Advanced Data Protection for iCloud
Advanced Data Protection for iCloud is an optional setting that offers Apple’s highest level of cloud data security. When a user turns on Advanced Data Protection, their trusted devices retain sole access to the encryption keys for the majority of their iCloud data, thereby protecting it with end-to-end encryption. For users who turn on Advanced Data Protection, the total number of data categories protected using end-to-end encryption rises from 14 to 23 and includes iCloud Backup, Photos, Notes, and more.
Note: This feature may not be available in all countries or regions.
Conceptually, Advanced Data Protection is simple: All CloudKit Service keys that were generated on device and later uploaded to the available-after-authentication iCloud Hardware Security Modules (HSMs) in Apple data centers are deleted from those HSMs and instead kept entirely within the account’s iCloud Keychain protection domain. They are handled like the existing end-to-end encrypted service keys, which means Apple can no longer read or access these keys.
Advanced Data Protection also automatically protects CloudKit fields that third-party developers choose to mark as encrypted, and all CloudKit assets.
Enabling Advanced Data Protection
When the user turns on Advanced Data Protection, their trusted device performs two actions: First, it communicates the user’s intent to turn on Advanced Data Protection to their other devices that participate in end-to-end-encryption. It does so by writing a new value, signed by device-local keys, into its iCloud Keychain device metadata. Apple servers can’t remove or modify this attestation while it gets synchronized with the user’s other devices.
Second, the device initiates the removal of the available-after-authentication service keys from Apple data centers. As these keys are protected by iCloud HSMs, this deletion is immediate, permanent, and irrevocable. After the keys are deleted, Apple can no longer access any of the data protected by the user’s service keys. At this time, the device begins an asynchronous key rotation operation, which creates a new service key for each service whose key was previously available to Apple servers. If the key rotation fails, due to network interruption or any other error, the device retries the key rotation until it’s successful.
After the service key rotation is successful, new data written to the service can’t be decrypted with the old service key. It’s protected with the new key which is controlled solely by the user’s trusted devices, and was never available to Apple.
Advanced Data Protection and iCloud.com web access
When a user first turns on Advanced Data Protection, web access to their data at iCloud.com is automatically turned off. This is because iCloud web servers no longer have access to the keys required to decrypt and display the user’s data. The user can choose to turn on web access again, and use the participation of their trusted device to access their encrypted iCloud data on the web.
After turning on web access, the user must authorize the web sign-in on one of their trusted devices each time they visit iCloud.com. The authorization “arms” the device for web access. For the next hour, this device accepts requests from specific Apple servers to upload individual service keys, but only those corresponding to an allow list of services normally accessible on iCloud.com. In other words, even after the user authorizes a web sign-in, a server request is unable to induce the user’s device to upload service keys for data that isn’t intended to be viewed on iCloud.com, (such as Health data or passwords in iCloud Keychain). Apple servers request only the service keys needed to decrypt the specific data that the user is requesting to access on the web. Every time a service key is uploaded, it is encrypted using an ephemeral key bound to the web session that the user authorized, and a notification is displayed on the user’s device, showing the iCloud service whose data is temporarily being made available to Apple servers.
Preserving the user’s choices
The Advanced Data Protection and iCloud.com web access settings can be modified only by the user. These values are stored in the user’s iCloud Keychain device metadata and can only be changed from one of the user’s trusted devices. Apple servers can’t modify these settings on behalf of the user, nor can they roll them back to a previous configuration.
Security implications of sharing and collaboration
In most cases, when users share content to collaborate with each other—for example, with shared Notes, shared Reminders, shared folders in iCloud Drive, or iCloud Shared Photo Library—and all the users have Advanced Data Protection turned on, Apple servers are used only to establish sharing but don’t have access to the encryption keys for the shared data. The content remains end-to-end encrypted and accessible only on participants’ trusted devices. For each sharing operation, a title and representative thumbnail may be stored by Apple with standard data protection to show a preview to the receiving users.
Selecting the “anyone with a link” option when enabling collaboration will make the content available to Apple servers under standard data protection, as the servers need to be able to provide access to anyone who opens the URL.
iWork collaboration and the Shared Albums feature in Photos don’t support Advanced Data Protection. When users collaborate on an iWork document, or open an iWork document from a shared folder in iCloud Drive, the encryption keys for the document are securely uploaded to iWork servers in Apple data centers. This is because real-time collaboration in iWork requires server-side mediation to coordinate document changes between participants. Photos added to Shared Albums are stored with standard data protection, as the feature permits albums to be publicly shared on the web.
Disabling Advanced Data Protection
The user can turn off Advanced Data Protection at any time. If they decide to do so:
1. The user’s device first records their new choice in iCloud Keychain participation metadata, and this setting is securely synchronized to all their devices.
2. The user’s device securely uploads the service keys for all available-after-authentication services to the iCloud HSMs in Apple data centers. This never includes keys for services that are end-to-end encrypted under standard data protection, such as iCloud Keychain and Health.
The device uploads both the original service keys, generated before Advanced Data Protection had been turned on, and the new service keys that were generated after the user turned on the feature. This makes all data in these services accessible after authentication and returns the account to standard data protection, where Apple can once again help the user recover most of their data should they lose access to their account.
iCloud data not covered by Advanced Data Protection
Because of the need to interoperate with the global email, contacts, and calendar systems, iCloud Mail, Contacts, and Calendar aren’t end-to-end encrypted.
iCloud stores some data without the protection of user-specific CloudKit service keys, even when Advanced Data Protection is turned on. CloudKit Record fields must be explicitly declared as “encrypted” in the container’s schema to be protected, and reading and writing encrypted fields requires the use of dedicated APIs. Dates and times when a file or object was modified are used to sort a user’s information, and checksums of file and photo data are used to help Apple de-duplicate and optimize the user’s iCloud and device storage—all without having access to the files and photos themselves. Details about how encryption is used for specific data categories is available in the Apple Support article iCloud data security overview.
Decisions such as the use of checksums for data de-duplication—a well-known technique called convergent encryption—were part of the original design of iCloud services when they launched. This metadata is always encrypted, but the encryption keys are stored by Apple with standard data protection. To continue to strengthen security protections for all users, Apple is committed to ensuring more data, including this kind of metadata, is end-to-end encrypted when Advanced Data Protection is turned on.
Advanced Data Protection requirements
The requirements to turn on Advanced Data Protection for iCloud include the following:
The user’s account must support end-to-end encryption. End-to-end encryption requires two-factor authentication for their Apple Account and a passcode or password set on their trusted devices. For more information, see the Apple Support article Two-factor authentication for Apple Account.
Devices where the user is signed in with their Apple Account must be updated to iOS 16.2, iPadOS 16.2, macOS 13.1, tvOS 16.2, watchOS 9.2, or later, and the latest version of iCloud for Windows. This requirement prevents a previous version of iOS, iPadOS, macOS, tvOS, or watchOS from mishandling the newly-created service keys by re-uploading them to the available-after-authentication HSMs in a misguided attempt to repair the account state.
The user must set up at least one alternative recovery method—one or more recovery contacts or a recovery key—which they can use to recover their iCloud data if they lose access to their account.
If the recovery methods fail, such as if the recovery contact’s information is out of date, or the user forgets them, Apple can’t help recover the user’s end-to-end encrypted iCloud data.
Advanced Data Protection for iCloud can be turned on only for Apple Accounts. Managed Apple Accounts and child accounts (varies by country or region) aren’t supported.