The Facebook-owned messaging service plans to roll out the feature to both iOS and Android users in the coming weeks.
While users already had the option to back up their message history using cloud-based services, they will soon be able to store their backups end-to-end encrypted (E2EE), WhatsApp has announced.
The introduction of the new feature means that users won’t have to solely rely on the security measures implemented by their cloud-storage providers but can secure their backups including the contents of their chats before they upload them to the cloud.
Developing end-to-end encrypted backups was an incredible technical challenge: an entirely new framework for key and cloud storage.
With encrypted backups they’re only accessible to you, so that neither WhatsApp nor the backup service provider can access or decrypt the messages.
— WhatsApp (@WhatsApp) September 10, 2021
“To enable E2EE backups, we developed an entirely new system for encryption key storage that works with both iOS and Android. With E2EE backups enabled, backups will be encrypted with a unique, randomly generated encryption key. People can choose to secure the key manually or with a user password,” reads WhatsApps’s blog announcing the much-desired feature.
If the user chooses to go with the password the key will then be stored in Backup Key Vault which is built around a component known as hardware security module (HSM) – a hardware device used to protect and store digital encryption keys. In its whitepaper, the Facebook-owned messaging platform describes its HSM-based Backup Key Vault as being akin to safe deposit boxes offered by traditional banks. Once users need to access or restore their backups they can use the password they created to retrieve the key that has been stored in the HSM-based Backup Key Vault and proceed to decrypt their backup.
“The HSM-based Backup Key Vault will be responsible for enforcing password verification attempts and rendering the key permanently inaccessible after a limited number of unsuccessful attempts to access it. These security measures provide protection against brute-force attempts to retrieve the key. WhatsApp will know only that a key exists in the HSM. It will not know the key itself,” the messaging platform said, elaborating on the safety measures it has put in place.
The alternative to using a password for accessing and decrypting their backups is using a 64-digit encryption key. However, memorizing a 64-digit encryption key is easier said than done, so users will probably have to either keep a record of it somewhere (which isn’t really a safe choice) or resort to storing it in a password manager.
WhatsApp said that the end-to-end encrypted backups should be rolled out to both iOS and Android over the upcoming weeks.