WhatsApp is one of the most popular instant messaging platforms in the world. The Facebook-owned app will now let its over 2 billion users encrypt the backups of their messages. WhatsApp detailed the plan in a white paper, where it said that encrypted backups are rolling out to iOS and Android users of WhatsApp in the coming weeks. The encrypted backup is meant to secure the backups WhatsApp users already send to their Google Drive or iCloud. This will make the backups unreadable without an encryption key.
WhatsApp users who opt into encrypted backups will be asked to save a 64-digit encryption key or create a password that is tied to the key. “WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups, and getting there was a really hard technical challenge that required an entirely new framework for key storage and cloud storage across operating systems,” Facebook CEO Mark Zuckerberg said in a statement.
When a user creates a password tied to their account’s encryption key, WhatsApp will store the associated key in a physical hardware security module, or HSM, that is maintained by Facebook and can be unlocked only when the correct password is entered in WhatsApp. An HSM acts like a safety deposit box for encrypting and decrypting digital keys. Once unlocked with the associated password in WhatsApp, the HSM provides the encryption key that in turn decrypts the account’s backup, which is stored on either Apple’s or Google’s servers.
A key stored in WhatsApp’s HSM vaults will become permanently inaccessible if repeated password attempts are made. The hardware itself is located in data centers owned by Facebook around the world to protect against internet outages. This system is designed to ensure that a user’s backup is accessible only by them. WhatsApp will only know that a key exists in an HSM, not the key itself or the associated password to unlock it.
The move by WhatsApp comes as several governments around the world, like India, are pushing the instant messaging platform to break encryption in order to get to the source of messages that spread misinformation, hate speech, and similar content.