
CloudKit end-to-end encryption
Many Apple services, listed in the Apple Support article iCloud security overview, use end-to-end encryption with a CloudKit service key protected by iCloud Keychain syncing. For these CloudKit containers, the key hierarchy is rooted in iCloud Keychain and therefore shares the security characteristics of iCloud Keychain — namely, the keys are available only on the user’s trusted devices and not to Apple or any third party. If access to iCloud Keychain data is lost, the data in CloudKit is reset and, if data is available from the trusted local device, it’s uploaded again to CloudKit. For more information, see Escrow security for iCloud Keychain.
Messages in iCloud also uses CloudKit end-to-end encryption with a CloudKit service key protected by iCloud Keychain syncing. If the user has enabled iCloud Backup, the CloudKit service key used for the Messages in iCloud container is backed up to iCloud to allow the user to recover their messages even if they have lost access to iCloud Keychain and their trusted devices. This iCloud service key is rolled whenever the user turns off iCloud Backup.
| Situation | User recovery options for CloudKit end-to-end encryption |
|---|---|
| Access to trusted device | Data recovery possible using a trusted device or iCloud Keychain recovery. |
| No trusted devices | Data recovery only possible using iCloud Keychain recovery. |
| iCloud Backup enabled and access to trusted device | Data recovery possible using iCloud Backup, access to a trusted device or iCloud Keychain recovery. |
| iCloud Backup enabled and no access to trusted device | Data recovery possible using iCloud Backup or iCloud Keychain recovery. |
| iCloud Backup disabled and access to trusted device | Data recovery possible using a trusted device or iCloud Keychain recovery. |
| Backup disabled and no trusted devices | Data recovery only possible using iCloud Keychain recovery. |
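As an added illustration (this is not Apple's code, and it is a deliberately simplified model), the following Python models the key hierarchy described above: records are encrypted under a per-container service key, the service key is wrapped under the iCloud Keychain key, and, for the Messages in iCloud case, a copy of the service key is stored in iCloud Backup and rolled away when backup is turned off. `keychain_key` stands for whatever a trusted device or iCloud Keychain recovery yields, `backup_key` stands for access to iCloud Backup, and the HMAC-based toy cipher, the class and function names, and the re-encryption of existing records on key roll are assumptions.

```python
import hashlib, hmac, secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: XOR with an HMAC-SHA256 keystream (illustration only, not AES-GCM).
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))
def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC so that a wrong key is rejected instead of yielding garbage.
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key")
    return keystream_xor(key, nonce, ct)

class Container:
    """One end-to-end encrypted CloudKit container (assumed structure, not Apple's code)."""
    def __init__(self, keychain_key: bytes, backup_key: bytes = None):
        self.records = []
        self.service_key = secrets.token_bytes(32)
        # Wrapped under the iCloud Keychain key: only trusted devices or keychain recovery unwrap it.
        self.wrapped = seal(keychain_key, self.service_key)
        # Messages in iCloud with iCloud Backup on: a copy of the service key is backed up.
        self.backup_copy = seal(backup_key, self.service_key) if backup_key else None

    def store(self, plaintext: bytes) -> None:
        self.records.append(seal(self.service_key, plaintext))

    def disable_backup(self, keychain_key: bytes) -> None:
        # Turning iCloud Backup off rolls the service key, so any backed-up copy is stale.
        # Re-encrypting existing records under the new key is an assumption of this model.
        plain = [unseal(self.service_key, r) for r in self.records]
        self.service_key = secrets.token_bytes(32)
        self.wrapped = seal(keychain_key, self.service_key)
        self.backup_copy = None
        self.records = [seal(self.service_key, p) for p in plain]

def recover(c: Container, keychain_key: bytes = None, backup_key: bytes = None):
    # Try each path to the service key the user still holds; None means the data is reset.
    for key, wrapped in ((keychain_key, c.wrapped), (backup_key, c.backup_copy)):
        try:
            service_key = unseal(key, wrapped) if key and wrapped else None
        except ValueError:
            service_key = None
        if service_key:
            return [unseal(service_key, r) for r in c.records]
    return None
```

Running `recover` with different combinations of keys reproduces the rows of the table: without the keychain key or a backup copy there is no path to the service key, and a backup copy taken before the key was rolled no longer opens the container.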