WhatsApp now offers an "end-to-end" encrypted backup - here's how it works

WhatsApp now offers an "end-to-end" encrypted backup - here's how it works

WhatsApp completely encrypts chat backups so that no one else, including WhatsApp, can see them [Facebook founder and CEO Mark Zuckerberg posted a message on his Facebook page today (October 14)

"End-to-end encrypted backup of WhatsApp starts today

"You can now protect your end-to-end encrypted backups with any password or a 64-digit encryption key known only to you WhatsApp or your backup service provider cannot read your backups or access the key needed to unlock them"

End-to-end encryption usually refers to data sent from one client device to another, not to stored data like backed up chats; WhatsApp has expanded the definition of this term slightly to include stored encryption key to unlock the backup, meaning that no one but you has the encryption key to unlock the backup

However, WhatsApp does not save backups As always, you can back up your chats to Apple iCloud or Google Drive, depending on whether you have an iPhone or Android

End-to-end encryption is optional and must be actively chosen Not all are immediately available

If you choose to encrypt your chat backups, Facebook's engineering team stated in a blog post that previous backups will be deleted

WhatsApp previously offered encryption of backups to iCloud, but as Thomas Brewster of Forbes explained in 2017, attackers could obtain encryption keys if they could spoof the phone numbers of legitimate users through a different mechanism was used

To take advantage of WhatsApp's end-to-end encrypted backup, make sure you have the latest version of WhatsApp installed on your iPhone or Android device

Note: This may or may not still be possible At the time of this writing, it could not be done on our Android devices, even though the latest version of WhatsApp was installed Here is how to check

1 Go to the settings screen; on Android, click on the three vertical dots at the top of the WhatsApp main screen

2 Tap [Chat] Tap

3 Tap [Backup Chat]

4 If end-to-end encrypted backup is provided, tap it

5 Tap Continue and follow the instructions to create your personal encryption key (described below)

6 When the process is complete, tap Done

If you chose to enable full backup encryption, the process begins with the phone generating a 256-bit (32-byte) encryption key locally This key is used by the phone to encrypt the chat backup, and the encrypted backup is uploaded to Google Drive or iCloud

There are two ways to manage WhatsApp backup encryption keys: the second is to delegate the management to WhatsApp, so that, at least in theory, the encryption key is not exposed to others

In the first method, the encryption key is displayed as 64 hexadecimal characters This looks like a long string of numbers and the letters A through F, the latter representing the numbers 10 through 15 (37]

You must write down or save this 64-character string somewhere If you lose the encryption key, WhatsApp will not be able to respond

If you need to restore a WhatsApp backup, such as when changing phones, you must type or paste the 64-character key into WhatsApp

This mechanism is illustrated in Fig

There is also a way to type a 32-byte key into WhatsApp The encryption key is somewhat complicated as it requires creating a new password (which appears to be different from the normal WhatsApp user password) to encrypt and decrypt the key

The encrypted key is stored in what is called a backup key vault, which is a hardware security module (HSM) located on at least five WhatsApp servers worldwide [According to a Facebook white paper describing the technical details, the Backup Key Vault "permanently loses access to the key after a certain number of failed access attempts If the password is entered incorrectly, the user is locked out

WhatsApp cannot see the encryption key without knowing the password, says a Facebook Engineering blog post: "WhatsApp only knows that the key exists in the HSM; WhatsApp only knows that the key exists in the HSM; WhatsApp only knows that the key exists in the HSM

In other words, the password unlocks the encryption key and the key unlocks the stored backup When retrieving the backup, WhatsApp accesses WhatsApp's servers to retrieve the encrypted encryption key Copy

Here is a diagram showing the process

There are several possible drawbacks to this new backup encryption option

First, when migrating from an old iPhone to a new iPhone or from an old Android phone to a new Android phone, it should be easy enough to retrieve the backup as long as you have the backup password or encryption key

But what about when switching platforms: WhatsApp on Android does not have access to iCloud, and WhatsApp on iOS does not have access to Google Drive But there may be a workaround we are unaware of

Second, do not do this on more than one device at a time As stated in the Facebook whitepaper, "End-to-end encrypted backup is only supported on the user's primary device"

Third, the white paper states that "we recommend that users who choose end-to-end encrypted backup also deselect WhatsApp from the apps included in device-level backup"

This is because chats stored on a device may be backed up unencrypted to a regular full device backup unless the user excludes that chat from the regular backup

Below are the steps to exclude chat backups from WhatsApp's iCloud full-device backups; as WhatsApp says, "Disabling iCloud auto backup does not enable end-to-end encrypted backups" End-to-end encrypted backups must be set up manually

Finally, if you forget or lose your 64-character encryption key or backup password, your backup will be completely lost You can probably create a new password or encryption key and start over again As long as your old WhatsApp chats are stored on your phone, they will not be completely lost

Categories