Facebook has announced plans to further improve WhatsApp privacy and security by allowing users to encrypt their message history backups in the cloud.
While a user can easily turn on WhatsApp on any new device, given that accounts are phone number-based, conversation history isn’t available unless a backup was created on the previous device. Users can set time intervals for the creation of local backups and can also choose to store those in the cloud, for fast access.
While conversations in WhatsApp have been end-to-end encrypted for years (with only the sender and recipient being able to view them), backups have been stored in the cloud unencrypted, albeit secured by the cloud services providers.
By adding an end-to-end encryption option for backups stored in the cloud, Facebook essentially ensures that no one but the account owner can access these backups and their backup encryption key.
Facebook says it came up with a new system for storing encryption keys to make the end-to-end encrypted backups feature possible: a unique, randomly generated encryption key is used to encrypt the backup and the user can opt to secure that key manually or with a password.
“When someone opts for a password, the key is stored in a Backup Key Vault that is built based on a component called a hardware security module (HSM) — specialized, secure hardware that can be used to securely store encryption keys,” Facebook explains.
The account owner can access the backup either using the encryption key or their personal password to retrieve their encryption key and decrypt the backup. Once the user provides the password, the Backup Key Vault sends the encryption key to the WhatsApp client, which can then decrypt the backup.
If the user chooses to secure the key on their own, they would need to manually enter the encryption key themselves to access the backup’s content.
The HSM-based Backup Key Vault will enforce password verification attempts and will render the key permanently inaccessible after a specific number of unsuccessful access attempts, to ensure that attackers can’t brute-force their way to the key.
Both iOS and Android users will get the option of end-to-end encrypted backups in the coming weeks.
“WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups, and getting there was a really hard technical challenge that required an entirely new framework for key storage and cloud storage across operating systems,” Mark Zuckerberg, CEO of Facebook, commented.
Related: Ireland Fines WhatsApp 225M Euros for Breaching EU Privacy Laws
Related: Consumer Group Lodges EU Complaint Against WhatsApp