Here’s how to enable and manage Apple’s advanced data protection for your iCloud data

In early December 2022, Apple announced a significant change to iCloud data encryption. Previously, Apple shared how it protected your data synced through iCloud:
- Some of your data (photos and other media, reminders, and notes) relied on encryption keys held by Apple to protect your data at rest—that is, while it’s stored on Apple’s servers. You can access all of this via iCloud.com by signing in. When Apple syncs this data, it relies on encrypted HTTPS and similar secure connections between your devices and apps and Apple’s servers.
- Other parts of your data, an increasing amount over the years, relied on end-to-end encryption (E2EE), where the keys to encrypt and decrypt your data are stored only on your devices and are only accessible through actions taken on those devices. Apple does not have access to the keys at all. Such data includes health information, Safari bookmarks, and iCloud Keychain. None of this data could be accessed on iCloud.com; iCloud was just a channel for syncing between devices. (Apple also encrypts this data in transit, but that’s a layer on top of E2EE, not instead of E2EE.)
On December 13, 2022, Apple launched Advanced Data Protection (ADP), an option that allows you to move almost all of your Apple-secured data on iCloud to E2EE. Instead of Apple keeping the keys to data at rest on its servers, that data becomes effectively impossible to retrieve for anyone who lacks one of your devices, such as an iPhone or Mac, and the ability to unlock that device.
However, Apple had to exempt email, contacts and calendar entries from this shift. These three categories of items are always protected at rest with Apple-controlled encryption. But for compatibility with third-party email, contact and calendar apps and online services, there is no current way to allow end-to-end encryption while still making the underlying data accessible. (That may change in the future, but it requires a huge industry shift that has only shown glimpses of happening. Google just rolled out a beta version of end-to-end encrypted email.)
You don’t have to activate ADP if you don’t want to. ADP has disadvantages in terms of administration, access and recovery. As with other E2EE methods, you risk losing access to your data forever if you lose or get locked out of all your devices and other recovery methods don’t work. Apple requires you to enable some recovery features to avoid this, discussed below, but it’s still a risk.

The advantage of ADP is that almost all of your data is inaccessible in the event of a breach of Apple’s servers, a compromise of your account, legitimate or illegitimate government demands, or criminal efforts. Anyone who does not have an unlocked device associated with your account cannot read the covered types of information.
So far, only customers in the US can turn on ADP. Apple promises to make it available to customers in more countries in 2023, including China.
What kind of data is covered by advanced data protection?
Apple has an overview on a support website of the different encryption methods it uses for each service or data storage type offered, including whether or not ADP is enabled. Here’s how it works, with standard and ADP encryption called out for each point.
- Always encrypted at rest (default and ADP): Email messages, calendar events and contacts. These cannot be encrypted with E2EE, as mentioned above.
- Either encrypted at rest (default) or E2EE (ADP): iCloud Backups, Find My (Devices and People), iCloud Drive, iCloud for Messages encryption key (see below), Notes, Photos, Reminders, Siri Shortcuts, Voice Memos and Wallet Cards plus iWork apps (Keynote, Numbers and Pages). Find My (devices only), iCloud Drive, Notes, Photos, Reminders and iWork files can also all be accessed via iCloud.com with ADP on or off – but see below for a new option to control this.
- Always encrypted at rest (ADP): Metadata related to the above services, such as the name and serial number of a device associated with an iCloud backup, the number of views of a photo or video in iCloud Photos, and the last modified date of a Safari bookmark. (Apple has a full list of metadata exceptions at the bottom of this page.)
- Using E2EE while shared (ADP): With ADP enabled, E2EE remains active for most data you share with others if they have ADP enabled. If they don’t, notes, reminders, iCloud Drive folders and files, and some other items are just encrypted at rest.
- Not using E2EE while shared (ADP): Apple lists a number of other exceptions to E2EE for shared items: Keynote, Numbers, and Pages files shared via iCloud collaboration; Shared Albums in Photos; and anything shared using the “anyone with the link” option that Apple offers.
- Always E2EE (standard and ADP): Apple Card transactions, the contents of iCloud for Messages (see below), Home data, Health data, iCloud Keychain, Find My item locations (such as AirTags), Maps details (such as your search history and places marked as favorites), Memoji, payment information, QuickType Keyboard learned vocabulary, Safari (bookmarks, history and iCloud tabs), Screen Time settings and data, Siri information, Wi-Fi passwords and Bluetooth keys used with Apple’s W1 and H1 chips. Although this information is synced over iCloud, it is not available through iCloud.com.
Messages in iCloud is an odd exception. Without ADP enabled, Apple encrypts the content of your messages as stored in iCloud using E2EE. However, if you also have iCloud Backup turned on, the decryption key for your messages is stored in the backup, and the backup is encrypted only with keys under Apple’s control. That undermines the end-to-end protection of your messages. If you enable ADP, both the content of your messages and the key needed to decrypt them are protected, because E2EE then covers your iCloud backups as well.
I can summarize the ADP and non-ADP versions of iCloud encryption in another way:
- With ADP enabled, what is E2EE: Everything you store in iCloud uses E2EE except for email, contacts and calendar events, certain types of metadata, and certain items when shared, as mentioned above.
- With ADP disabled, what is E2EE: Only the items in the “Always E2EE” point above, plus Messages in iCloud, subject to the iCloud Backup exception just described.
Starting with iOS 16.2, iPadOS 16.2, and macOS 13.1, you can choose to disable access to otherwise available data when you sign in to iCloud.com, whether you have ADP enabled or not. Go to Settings (iOS/iPadOS) or System Settings (macOS) > [your name] > iCloud and disable Access iCloud Data on the Web.

