Some cloud services offer specially protected ‘vaults’ and other features intended to protect sensitive data. Rather than making that an option, iCloud has security policies which provide different levels of protection according to the type of data stored. For example, Keychain in iCloud benefits from end-to-end encryption, while files you put in iCloud Drive are encrypted during transit and when in cloud storage. This article explains how iCloud secures your data, and how you can ensure that security remains effective.
Secure your Apple ID
iCloud security only exists when you secure access fully with robust passwords/passcodes, and two-factor authentication. Features such as end-to-end encryption don’t work unless
- your Mac and all devices which connect using that Apple ID have passwords (macOS) or passcodes (devices), and
- two-factor authentication is enabled on your Apple ID account.
To date, those few iCloud accounts which appear to have been ‘hacked’ have used passwords/passcodes which were easily guessed, and didn’t have two-factor authentication enabled.
It’s also important to use recent versions of Apple’s operating systems. Most of these protection features require at least iOS 13 on devices, and protection may be significantly less on versions of macOS before Catalina.
Data protected by end-to-end encryption are stored locally, transferred, and held in iCloud in encrypted form, which is the highest level of security provided by iCloud. Data so protected includes:
- Apple Card transactions
- Health data (note this is also only backed up to encrypted backups)
- Home data
- Maps favourites, collections, search history
- Messages in iCloud
- Payment information
- QuickType Keyboard learned vocabulary
- Safari history, Tab Groups, iCloud Tabs
- Screen Time
- Siri information
- Wi-Fi passwords
- Bluetooth keys (W1, H1).
Encryption keys use device-specific information to ensure that no one else can access protected data. As that includes Apple, these classes of data can’t be recovered by the iCloud Data Recovery Service. Only you can access them on your Mac and devices when you’re signed in to iCloud.
Encrypted in transit and in iCloud
Less sensitive data is protected by encryption when in transit between iCloud and your Mac/devices, and stored in iCloud fully encrypted. This doesn’t provide the same level of security as end-to-end encryption, but ensures that your data are still well-protected. This specifically prevents third-parties like Amazon and Google, who provide servers to host iCloud, from being able to access your data. However, it also means that these data are recoverable using the iCloud Data Recovery Service.
Data so protected includes:
- Backup (devices only at present)
- iCloud Drive
- private third-party app data stored using CloudKit
- Safari Bookmarks
- Siri Shortcuts (may now include Shortcuts generally)
- Voice Memos
- Wallet passes
Files stored in iCloud Drive are encrypted. They’re chunked and encrypted using file content keys, which are then wrapped by record keys stored with their metadata. Those metadata are protected by the user’s iCloud Drive service key, stored in that iCloud account.
Third-party apps which use CloudKit to store data in iCloud are controlled by app entitlements, and can access both unprotected public data and encrypted file data, the latter being stored using a similar hierarchy of keys as for iCloud Drive. This ensures that only when you’ve signed into your iCloud account can you access either the files you store in iCloud Drive, or those stored there by third-party apps.
Encrypted in transit but not on servers
All mail data in transit between your Mac/devices and the iCloud Mail service is encrypted under TLS 1.2. However, Apple’s IMAP mail servers don’t encrypt the mail data they store, in accordance with standard mail server practice. If you want to improve the security of the mail service, then you should enable S/MIME encryption, an option in Apple’s Mail app and all good third-party mail clients.
- To benefit from iCloud security, all your Macs and devices must use robust passwords/passcodes, and your account must have two-factor authentication enabled.
- Protect your Mac and device access passwords/passcodes, and protect your Apple ID password.
- Some iCloud services have full end-to-end encryption, including Keychain in iCloud, card and payment information, Messages in iCloud, Safari history and tabs.
- Remaining iCloud services are encrypted in transit and in iCloud storage, including databases such as Calendars and Contacts, iCloud Drive, and private data stored by third-party apps.
- IMAP mail servers don’t encrypt your mail data, though, and S/MIME should be used where encryption is required.
- Although iCloud uses third-party servers, those server operators don’t have any access to its encrypted data.