Does anyone know how long this actually takes to take effect once activated? My understanding is it needs to re-encrypt everything with a new encryption key.

I’m not sure how it’s supposed to do that without downloading all the data to one of your devices. The alternative is uploading the encryption key to a server but that seems like that would defeat the purpose of E2E encryption.
The following support article will give you some insight.


"The user can turn off Advanced Data Protection at any time. If they decide to do so:

1. The user’s device first records their new choice in iCloud Keychain participation metadata, and this setting is securely synchronized to all their devices.

2. The user’s device securely uploads the service keys for all available-after-authentication services to the iCloud HSMs in Apple data centers. This never includes keys for services that are end-to-end encrypted under standard data protection, such as iCloud Keychain and Health.

The device uploads both the original service keys, generated before Advanced Data Protection had been turned on, and the new service keys that were generated after the user turned on the feature. This makes all data in these services accessible after authentication and returns the account to standard data protection, where Apple can once again help the user recover most of their data should they lose access to their account."

 
I’ve read that, but it’s a bit confusing. Somehow the server rotates the encryption keys, but that shouldn’t be possible if the keys are stored in the iCloud Keychain, which is E2E encrypted. Unless it’s only the decryption keys which are protected.
The way I read it, after the key rotation, any data that was encrypted with keys Apple previously had access to needs to be encrypted again (and probably uploaded again). I don't see any other way it could work since Apple says they no longer have access to the old data or the ability to decrypt the old data.
 
Curious if anyone knows this…

When you get a new iPhone, do the encryption keys transfer from the old iPhone to the new iPhone?

If you lose your iPhone, can you then set up a new iPhone from an iPad or MacBook?

I’m wondering under what conditions you would need the recovery contact or keys. I thought these were in case you forgot your password.

My understanding as to how this works is that there are multiple encryption and decryption keys stored in the iCloud Keychain. Basically each device has its own keys and it shares those with all the other devices on your iCloud account so things encrypted on one device can be decrypted on others.

When a device is removed from your iCloud account, it loses access to the decryption keys. Likewise when a device is added it gains access.
 
My understanding as to how this works is that there are multiple encryption and decryption keys stored in the iCloud Keychain. Basically each device has its own keys and it shares those with all the other devices on your iCloud account so things encrypted on one device can be decrypted on others.

When a device is removed from your iCloud account, it loses access to the decryption keys. Likewise when a device is added it gains access.

I just recalled that the way this used to work is the decryption keys weren’t actually stored in the iCloud Keychain, but copies were on all the devices. That would make more sense since you can’t decrypt the Keychain without the keys.
 
Even with ADP available, I still think it is better not to keep your device backups in the cloud seeing how the user has no direct access to said backup and Apple has immediate access again if ADP is ever turned off. If a person wants to keep their device backups in iCloud, I think it is best to do an iMazing backup, encrypt the backup folder with Cryptomator, and then one can store the backup safely in iCloud. If the backup is ever needed, and one is not available locally, one can download the backup from the cloud and decrypt. Granted, if one gets locked out of the Apple account, the iMazing encrypted backup that is encrypted again with Cryptomator is of no use.
 
I am more miffed that my iPhone X and iPhone 6S aren’t allowed to be included. I use them as TV remotes and audio base stations for music.

iPhone X is actually included. It works fine on mine.

I have an iPad Air 2 on 14.8.1 and a 27-inch iMac that can't be upgraded past High Sierra. Just wondered what I'll lose when I remove them from the list. Are they unable to use iCloud anymore, or just won't have ADP? I guess what I'm asking is: will I be able to sign back in to iCloud with them after ADP is set up?

I tested this yesterday with my old iPhone X:
  • iPhone was on iOS 15
  • I removed it from my iCloud account
  • I enabled ADP
  • I tried to log back in to iCloud with the iPhone X on iOS 15, but it didn't work. I got an obscure error message saying a login is not possible
So my conclusion is that devices before iOS 16.2 and macOS 13.1 simply won't be able to login to an iCloud account with ADP enabled.

But what you could do is create a second iCloud account for all of the legacy devices and add that to your family for HomeKit and storage.

I’ve read that, but it’s a bit confusing. Somehow the server rotates the encryption keys, but that shouldn’t be possible if the keys are stored in the iCloud Keychain, which is E2E encrypted. Unless it’s only the decryption keys which are protected.
After testing the above scenario, I also...
  • Upgraded my iPhone X to iOS 16.2
  • Logged into my iCloud account that had ADP enabled
The iPhone asked me to select one of my connected devices and then enter the passcode of that device.

Based on that, I think each device encrypts all the "encryption keys" using the device's passcode and then uploads those encrypted "encryption keys" to the iCloud servers.

Since they are protected by the iOS passcode (or macOS password), Apple doesn't have access to them.

When you add a new device, it can download the encrypted "encryption keys" from your old device and if you can enter the correct passcode of the old device, you can decrypt them.

I assume, the new device then encrypts the "encryption keys" with its own passcode/password and then uploads them to iCloud so that it can be used for recovery by other new devices in the future.

I was also offered the option to use my recovery key when I selected "I can't remember any of my previous device passcodes/passwords" option.

So the conclusion here is that the security of all encrypted data depends on how strong the passcodes and passwords of all your devices are.

If one of your devices uses a weak passcode/password, then it could make it possible for Apple or law enforcement to brute-force the password protecting the "encryption keys".

So, I will probably switch from a passcode to a passphrase on my iPhone.
 
Keychain secure notes are only kept locally on the machine and not synced over iCloud, but they do get backed up by Time Machine. I still like to be safe, so a USB stick is my backup-backup.
I understand, but correct me if I'm wrong: if your account was locked you would be unable to log in on your device, so how would you access Keychain secure notes? Same with the USB stick if you only have a Mac.
 
The way I read it, after the key rotation, any data that was encrypted with keys Apple previously had access to needs to be encrypted again (and probably uploaded again). I don't see any other way it could work since Apple says they no longer have access to the old data or the ability to decrypt the old data.
It doesn't need to be that complicated. Your data is already encrypted, and Apple has the keys. When you turn on ADP, Apple puts your keys into your keychain and deletes their copies. Nothing needs to be re-encrypted. The trick is how they get the keys into your encrypted keychain. I don't know how that happens.
 
I understand, but correct me if I'm wrong: if your account was locked you would be unable to log in on your device, so how would you access Keychain secure notes? Same with the USB stick if you only have a Mac.

ADP only encrypts data synced with iCloud so you can still log into your machine and access all local files. You just wouldn't have access to iCloud data, unless I'm not understanding what you're saying.
 
It doesn't need to be that complicated. Your data is already encrypted, and Apple has the keys. When you turn on ADP, Apple puts your keys into your keychain and deletes their copies. Nothing needs to be re-encrypted. The trick is how they get the keys into your encrypted keychain. I don't know how that happens.
"Second, the device initiates the removal of the available-after-authentication service keys from Apple data centers. As these keys are protected by iCloud HSMs, this deletion is immediate, permanent, and irrevocable. After the keys are deleted, Apple can no longer access any of the data protected by the user’s service keys."

I don't see how replacing the existing Apple managed key with a user managed key allows anyone to continue accessing the pre-ADP uploaded data. I suspect that the important part I am missing is the use of what Apple calls Service Keys.
 
I just recalled that the way this used to work is the decryption keys weren’t actually stored in the iCloud Keychain, but copies were on all the devices. That would make more sense since you can’t decrypt the Keychain without the keys.

Here’s a blog about how iCloud Keychain syncing used to work back when you could choose your own iCloud Keychain code. I don’t know if it’s still accurate since you can’t do that anymore. I think they use the device passcode now instead of an iCloud Keychain code in which case most of the document is probably still accurate.

 
"Second, the device initiates the removal of the available-after-authentication service keys from Apple data centers. As these keys are protected by iCloud HSMs, this deletion is immediate, permanent, and irrevocable. After the keys are deleted, Apple can no longer access any of the data protected by the user’s service keys."

I don't see how replacing the existing Apple managed key with a user managed key allows anyone to continue accessing the pre-ADP uploaded data. I suspect that the important part I am missing is the use of what Apple calls Service Keys.

So I did some digging and I think Apple is using Envelope Encryption. If that’s the case then the key that Apple has stored aren’t the keys that decrypt your iCloud data, but the keys that decrypt the real decryption keys.

If that’s the case then all that would need to happen is Apple decrypts the “data keys” with their decryption keys and re-encrypt them with your new key(s) (one for each trusted device, recovery contact and recovery key). At that point they can’t decrypt your data anymore even though the files haven’t been re-encrypted.

That’s what Amazon’s AWS uses and I’m pretty sure Apple uses AWS for iCloud storage (or at least they used to).

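Added worked example, written for this page and taken neither from any post in this thread nor from Apple: a toy model of the envelope-encryption idea in the post just above, combined with the passcode-wrapped key escrow that the earlier iPhone X test post hypothesises. A 32-byte data key encrypts each stored blob; the server keeps only ciphertext plus copies of that data key wrapped under whichever key-encryption keys (KEKs) are allowed to open it. Turning protection on re-wraps the data key under device-held and recovery-key KEKs and deletes the Apple-HSM wrapping, with the stored ciphertext unchanged; turning it off has a trusted device hand the data key back under the HSM KEK. The last function runs an offline brute force over an all-numeric passcode against an escrowed wrapping. Everything here is an assumption for illustration: the holder names, the use of PBKDF2 with a tiny iteration count (so the search finishes in seconds), and an HMAC-SHA256 keystream plus HMAC tag standing in for AES-GCM so that only the Python standard library is needed.

```python
"""Toy model of envelope encryption with device-passcode-wrapped key escrow.
Constructed for this thread, not Apple's code. An HMAC-SHA256 keystream plus
HMAC tag stands in for AES-GCM so only the standard library is needed."""
import hashlib
import hmac
import os

PBKDF2_ITERS = 200  # assumption, kept tiny so the brute-force demo runs in seconds

def _stream_xor(key, nonce, data):
    """Encrypt/decrypt with an HMAC-SHA256 keystream (toy CTR-mode stand-in)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def seal(key, plaintext):
    """Authenticated encryption: nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(16)
    ct = _stream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def open_(key, blob):
    """Plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        return None
    return _stream_xor(key, nonce, ct)

def kek_from_passcode(passcode, salt):
    """Device KEK derived from the device passcode (the poster's hypothesis; the KDF is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERS)

class Service:
    """One iCloud-style service: server-side ciphertext plus the data key wrapped under every KEK allowed to open it."""
    def __init__(self):
        self.data_key = os.urandom(32)  # held by trusted devices, never in the clear server-side
        self.blobs = []                 # what the server stores
        self.wrapped_keys = {}          # holder name -> data key wrapped under that holder's KEK

    def upload(self, plaintext):
        self.blobs.append(seal(self.data_key, plaintext))

    def grant(self, holder, kek):
        self.wrapped_keys[holder] = seal(kek, self.data_key)

    def read_all(self, holder, kek):
        """What `holder` recovers from server-side state with only its own KEK."""
        wrapped = self.wrapped_keys.get(holder)
        dk = open_(kek, wrapped) if wrapped is not None else None
        return None if dk is None else [open_(dk, b) for b in self.blobs]

def enable_protection(svc, device_keks, recovery_kek):
    """Re-wrap the data key for devices and recovery key, delete the HSM wrapping; ciphertext untouched."""
    before = list(svc.blobs)
    for name, kek in device_keks.items():
        svc.grant(name, kek)
    svc.grant("recovery-key", recovery_kek)
    del svc.wrapped_keys["apple-hsm"]
    assert svc.blobs == before  # nothing re-encrypted or re-uploaded

def disable_protection(svc, holder, kek, apple_hsm_kek):
    """A trusted device unwraps the data key and uploads it wrapped under the HSM KEK again."""
    dk = open_(kek, svc.wrapped_keys[holder])
    svc.wrapped_keys["apple-hsm"] = seal(apple_hsm_kek, dk)

def brute_force_pin(wrapped, salt, digits=4):
    """Offline search of an all-numeric passcode space against an escrowed wrapped key."""
    for n in range(10 ** digits):
        guess = str(n).zfill(digits)
        if open_(kek_from_passcode(guess, salt), wrapped) is not None:
            return guess
    return None

def demo():
    apple_hsm = os.urandom(32)
    svc = Service()
    svc.grant("apple-hsm", apple_hsm)      # standard data protection: Apple can unwrap
    svc.upload(b"photo-0001.heic bytes")   # constructed sample data
    svc.upload(b"note: dentist Tuesday")
    salt = os.urandom(16)
    phone_kek = kek_from_passcode("2580", salt)                        # weak 4-digit passcode
    mac_kek = kek_from_passcode("correct horse battery staple", salt)  # long passphrase
    enable_protection(svc, {"iphone": phone_kek, "mac": mac_kek}, os.urandom(32))
    apple_after = svc.read_all("apple-hsm", apple_hsm)   # None: wrapping deleted
    mac_after = svc.read_all("mac", mac_kek)              # every blob, unchanged bytes
    cracked = brute_force_pin(svc.wrapped_keys["iphone"], salt)
    disable_protection(svc, "mac", mac_kek, apple_hsm)
    apple_restored = svc.read_all("apple-hsm", apple_hsm)
    return apple_after, mac_after, cracked, apple_restored

if __name__ == "__main__":
    print(demo())
```

Running it shows the Apple-HSM holder getting None after the switch while a device KEK still opens every blob, the 4-digit passcode falling to a full search of at most 10,000 guesses, and Apple regaining access only after a device hands the data key back. The model assumes an attacker can run the derivation offline with no attempt limit; an escrow service that enforces attempt limits in HSMs changes that arithmetic, but a passcode drawn from a large space removes the dependence on such limits altogether.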
My understanding as to how this works is that there are multiple encryption and decryption keys stored in the iCloud Keychain. Basically each device has its own keys and it shares those with all the other devices on your iCloud account so things encrypted on one device can be decrypted on others.

When a device is removed from your iCloud account, it loses access to the decryption keys. Likewise when a device is added it gains access.
And those removed can no longer access or sync iCloud data
 
It doesn't need to be that complicated. Your data is already encrypted, and Apple has the keys. When you turn on ADP, Apple puts your keys into your keychain and deletes their copies. Nothing needs to be re-encrypted. The trick is how they get the keys into your encrypted keychain. I don't know how that happens.
So if that is the case, why can’t previous OS versions just allow these keys to be stored? If E2E is required, then Apple is forcing you to buy new hardware.
Does anyone know how long this actually takes to take effect once activated? My understanding is it needs to re-encrypt everything with a new encryption key.

I’m not sure how it’s supposed to do that without downloading all the data to one of your devices. The alternative is uploading the encryption key to a server but that seems like that would defeat the purpose of E2E encryption.

Apple has a write-up of what happens when you enable ADP, but it’s a little confusing. It makes it sound like only newly uploaded data is E2E encrypted.


Apple describes that they do a key rotation operation. I seriously doubt that everything has to be re-uploaded for that. They probably use techniques like "hybrid encryption" (where a key encrypts another key) so that you don't need to re-encrypt everything.
 
I enabled it, it was quick.

One thing that’s not exactly clear is what happens if you share something like a Note or an iCloud file with someone who doesn’t have ADP on.

The support document says if you share with everyone a key to decrypt the data is uploaded to Apple, but it also says you can only share with people with ADP on. As such it sounds like with ADP on you can either share with everyone unencrypted or individuals with E2E encryption enabled. I haven’t tried it so I don’t know how it actually works.

I’d also like to know if enabling a recovery key “overrides” everything else making that the only recovery mechanism that works. For now I’ve used recovery contacts.
 
I finally got this to turn on. There seems to be a bug in the recovery key method. I added my other Apple ID as a recovery contact and still got an error. Once I turned off the recovery key (which never said on even though it was) Advanced Data Protection turned on.
 
The support document says if you share with everyone a key to decrypt the data is uploaded to Apple, but it also says you can only share with people with ADP on.
Where is it stated you can only share with people with ADP on?

At present I have ADP enabled and my wife who has not yet updated to the latest OS updates does not. We have shared notes and lists and I have just confirmed that changes to a shared Reminders list still work for both of us.
 
Where is it stated you can only share with people with ADP on?

It doesn’t specifically say that, but it doesn’t say what happens either. The document says if all shared participants have ADP enabled, then the shared content is E2E encrypted. It then says certain shared items are never E2E encrypted. I guess if you read between the lines, anything you share with someone who doesn’t have ADP is not E2E encrypted, but that’s not explicitly stated.


Sharing and collaboration

With standard data protection, iCloud content that you share with other people is not end-to-end encrypted.

Advanced Data Protection is designed to maintain end-to-end encryption for shared content as long as all participants have Advanced Data Protection enabled. This level of protection is supported in most iCloud sharing features, including iCloud Shared Photo Library, iCloud Drive shared folders, and shared Notes.

iWork collaboration, the Shared Albums feature in Photos, and sharing content with “anyone with the link,” do not support Advanced Data Protection. When you use these features, the encryption keys for the shared content are securely uploaded to Apple data centers so that iCloud can facilitate real-time collaboration or web sharing. This means the shared content is not end-to-end encrypted, even when Advanced Data Protection is enabled.

To initiate sharing or collaboration, the names and Apple IDs of participants are sent to Apple servers, and a title and representative thumbnail of the shared item may be used to show a preview to the participants.
 
It doesn’t specifically say that, but it doesn’t say what happens either. The document says if all shared participants have ADP enabled, then the shared content is E2E encrypted. It then says certain shared items are never E2E encrypted. I guess if you read between the lines, anything you share with someone who doesn’t have ADP is not E2E encrypted, but that’s not explicitly stated.

Thanks, I had forgotten about that other ADP page. I've been going off of the following text which seems a bit more descriptive. My assumption is that ADP encrypted data that is shared with non-ADP users is done under the Standard Data Protection model. With my limited testing with my wife we continue to be able to update a shared Reminders list without issue just like before I enabled ADP for my account.

Advanced Data Protection for iCloud

Security implications of sharing and collaboration

In most cases, when users share content to collaborate with each other—for example, with shared Notes, shared Reminders, shared folders in iCloud Drive, or iCloud Shared Photo Library—and all the users have Advanced Data Protection turned on, Apple servers are used only to establish sharing but don’t have access to the encryption keys for the shared data. The content remains end-to-end encrypted and accessible only on participants’ trusted devices. For each sharing operation, a title and representative thumbnail may be stored by Apple with standard data protection to show a preview to the receiving users.

Selecting the “anyone with a link” option when enabling collaboration will make the content available to Apple servers under standard data protection, as the servers need to be able to provide access to anyone who opens the URL.

iWork collaboration and the Shared Albums feature in Photos don’t support Advanced Data Protection. When users collaborate on an iWork document, or open an iWork document from a shared folder in iCloud Drive, the encryption keys for the document are securely uploaded to iWork servers in Apple data centers. This is because real-time collaboration in iWork requires server-side mediation to coordinate document changes between participants. Photos added to Shared Albums are stored with standard data protection, as the feature permits albums to be publicly shared on the web.
 
Thanks, I had forgotten about that other ADP page. I've been going off of the following text which seems a bit more descriptive. My assumption is that ADP encrypted data that is shared with non-ADP users is done under the Standard Data Protection model. With my limited testing with my wife we continue to be able to update a shared Reminders list without issue just like before I enabled ADP for my account.

Advanced Data Protection for iCloud
I think Reminders is part of the calendar platform, which is not ADP capable. Try sharing a photo and see what happens. I’m still delayed till February so I can’t.
 