If you re-enable web access after turning it off and you have ADP enabled, Apple shows an additional warning explaining that you will have to approve access from a trusted device each time you want to use iCloud.com. Tap or click Access iCloud Data on the Web to continue, then tap or click Allow Access.
If you’re ready to set up ADP, start with the prerequisites and preparations required to ensure you don’t permanently lock yourself out of your own data.
Check advanced data protection requirements
To use ADP, all of your devices must be running at least the following versions of their respective operating systems: iOS 16.2, iPadOS 16.2, macOS 13.1 Ventura, tvOS 16.2, watchOS 9.2, and HomePod software 16.2. Yes, even an out-of-date HomePod or HomePod mini must be updated before you can improve your iCloud security.
Your iCloud account must have two-factor authentication enabled, which is almost always the case these days; Apple force-upgraded most of us years ago. If you haven’t upgraded yet, see this article. All your devices must also have a passcode set, but I’d be shocked if you’re reading this article and that’s not the case.
You’ll also need to live in the US to use ADP as of the December 2022 rollout. Apple is promising more countries in 2023, without a timetable or a list.
Finally, you need to turn on some form of account recovery to help if you lose access to your iCloud account login. Apple notes that you can use a recovery contact or a recovery key. I suggest setting up both to give yourself even more protection. For details on both of these, see “How to use iCloud Data Recovery Service” and “What you should know about iOS 15 recovery keys.”
Apple also notes that you can recover data if you have the passcode for the device you used to enable ADP. That’s because the E2EE keys for ADP are additionally wrapped with device passcode protection: with a device passcode, you can unlock the keys needed to access the encrypted data tied to that device. Because your passcode is never stored in an accessible form, this does not reduce the security of your device or your iCloud data.
Enable advanced data protection
Start by going to the ADP settings section: Settings (iOS/iPadOS) or System Settings (macOS) > [your name] > iCloud > Advanced Data Protection. Tap Turn On Advanced Data Protection (iOS/iPadOS) or click Turn On (macOS).
If any of your devices is not up to date, you will be told which ones require a newer version of their operating system. You can either complete the upgrades or remove devices with older operating systems from your account by tapping Remove Devices in Settings.

Once you are updated, you can continue. If you have at least one account recovery option enabled, Apple now lets you turn on ADP:
- Apple warns you that “you will be responsible for data recovery.” Tap or click Review Recovery Methods.
- If you have a recovery key enabled, enter it and tap or click Next.
- Once the recovery key is accepted, enter your device passcode when prompted.
- Finally, you are told “Advanced Data Protection is On.” Tap or click Done. You should also receive an email at your iCloud.com address letting you know that ADP was enabled.
Access ADP-protected data via iCloud.com

With ADP enabled, all of your data except email, contacts and calendar entries is encrypted with keys held on your devices. That would seem to rule out iCloud.com access. But Apple has a solution: it allows temporary access by decrypting the data in the browser.
To unlock temporary access:
- Visit icloud.com in a web browser and sign in.
- Apple displays a banner explaining that ADP is on and how to proceed.
- Select an app, such as Photos.
- Apple sends an access request to trusted devices.
- On a trusted device, tap or click Allow Access (Figure 100).
- On your trusted devices, a banner will appear notifying you that you have enabled temporary access.
Data remains available for one hour from each request. Each additional type of data you wish to access may require a separate permission request and approval, unless you request it shortly after a previous request.
Disable advanced data protection
Disabling ADP is easy. Go to Settings (iOS/iPadOS) or System Settings (macOS) > [your name] > iCloud > Advanced Data Protection. Tap Turn Off Advanced Data Protection (iOS/iPadOS) or click Turn Off (macOS). Follow the prompts to confirm that you understand you are removing E2EE protection from many types of synced and stored data.