The lack of end-to-end encrypted cloud backups has been a problem for Apple devices, leaving only local iTunes and Mac backups for the security-conscious. That is finally changing.
Apple today announced some upcoming security features, including “Advanced Data Protection for iCloud.” The new functionality makes it possible to store most of your iCloud data in the cloud with end-to-end encryption, including device backups, Messages, iCloud Drive, Notes, Photos, Reminders, Safari Bookmarks, Siri Shortcuts, Voice Memos and Wallet passes. Some data, such as health information and passwords in the keychain, is already end-to-end encrypted. When data is end-to-end encrypted, no one but you can access it, not Apple and not a government.
The main exceptions to full encryption at this time are iCloud Mail, Contacts, and Calendar. Apple says this is due to “the need to interoperate with global email, contacts, and calendar systems.” Many people use iCloud Mail with third-party mail clients, which would require additional software or keys to keep working. If that worries you, Proton is the most popular alternative.
Encrypted message backups should not be confused with full end-to-end encrypted messaging like you get with Signal. Apple will back up your messages and conversations securely, but since Advanced Data Protection is optional, most people you talk to probably don’t have it enabled. If Apple had a security breach, or couldn’t refuse a government mandate for user data (under the PRISM program, for example), there would still be an unencrypted copy of a given conversation in the other participants’ backups.
Advanced Data Protection is not enabled by default for anyone; you’ll need to turn it on yourself when it becomes available (before the end of the year in the US). End-to-end encryption requires a key generated locally on your device, and if you lose that key, Apple cannot recover your data for you.
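To make the two points above concrete (the provider holds only ciphertext it cannot recover for you, and an unencrypted copy of a conversation survives through a participant who has not enabled the feature), here is an added Python model. It is not Apple's code or protocol: the cipher is a standard-library toy (HMAC-SHA256 keystream with an HMAC tag) standing in for a real AEAD such as AES-GCM, and the user names, passphrases and conversation are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# ---- Toy authenticated cipher (stdlib only; a real client would use AES-GCM) ----

def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Derive the encryption key on the device. Only the salt ever leaves it."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stream-cipher keystream."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the blob layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a wrong key fails loudly, not silently."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered backup")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# ---- The provider's side: it stores whatever each device uploads ----

class CloudStore:
    def __init__(self):
        self.backups = {}  # user -> (salt or None, stored bytes)

    def upload(self, user: str, data: bytes, salt=None) -> None:
        self.backups[user] = (salt, data)

    def provider_view(self, user: str) -> bytes:
        """What the provider, an intruder after a breach, or a legal request gets."""
        return self.backups[user][1]

# Constructed sample conversation, held by both participants' devices.
CONVERSATION = b"alice: still on for 6?\nbob: yes, usual place"

def backup_messages(store: CloudStore, user: str, passphrase=None) -> None:
    """Client-side encrypted backup when a passphrase is given; server-readable otherwise."""
    if passphrase is None:
        store.upload(user, CONVERSATION)
        return
    salt = secrets.token_bytes(16)
    store.upload(user, encrypt(derive_key(passphrase, salt), CONVERSATION), salt)

def restore(store: CloudStore, user: str, passphrase: bytes):
    """Device-side restore; returns None when the key cannot be reconstructed."""
    salt, blob = store.backups[user]
    try:
        return decrypt(derive_key(passphrase, salt), blob)
    except ValueError:
        return None

def run_scenario() -> dict:
    store = CloudStore()
    backup_messages(store, "alice", passphrase=b"alice-recovery-phrase")  # feature on
    backup_messages(store, "bob")                                          # feature off
    return {
        # Whose stored copy of the conversation is readable server-side?
        "provider_can_read": {u: CONVERSATION in store.provider_view(u) for u in ("alice", "bob")},
        "alice_restore_ok": restore(store, "alice", b"alice-recovery-phrase") == CONVERSATION,
        # The passphrase is the only route to the key; losing it means no restore.
        "alice_restore_lost_key": restore(store, "alice", b"forgot-my-phrase"),
    }

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

Running it shows Alice's blob as opaque to the provider while Bob's copy of the same conversation is readable, and that Alice's backup is unrecoverable once the passphrase is gone; in the real feature the key lives on the device and in a recovery contact or recovery key rather than a passphrase, but the trust boundary is the same.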
It’s unfortunate that the highest level of security isn’t enabled for everyone, but the reason is understandable: not everyone can or wants to keep track of a separate key to unlock their data. At least it will soon be an option.