How WhatsApp is enabling end-to-end encrypted backups

For years, in order to safeguard the privacy of people’s messages, WhatsApp has provided end-to-end encryption by default ​​so messages can be seen only by the sender and recipient, and no one in b…

Slavik Krassovsky
4 min readadvanced
--
View Original

Overview

WhatsApp is introducing end-to-end encrypted backups to enhance user privacy, ensuring that neither WhatsApp nor cloud service providers can access user backups or encryption keys. This new feature will allow users to secure their backups with a unique encryption key or a user-defined password, utilizing a Backup Key Vault based on hardware security modules (HSM).

What You'll Learn

1

How to enable end-to-end encrypted backups for WhatsApp

2

Why using a hardware security module (HSM) enhances backup security

3

When to choose a user password versus a unique encryption key for backups

Prerequisites & Requirements

  • Understanding of encryption concepts and cloud storage
  • Familiarity with iOS and Android platforms(optional)

Key Questions Answered

How does WhatsApp's end-to-end encrypted backup system work?
WhatsApp's end-to-end encrypted backup system uses a unique, randomly generated encryption key that can be secured with a user password. The key is stored in a Backup Key Vault, which utilizes hardware security modules (HSM) to ensure that WhatsApp and the backup service provider cannot access the key or the backup itself.
What happens if a user forgets their backup password?
If a user forgets their backup password, the encryption key stored in the HSM-based Backup Key Vault will become permanently inaccessible after a limited number of unsuccessful password attempts, preventing brute-force attacks.
What is the role of the Backup Key Vault in WhatsApp's backup process?
The Backup Key Vault is responsible for securely storing encryption keys and enforcing password verification attempts. It ensures that the keys are only accessible to authorized users and protects against unauthorized access.
How does WhatsApp ensure the availability of the Backup Key Vault?
WhatsApp ensures the availability of the Backup Key Vault by geographically distributing the service across multiple data centers. This design helps maintain service continuity in case of a data center outage.

Key Statistics & Figures

User base
over 2 billion people
This statistic highlights the scale at which WhatsApp operates and the importance of secure backup solutions for a large user base.

Technologies & Tools

Security
Hardware Security Module (hsm)
Used for securely storing encryption keys in the Backup Key Vault.
Cloud Storage
Google Drive
One of the cloud-based services where WhatsApp backups can be stored.
Cloud Storage
Icloud
Another cloud-based service where WhatsApp backups can be stored.

Key Actionable Insights

1
Implementing end-to-end encrypted backups can significantly enhance user privacy and data security in WhatsApp.
As users become more concerned about data privacy, offering encrypted backups can improve user trust and satisfaction.
2
Utilizing a hardware security module (HSM) for key storage is a best practice for safeguarding sensitive encryption keys.
HSMs provide a high level of security against unauthorized access and are crucial for applications that require stringent data protection measures.
3
Educating users on the importance of choosing a strong password for their backups can prevent data loss.
Users should be made aware that forgetting their password could lead to permanent loss of access to their encrypted backups.

Common Pitfalls

1
Users may forget their backup password, leading to permanent inaccessibility of their encrypted backups.
To avoid this, users should be encouraged to use memorable yet secure passwords and consider writing them down in a safe place.

Related Concepts

End-to-end Encryption
Data Privacy And Security
Cloud Storage Solutions
Backup Strategies