WhatsApp, the popular Facebook-owned instant messaging platform, announced on Friday that it will let its more than 2 billion users fully encrypt the backups of their messages.
The plan, which WhatsApp has detailed in a white paper before rolling out to users on iOS and Android in the coming weeks, is meant to secure the backups WhatsApp users already send to either Google Drive or Apple’s iCloud, making them unreadable without an encryption key, ANI reported.
Users who opt into encrypted backups will be asked to save a 64-digit encryption key or create a password that is tied to the key.
Facebook CEO Mark Zuckerberg said in a statement, “WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups, and getting there was a really hard technical challenge that required an entirely new framework for key storage and cloud storage across operating systems.”
When a user creates a password tied to their account’s encryption key, WhatsApp will store the associated key in a physical hardware security module, or HSM, that is maintained by Facebook and can be unlocked only when the correct password is entered in WhatsApp.
An HSM acts like a safety deposit box for encrypting and decrypting digital keys. Once unlocked with the associated password in WhatsApp, the HSM provides the encryption key, which in turn decrypts the account’s backup stored on either Apple’s or Google’s servers.
A key stored in WhatsApp’s HSM vaults will become permanently inaccessible if repeated password attempts are made. The hardware itself is located in data centers owned by Facebook around the world to protect against internet outages.
This system is designed to ensure that a user’s backup is only accessible by them. WhatsApp will only know that a key exists in an HSM, not the key itself or the associated password to unlock it.
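The vault behaviour described above can be modelled in a few lines of Python. This is an added illustration, not WhatsApp's code: the `KeyVault` class, the limit of 10 attempts, the PBKDF2 password check, the reset of the counter on success and the use of hex digits for the 64-digit key are all assumptions made for the sketch.

```python
import hashlib
import hmac
import os
import secrets

MAX_ATTEMPTS = 10  # assumed limit; the article gives no number

def new_backup_key():
    """Random 256-bit backup key written as 64 digits (hex is an assumption)."""
    return secrets.token_hex(32)

class KeyVault:
    """Toy stand-in for the HSM vault: releases a key only for the right password."""
    def __init__(self):
        self._records = {}

    @staticmethod
    def _stretch(password, salt):
        # Slow hash so the stored verifier is costly to brute-force offline.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, account, password, backup_key):
        salt = os.urandom(16)
        self._records[account] = {"salt": salt, "key": backup_key, "failures": 0,
                                  "verifier": self._stretch(password, salt)}

    def unlock(self, account, password):
        rec = self._records.get(account)
        if rec is None or rec["key"] is None:
            raise PermissionError("no key available for this account")
        candidate = self._stretch(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["verifier"]):  # constant-time compare
            rec["failures"] = 0  # assumption: a success resets the counter
            return rec["key"]
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            rec["key"] = None  # key destroyed: permanently inaccessible
        raise ValueError("wrong password")

def attempts_before_lockout(vault, account, guesses):
    """Count wrong guesses the vault accepts before it stops answering."""
    tried = 0
    for guess in guesses:
        try:
            vault.unlock(account, guess)
            return tried  # a guess was correct
        except ValueError:
            tried += 1
        except PermissionError:
            break  # vault locked; further guessing is pointless
    return tried
```

The point of the attempt counter is that a short, memorable password can guard a 256-bit key: guessing is capped at a handful of tries, after which even the correct password no longer recovers the key.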
The move by WhatsApp comes as several governments around the world, such as India’s, are pushing the instant messaging platform to break encryption in order to trace the source of messages that spread misinformation, hate speech, and similar content.