Security of iCloud Backup
iCloud backs up information—including device settings, app data, photos, and videos in the Camera Roll, and conversations in the Messages app—daily over Wi-Fi. iCloud Backup occurs only when the device is locked, connected to a power source, and has Wi-Fi access to the internet. Mindful of the storage encryption used in iOS and iPadOS, iCloud Backup is designed to keep data secure while allowing incremental, unattended backup and restoration to occur. By default, the iCloud Backup service key is securely backed up to iCloud Hardware Security Modules in Apple data centers, and is part of the available-after-authentication data category. For users who turn on Advanced Data Protection for iCloud, the iCloud Backup service key is protected with end-to-end encryption, and available only to users on their trusted devices.
When files are created in Data Protection classes that aren’t accessible when the device is locked, their per-file keys are encrypted, using the class keys from the iCloud Backup keybag and backing the files up to iCloud in their original, encrypted state. All files are encrypted during transport and, when stored, encrypted using account-based keys, as described in CloudKit encryption.
The iCloud Backup keybag contains asymmetric (Curve25519) keys for Data Protection classes that aren’t accessible when the device is locked. The backup set is stored in the user’s iCloud account and consists of a copy of the user’s files and the iCloud Backup keybag. The iCloud Backup keybag is protected by a random key, which is also stored with the backup set. The user’s iCloud password isn’t used for encryption, so changing the iCloud password won’t invalidate existing backups.
On restore, the backed-up files, iCloud Backup keybag, and the key for the keybag are retrieved from the user’s iCloud account. The iCloud Backup keybag is decrypted using its key, then the per-file keys in the keybag are used to decrypt the files in the backup set, which are written as new files to the file system, thus reencrypting them according to their Data Protection class.
The following content is backed up using iCloud Backup:
Records for purchased music, movies, TV shows, apps, and books. A user’s iCloud Backup includes information about purchased content present on the user’s device, but not the purchased content itself. When the user restores from an iCloud Backup, their purchased content is automatically downloaded from the iTunes Store, the App Store, the Apple TV app, or Apple Books. Some types of content aren’t downloaded automatically in all countries or regions, and previous purchases may be unavailable if they have been refunded or are no longer available in their respective store. Full purchase history is associated with a user’s Apple Account.
Photos and videos on a user’s devices. Note that if a user turns on iCloud Photos in iOS 8.1, iPadOS 13.1, or OS X 10.10.3, or later, their photos and videos are already stored in iCloud, so they aren’t included in the user’s iCloud Backup.
Contacts, calendar events, reminders, and notes
Device settings
App data
Home Screen and app organization
HomeKit configuration
Medical ID data
Voice Memos password (if necessary, requires the physical SIM card that was in use during backup)
Message, Apple Messages for Business, text (SMS), and MMS messages (if necessary, requires the physical SIM card that was in use during backup)
iCloud Backup is also used to back up the local device keychain, encrypted with a key derived from the Secure Enclave UID root cryptographic key of the device. This key is unique to the device and not known to Apple. This allows the database to be restored only to the same device from which it originated, and it means no one else, including Apple, can read it. For more information, see Secure Enclave.
Messages in iCloud
Messages in iCloud keeps a user’s entire message history updated and available on all devices.
With standard data protection, Messages in iCloud is end-to-end encrypted when iCloud Backup is turned off. When iCloud Backup is turned on, the backup includes a copy of the Messages in iCloud encryption key so Apple can help the user recover their messages even if they have lost access to iCloud Keychain and their trusted devices. If the user turns off iCloud Backup, a new key is generated on their device to protect future Messages in iCloud. The new key is stored only in iCloud Keychain, only accessible to the user on their trusted devices, and new data written to the container can’t be decrypted with the old container key.
With Advanced Data Protection, Messages in iCloud is always end-to-end encrypted. When iCloud Backup is turned on, everything inside it is end-to-end encrypted, including the Messages in iCloud encryption key. The iCloud Backup service key, as well as the Messages in iCloud container key are both rolled when the user turns on Advanced Data Protection. For more information, see the Apple Support article iCloud data security overview.