Advanced data protection on iCloud. What happens if all trusted devices get stolen?

[kepano]

As I understand it, with "Advanced Data Protection" the encryption keys are stored on the "Trusted Devices" (and no longer at Apple). Can anyone tell me what happens if I have a break-in or a fire and all my Trusted Devices including the devices of my "recovery contact" are gone? Do I then have any chance of accessing my iCloud data, as neither I nor Apple will have the encryption keys?

 

[chown33]

See here:

How to turn on Advanced Data Protection for iCloud - Apple Support

Advanced Data Protection for iCloud offers our highest level of cloud data security and protects the majority of your iCloud data using end-to-end encryption.

support.apple.com

You should setup a recovery contact and a recovery key.

The search terms I used to find that page are: apple advanced data protection recovery

 

[kepano]

Thank you. Apple doesn't say you need both, but at least one. I'm not a big fan of recovery keys because it's difficult to keep them protected, so I prefer the recovery contact only.

My question is not answered in the Apple article; instead Apple writes: "If you ever lose access to your account, you'll need to use one of your account recovery methods - your device passcode or password, your recovery contact, or recovery key - to recover your iCloud data." So no mention of the loss of Trusted Devices being a problem. I see a certain contradiction here with the statement that the keys are only stored on the "Trusted Devices". Assuming these trusted devices are gone, is there any way to get these keys from somewhere else? That is the question that interests me.

 

[chown33]

... Assuming these trusted devices are gone, is there any way to get these keys from somewhere else? That is the question that interests me.

That appears to be what the recovery key does.

The description lists only 2 other elements used with a recovery key:
1. a trusted phone number
2. an Apple device.

I think it's reasonable to conclude that neither of those has your keys on it, which leaves only the recovery key.

 

[kepano]

Not sure. As per my understanding:

The iCloud recovery key is an alternative to the account recovery process; both allow you to access the iCloud account or change the iCloud password.

The said encryption keys are keys for encrypting files e.g. Photos. They were previously stored on Apple's servers and, according to Apple, are now stored on the Trusted Devices when using Advanced Data Protection. These are not the same as the iCloud recovery keys, which are not stored on the trusted devices.

 

[chown33]

I'm just going by the description given in the referenced page, and applying basic logic.

If you have a recovery key, and the only additional things needed to recover one's iCloud data are a trusted phone number and an Apple device that isn't already a trusted device, then where else could the ADP keys be except in the recovery key?

If the description and procedure given in the reference are incorrect or incomplete, then that's a problem with the referenced description. That's something you should take up with Apple, perhaps by submitting a bug report, or sending feedback to Apple (search terms: apple feedback).

The only way I know of to learn if the procedure for using a recovery key is correct and complete is to try it. Of course, this risks losing the data in one's iCloud storage if there is a problem, so it might be prudent to do the test on a new unique AppleID created specifically for the test, and only using resources (photos, files, whatever) that one already has a backup of, or it doesn't matter if they're lost.

 

[kepano]

Thank you very much for your answer. Whatever the correct assessment of the situation is (it is not clear to either of us), I think that Apple should clarify this critical issue openly somewhere. In other words, if I lose all my trusted devices and I don't have a recovery code (but I do have a recovery contact), can I restore my iCloud data or not? At the end of the day, it's about nothing more or less than the potential loss of all iCloud data, and the loss of all devices can happen quickly, e.g. in case of a house fire (and in this case, the recovery code would be gone, too, if it was stored as paper at home).

 

[SpiderOnly]

Has anyone gotten to the bottom of kepano's question? I can't even find this (or a similar) question raised anywhere but his post here.

 

[FreakinEurekan]

As I understand it, with "Advanced Data Protection" the encryption keys are stored on the "Trusted Devices" (and no longer at Apple). Can anyone tell me what happens if I have a break-in or a fire and all my Trusted Devices including the devices of my "recovery contact" are gone? Do I then have any chance of accessing my iCloud data, as neither I nor Apple will have the encryption keys?

Losing the trusted devices (all of them) isn’t a problem, as long as you still have your Trusted Phone Number and either a recovery contact or recovery key. Note that the Trusted Phone Number might be on one of the trusted devices (iPhone) so to avoid having to go get a new phone before you can access anything, be sure to set up a secondary Trusted Phone Number that is NOT one of your devices (I use my mom’s number, since my wife and I are often together so could both lose our iPhones). Mom is also my recovery contact, for the same reason.

