WhatsApp proposes to add an extra layer of security to the backups copies, which are stored in iCloud or in Google Drive.
WhatsApp has implemented end-to-end encryption in their backups, and users will be able to enable them by setting a password, which they will have to enter on both Android and iOS.
It is worth noting that this feature will not be activated by default, but rather that each user will have to decide if they want to take advantage of it.
By enabling this new security feature, your backups will be encrypted using a unique, automatically generated 64-digit encryption key. But the key can also be protected with a password chosen by the user. The encryption key will be stored in a physical device called Backup Key Vault; it is based on an HSM or Hardware Security Module. It is a component intended purely and exclusively for the protection of encryption keys.
Thus, then, those who want to access their backups with end-to-end encryption must necessarily use the encryption key in question. If you decide to protect it through Backup Key Vault, there is something important to keep in mind: if the system detects that the password that is entered to reveal the encryption key is incorrect, it will be permanently inaccessible after a minimum number of attempts.
In this way, WhatsApp aims to avoid brute force attacks. Furthermore, Facebook ensures that it will only know that there is a key stored in the HSM, but not the key itself, as described in a whitepaper released by Facebook.
Mark Zuckerberg, CEO of Facebook, said: “WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups, and getting there was a really hard technical challenge that required an entirely new framework for key storage and cloud storage across operating systems.”