
CloudKit end-to-end encryption
Many Apple services, listed in the Apple Support article iCloud security overview, use end-to-end encryption with a CloudKit service key protected by iCloud Keychain syncing. For these CloudKit containers, the key hierarchy is rooted in iCloud Keychain and therefore shares the security characteristics of iCloud Keychain—namely, the keys are available only on the user’s trusted devices, and not to Apple or any third party. If access to iCloud Keychain data is lost, the data in CloudKit is reset; and if data is available from the trusted local device, it’s uploaded again to CloudKit. For more information, see Escrow security for iCloud Keychain.
Messages in iCloud
Messages in iCloud, which keeps a user’s entire message history updated and available on all devices, also uses CloudKit end-to-end encryption with a CloudKit service key protected by iCloud Keychain syncing. If the user has enabled iCloud Backup, the CloudKit service key used for the Messages in iCloud container is also backed up to iCloud to allow the user to recover their messages, even if they have lost access to iCloud Keychain and their trusted devices. This iCloud service key is rolled whenever the user turns off iCloud Backup.
iCloud Backup status | Trusted device access | Recovery options for Messages in iCloud |
---|---|---|
Enabled | User has access to trusted device | Data recovery possible using iCloud Backup, access to a trusted device, or iCloud Keychain recovery. |
Enabled | User has no access to trusted device | Data recovery possible using iCloud Backup or iCloud Keychain recovery. |
Disabled | User has access to trusted device | Data recovery possible using a trusted device or iCloud Keychain recovery. |
Disabled | User has no access to trusted device | Data recovery only possible using iCloud Keychain recovery. |
iCloud Private Relay
iCloud Private Relay helps protect users primarily when browsing the web with Safari, but it also includes all DNS name resolution requests. This helps ensure that no single party, not even Apple, can correlate a user's IP address and their browsing activity. It does this by using different proxies: an ingress proxy managed by Apple and an egress proxy managed by a content provider. To use iCloud Private Relay, the user must be running iOS 15 or later, iPadOS 15 or later, or macOS 12.0.1 or later, and be signed in to their iCloud+ account with their Apple ID. iCloud Private Relay can then be turned on in Settings > iCloud or System Preferences > iCloud.
For more information, see iCloud Private Relay Overview.