According to Facebook, WhatsApp users can now save encrypted backups in Google Drive and iCloud to keep them safe from prying eyes.
The new functionality was announced in a post by the developers. They state that the feature will be rolled out gradually to current WhatsApp versions for Android and iOS.
End-to-end encryption, in principle, ensures that only the sender and recipient can read the messages. Because the key is exclusively accessible to the user, neither WhatsApp nor, in the case of backups, Apple or Google can access the data. The developers detail how they implemented end-to-end encryption for WhatsApp backups in accompanying documentation.
According to them, backups are symmetrically encrypted with a random key generated by the client. Users can protect this key from unauthorized access either with a password they choose or with a 64-digit key they produce. Once a user has selected one of the two options, backups are encrypted and uploaded to Google Drive and iCloud.
If password protection is enabled, the key is stored in the cloud in a vault based on a hardware security module. If a user wants to access his backup and enters his password, the key in the HSM validates it.
The WhatsApp service ChatD, which is in charge of client connections and authentication, is supposed to communicate in encrypted form in order to keep the key in the HSM safe from prying eyes.
If an attacker uses brute-force attacks to guess a password, a protective mechanism is supposed to make the key permanently inaccessible after a certain number of failed access attempts. Users who choose a 64-digit key operate locally and avoid verification through WhatsApp's HSM cloud.
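The attempt-limited vault and the local 64-digit path described above can be modelled in a few lines. This is an added example, not WhatsApp's code or protocol: `BackupKeyVault`, `key_from_64_digits`, the attempt limit, the PBKDF2 verifier and the hexadecimal reading of the 64 digits are all assumptions made for illustration, and an in-memory dictionary stands in for the HSM.

```python
import hashlib
import hmac
import secrets


class BackupKeyVault:
    """In-memory stand-in for the HSM-based vault (hypothetical model)."""

    def __init__(self, max_attempts=10):  # limit is an assumed value
        self.max_attempts = max_attempts
        self._records = {}

    @staticmethod
    def _verifier(password, salt):
        # Assumption: a salted PBKDF2 verifier stands in for the real check.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, password, backup_key):
        salt = secrets.token_bytes(16)
        self._records[user_id] = {
            "salt": salt,
            "verifier": self._verifier(password, salt),
            "key": backup_key,
            "failures": 0,
        }

    def retrieve(self, user_id, password):
        rec = self._records[user_id]
        if rec["key"] is None:
            raise PermissionError("backup key permanently inaccessible")
        guess = self._verifier(password, rec["salt"])
        if hmac.compare_digest(guess, rec["verifier"]):
            rec["failures"] = 0  # design choice here: success resets the counter
            return rec["key"]
        rec["failures"] += 1
        if rec["failures"] >= self.max_attempts:
            # Erase the key itself, so no later guess can recover it.
            rec["key"] = rec["verifier"] = None
        return None


def key_from_64_digits(digits):
    """64-digit path: the key is rebuilt locally, with no vault round trip.

    Assumption: the 64 digits are hexadecimal, i.e. a 256-bit key.
    """
    if len(digits) != 64:
        raise ValueError("expected exactly 64 digits")
    return bytes.fromhex(digits)
```

Because the stored key is erased once the limit is reached, even the correct password fails afterwards. The 64-digit path needs no such counter in this model because nothing is sent for verification.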