been said to be working on a feature that would secure its chat backups on Google Drive and Apple’s iCloud using end-to-end encryption (E2E), the same technique that WhatsApp uses to safeguard all the communication taking place on its platform. Reports in the past have detailed how this feature could be implemented. Now, months later, WhatsApp has finally announced that it is rolling out end-to-end encrypted chat backups on its platform.
“People can already backup their WhatsApp message history via cloud-based services like Google Drive and iCloud. WhatsApp does not have access to these backups, and they are secured by the individual cloud-based storage services…But now, if people choose to enable end-to-end encrypted (E2EE) backups once available, neither WhatsApp nor the backup service provider will be able to access their backup encryption key,” WhatsApp wrote in a blog post announcing the news.
What’s interesting about WhatsApp’s new feature is that, unlike the end-to-end encryption (E2E) that it uses by default to secure all conversations on its platform, end-to-end encrypted chat backup is not a default feature. Simply put, WhatsApp users need to opt in to this feature to ensure that their chat backups on Google Drive or iCloud are protected by the same encryption technique that the company uses to safeguard chats on its platform.
How E2EE backups work
WhatsApp says that to enable E2EE backups, it developed a new system for encryption key storage that works with both iOS and Android. With this encryption system, chat backups will be encrypted with a unique, randomly generated encryption key. People can choose to secure the key manually or with a user password.
When a WhatsApp user opts for a password, the key is stored in a Backup Key Vault built on a component called a hardware security module (HSM): specialized, secure hardware that can be used to securely store encryption keys. When the account owner needs access to their backup, they can access it with their encryption key, or they can use their personal password to retrieve their encryption key from the HSM-based Backup Key Vault and decrypt their backup. The HSM-based Backup Key Vault will be responsible for enforcing limits on password verification attempts and rendering the key permanently inaccessible after a minimal number of unsuccessful attempts to access it.
This security system will provide protection against malicious hackers trying to use brute-force techniques to crack passwords in a bid to gain access to a user’s chat backup. “WhatsApp will know only that a key exists in the HSM. It will not know the key itself,” WhatsApp explained.
When someone wants to retrieve their backup, they will have to enter their password, which is encrypted and then verified by the Backup Key Vault. Once it is verified, the Backup Key Vault will send the encryption key back to WhatsApp, which can then be used to decrypt the chat backup.
“Alternatively, if an account owner has chosen to use the 64-digit key alone, they will have to manually enter the key themselves to decrypt and access their backups,” WhatsApp added.
Both of these options, ‘Create a password’ and ‘Use a 64-digit encryption key instead’, will be available within WhatsApp’s settings.
As for availability, WhatsApp said that it will release end-to-end encrypted chat backups as an optional feature, rolling it out on its iOS and Android apps in the coming weeks.