The upshot is - ADP is far more secure, but requires far more planning/organization. If you’re not the type to keep up with organization - don’t use ADP.

 

[SpiderOnly]

Losing the trusted devices (all of them) isn’t a problem, as long as you still have your Trusted Phone Number and either a recovery contact or recovery key. Note that the Trusted Phone Number might be on one of the trusted devices (iPhone) so to avoid having to go get a new phone before you can access anything, be sure to set up a secondary Trusted Phone Number that is NOT one of your devices (I use my mom’s number, since my wife and I are often together so could both lose our iPhones). Mom is also my recovery contact, for the same reason.

The upshot is - ADP is far more secure, but requires far more planning/organization. If you’re not the type to keep up with organization - don’t use ADP.

(Supposing I lost all my trusted devices) If turning on ADP transfers the iCloud encryption keys from the Apple servers to my trusted devices, how can I decrypt my end-to-end encrypted data with ADP on and no trusted devices? I understand that I can recover access to my account using one of the said methods, but what remains unclear is how I can use those methods to decrypt my data, since the encryption keys were lost with my trusted devices. If my recovery key were required to decrypt this data, I’d understand, but Apple states that “if you lose access to your account, only you can recover this data, using your device passcode or password, recovery contact, or recovery key.” That “or” is what is confusing me. So, even though the keys were lost with the trusted devices, I can still decrypt the data with my passcode or password, or a recovery contact? I don’t have the keys though. Can anyone explain?

 

[NoBoMac]

Here's the Platform Security Guide's page on this:

Advanced Data Protection for iCloud

iCloud uses best-in-class security technologies and employs strict policies to protect user data, including end-to-end encryption for 14 data categories such as Health, passwords in iCloud Keychain, and more.

support.apple.com

My $0.02 quick scan/interpretation: it seems to work much like FileVault, M/T2 Mac encryption. There is a master key that is encrypted via a device-generated key and saved in the iCloud Keychain. The recovery contact/key works like FileVault's recovery key in that the master key is encrypted via the recovery contact meta-data (phone number plus other info?) or actual recovery key and save in iCloud Keychain.

So when requesting access to the data and do not have a trusted device, falls back to asking for last resort option of make a call or ask for the key, fetch that entry from Keychain, and see if a successful decrypt of the master key.

 

[SpiderOnly]

Here's the Platform Security Guide's page on this:

Advanced Data Protection for iCloud

iCloud uses best-in-class security technologies and employs strict policies to protect user data, including end-to-end encryption for 14 data categories such as Health, passwords in iCloud Keychain, and more.

support.apple.com

My $0.02 quick scan/interpretation: it seems to work much like FileVault, M/T2 Mac encryption. There is a master key that is encrypted via a device-generated key and saved in the iCloud Keychain. The recovery contact/key works like FileVault's recovery key in that the master key is encrypted via the recovery contact meta-data (phone number plus other info?) or actual recovery key and save in iCloud Keychain.

So when requesting access to the data and do not have a trusted device, falls back to asking for last resort option of make a call or ask for the key, fetch that entry from Keychain, and see if a successful decrypt of the master key.

Thanks for posting a link to the Platform Security Guide. It definitely provided some useful clarifying information. I wish it described the recovery process as well. You’re probably right in that there must be some data tied to the recovery contact that facilitates the decryption, otherwise Apple wouldn’t specify the OR condition.

 

[NoBoMac]

Recovery process: https://support.apple.com/guide/security/account-recovery-contact-security-secafa525057/web

 

[SpiderOnly]

Recovery process: https://support.apple.com/guide/security/account-recovery-contact-security-secafa525057/web

Thanks NoBoMac!

 

[willdude]

Bumping this old thread because I'm having these same questions as well, namely:

1. If all my devices are stolen or destroyed, how can I log into my iCloud device on a new account? Is there a way around the "approve on a signed-in device" requirement?
2. Will I be able to recover my ADP-encrypted iCloud data?

This page suggests creating a recovery key and writing it down/printing it out, keeping it secure. However, that page states: "To change your Apple ID password, you need a trusted device (with a passcode or password) or your recovery key." To me, that indicates that if someone steals your printed recovery key, they can reset your password and gain access to your iCloud account. This seems less secure, just having one physical thing (the printout) which can be used to totally claim ownership of your iCloud account?