Facebook explains how WhatsApp end-to-end encrypted backups work

On September 10, 2021, WhatsApp end-to-end encrypted backups for Android and iOS devices were officially announced. This feature further strengthens and protects the privacy of message backups. The Facebook-owned WhatsApp has provided end-to-end encrypted messages for a while now, although that additional security has not been used for backups in the past.

Nor has it applied to backed-up media; backups have relied on the encryption provided by the cloud provider that hosts them. Those cloud providers can decrypt the backups if the need arises, which is obviously far from ideal for privacy.

The company has begun testing end-to-end encrypted backups in the beta version of WhatsApp, and now, ahead of the wider release, Facebook has explained exactly how those encrypted backups work.

How WhatsApp’s end-to-end encrypted backups work

Facebook says it has built a completely new end-to-end encryption system that works on both iOS and Android. Backups are encrypted with a unique, random key, and that key can be secured either manually or with a password.

If the user chooses to secure the key with a password, they can access the Hardware-security-module-based Backup Key Vault to retrieve their encryption key and decrypt the backup.

This vault is responsible for enforcing limits on password verification attempts and for making the key permanently inaccessible after too many unsuccessful attempts to retrieve it. This prevents brute-force attacks, and WhatsApp will never know the key.

Storing keys in the Backup Key Vault

WhatsApp uses an existing service called ChatD, which handles client connections and client authentication. It will implement a protocol that sends backup keys to and from WhatsApp's servers, while the client and the key vault exchange encrypted messages.

Backups are produced as a continuous stream of encrypted data, which the encryption key can be used to decrypt. Once encrypted, backups can be stored off the device, including on Google Drive or iCloud.

Facebook says that, to handle the number of users who rely on WhatsApp, the key vault service will be distributed geographically across all data centers once completed. Facebook also released two graphics that show how end-to-end encryption works when you use a key to decrypt your backup, or when you use a user password to decrypt it.

Here’s the encryption and decryption process when using a password

If the account owner uses a password to access their backup, then it will work via the following process to retrieve the key from the key vault.

  1. They enter their password, which is encrypted and then verified by the Backup Key Vault.
  2. Once the password is verified, the Backup Key Vault will send the encryption key back to the WhatsApp client.
  3. With the key in hand, the WhatsApp client can then decrypt the backups.
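A simplified model of the vault behaviour described above (password check, attempt counting, then permanent loss of the key), added here as an illustration; it is not WhatsApp's or Facebook's code. The class and function names, the PBKDF2 verifier and the limit of 5 attempts are assumptions, and the encrypted transport between client and vault is left out.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5  # assumed limit; the article does not give the real number


class BackupKeyVault:
    """Toy model of the vault: holds backup keys and enforces attempt limits."""

    def __init__(self):
        self._records = {}  # account -> [salt, verifier, backup_key, failures]

    @staticmethod
    def _verifier(password, salt):
        # Slow salted hash stands in for the vault's real password check.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, account, password, backup_key):
        salt = os.urandom(16)
        self._records[account] = [salt, self._verifier(password, salt), backup_key, 0]

    def retrieve(self, account, password):
        rec = self._records.get(account)
        if rec is None or rec[2] is None:
            raise PermissionError("key permanently inaccessible")
        if hmac.compare_digest(self._verifier(password, rec[0]), rec[1]):
            rec[3] = 0  # assumption: a correct password resets the counter
            return rec[2]
        rec[3] += 1
        if rec[3] >= MAX_ATTEMPTS:
            rec[1] = rec[2] = None  # destroy verifier and key for good
            raise PermissionError("key permanently inaccessible")
        raise ValueError(f"wrong password, {MAX_ATTEMPTS - rec[3]} attempts left")


def try_passwords(vault, account, guesses):
    """Return the key if a guess succeeds, or None once the vault refuses."""
    for guess in guesses:
        try:
            return vault.retrieve(account, guess)
        except ValueError:
            continue  # wrong guess, attempts remain
        except PermissionError:
            return None  # the vault has destroyed the key
    return None
```

Because the counter lives with the key rather than on the phone, even the correct password is refused once the limit has been reached.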

If the 64-bit key alone is what’s being used, then the user will need to manually save and enter the key themselves.
