9to5Mac is brought to you by Incogni: Protect your personal info from prying eyes. With Incogni, you can scrub your deeply sensitive information from data brokers across the web, including people search sites. Incogni limits your phone number, address, email, SSN, and more from circulating. Fight back against unwanted data brokers with a 30-day money back guarantee.
Apple uses two different forms of encryption for your iCloud data – a strong form for particularly sensitive data like the Health and Journal apps, but a weaker one for a lot of other data you still wouldn’t want falling into the wrong hands.
Fortunately the company gives you the option of switching to strong encryption for all your iCloud data, and while there are a few steps involved, it’s a worthwhile security and privacy safeguard …
What’s the deal with iCloud encryption?
There are two main approaches to encrypting data:
- Encryption at rest (aka ‘weak encryption’)
- End-to-end encryption (aka E2EE or ‘strong encryption’)
By default, Apple uses a mix of the two, as you can see below.
The difference between them is simple, and concerns who holds a key with the ability to decrypt the data. For iCloud data:
- Weak encryption: Your devices + Apple
- Strong encryption: Your devices only
Which data is fully protected?
By default, Apple uses strong encryption for the things on the left, but weak encryption for the things on the right:
Strong encryption | Weak encryption |
---|---|
Passwords and Keychain | iCloud Backups (Device and Messages) |
Health data | iCloud Drive |
Journal data | Photos |
Home data | Notes |
Messages in iCloud | Reminders |
Payment information | Safari Bookmarks |
Apple Card transactions | Siri Shortcuts |
Maps | Voice Memo |
QuickType Keyboard learned vocabulary | Wallet Passes |
Safari | Freeform |
Screen Time | |
Siri information | |
Wi-Fi passwords | |
W1 and H1 Bluetooth keys | |
Memoji | |
That leaves a lot of sensitive data not fully protected, with three particular examples jumping out: photos, notes, and backups of your messages.
Why should you care?
You might trust Apple, and therefore think it’s not a big deal if the company also holds a key.
However, Apple having a key creates two risks. First, if a hacker ever gained access to iCloud servers and encryption keys, they would then be able to access your data.
Second, law enforcement can get court orders demanding that Apple hand over data, and you may well be caught up in an investigation despite being completely uninvolved. For example, investigators might demand your data because you were identified as being in the same location as a suspect at the same time.
For both reasons, you may well feel it’s best to apply strong encryption to all your iCloud data. Apple allows you to do so by enabling a feature called Advanced Data Protection (ADP). Note that you cannot currently enable this in the UK because we have a technically illiterate government, but it looks likely this will soon change.
Are there any downsides to boosting security?
Yes: with strong encryption, Apple can no longer access your data, and therefore cannot help you recover it. For example, currently if you forget your iCloud password, and can prove your identity to Apple’s satisfaction, the company may be able to help you recover some of your data. With ADP enabled, Apple would have no way to help.
For this reason, Apple does require you to take a couple of precautions:
- Create an account recovery key (which acts like a backup password)
- Add a recovery contact (someone you trust who can help you regain access)
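The key-custody difference and the recovery trade-off described above can be modelled in a few lines. This is an added example, not code from the article or from Apple, and it is a simplified model rather than Apple's actual design: the holder names (`device`, `provider`, `recovery_key`), the functions, and the toy HMAC-based cipher standing in for a real authenticated cipher are all assumptions.

```python
import hashlib
import hmac
import secrets

def _stream(key, nonce, n):
    # Toy keystream (HMAC-SHA256 in counter mode); a stand-in for a real AEAD cipher.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def store(record, holders):
    # Encrypt under a fresh data key, then wrap that key once per key holder.
    data_key = secrets.token_bytes(32)
    return {"blob": seal(data_key, record),
            "wrapped": {who: seal(k, data_key) for who, k in holders.items()}}

def readers(stored, keyring):
    # Names in keyring whose key unwraps the data key and decrypts the record.
    ok = []
    for who, key in keyring.items():
        try:
            unseal(unseal(key, stored["wrapped"][who]), stored["blob"])
            ok.append(who)
        except (KeyError, ValueError):
            pass
    return sorted(ok)

# Constructed keys and record; "provider" models the service operator's key.
KEYS = {who: secrets.token_bytes(32) for who in ("device", "provider", "recovery_key")}
RECORD = b"constructed sample note"
standard = store(RECORD, {w: KEYS[w] for w in ("device", "provider")})
e2ee = store(RECORD, {w: KEYS[w] for w in ("device", "recovery_key")})

if __name__ == "__main__":
    print("standard:", readers(standard, KEYS))
    print("end-to-end:", readers(e2ee, KEYS))
    print("end-to-end, devices lost, no recovery key:",
          readers(e2ee, {"provider": KEYS["provider"]}))
```

In both modes the stored blob is encrypted; what changes is the set of parties for whom a wrapped copy of the data key exists.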
How do you enable Advanced Data Protection?
I recommend checking out our very detailed instructions and video guide. But the short version is this:
Add a recovery key
- Settings → <your name> → Password & Security → Recovery Key
- Recovery Key → Turn On Recovery Key → Use Recovery Key
- Enter your passcode when prompted
- Make a note of the 28-character recovery key
- Enter this (to prove that you noted it correctly)
Since a recovery key is intended for use when you’ve lost access to all your Apple devices, you’re advised to go low-tech with this: write it down and stick it in a safe.
Add a recovery contact
Your recovery contact won’t be able to access your data (unless they have physical access to your devices), but will be able to generate another recovery key. They will need to own at least one Apple device.
- Settings → <your name> → Sign-In & Security → Recovery Contacts
- Tap Add Recovery Contact
Enable ADP
- Settings → <Your Name> → iCloud
- Scroll down and tap the Advanced Data Protection panel
- Tap Turn on Advanced Data Protection
- Tap Review Recovery Methods
- Tap Contacts Up to Date to confirm your recovery contact is correct
- Enter your recovery key to confirm you have access to it
- Enter your device passcode
- Tap Done when you see confirmation that ADP is enabled
It’s a slightly convoluted process, but that’s for good reason: Apple wants to ensure you know what you are doing and will be able to recover your own data if you ever forget your iCloud password.

Photo by Job Moses on Unsplash