Securing your data in iCloud

Some cloud services offer specially protected ‘vaults’ and other features intended to protect sensitive data. Rather than making that an option, iCloud has security policies which provide different levels of protection according to the type of data stored. For example, Keychain in iCloud benefits from end-to-end encryption, while files you put in iCloud Drive are encrypted during transit and when in cloud storage. This article explains how iCloud secures your data, and how you can ensure that security remains effective.

Secure your Apple ID

iCloud security only exists when you secure access fully with robust passwords/passcodes, and two-factor authentication. Features such as end-to-end encryption don’t work unless

your Mac and all devices which connect using that Apple ID have passwords (macOS) or passcodes (devices), and
two-factor authentication is enabled on your Apple ID account.

To date, those few iCloud accounts which appear to have been ‘hacked’ have used passwords/passcodes which were easily guessed, and didn’t have two-factor authentication enabled.

It’s also important to use recent versions of Apple’s operating systems. Most of these protection features require at least iOS 13 on devices, and protection may be significantly less on versions of macOS before Catalina.

End-to-end encryption

Data protected by end-to-end encryption are stored locally, transferred, and held in iCloud in encrypted form, which is the highest level of security provided by iCloud. Data so protected includes:

Apple Card transactions
Health data (note this is also only backed up to encrypted backups)
Home data
Keychain
Maps favourites, collections, search history
Memoji
Messages in iCloud
Payment information
QuickType Keyboard learned vocabulary
Safari history, Tab Groups, iCloud Tabs
Screen Time
Siri information
Wi-Fi passwords
Bluetooth keys (W1, H1).

Encryption keys use device-specific information to ensure that no one else can access protected data. As that includes Apple, these classes of data can’t be recovered by the iCloud Data Recovery Service. Only you can access them on your Mac and devices when you’re signed in to iCloud.

Encrypted in transit and in iCloud

Less sensitive data is protected by encryption when in transit between iCloud and your Mac/devices, and stored in iCloud fully encrypted. This doesn’t provide the same level of security as end-to-end encryption, but ensures that your data are still well-protected. This specifically prevents third-parties like Amazon and Google, who provide servers to host iCloud, from being able to access your data. However, it also means that these data are recoverable using the iCloud Data Recovery Service.

Data so protected includes:

Backup (devices only at present)
Calendars
Contacts
iCloud Drive
private third-party app data stored using CloudKit
Notes
Photos
Reminders
Safari Bookmarks
Siri Shortcuts (may now include Shortcuts generally)
Voice Memos
Wallet passes

Files stored in iCloud Drive are encrypted. They’re chunked and encrypted using file content keys, which are then wrapped by record keys stored with their metadata. Those metadata are protected by the user’s iCloud Drive service key, stored in that iCloud account.

Third-party apps which use CloudKit to store data in iCloud are controlled by app entitlements, and can access both unprotected public data and encrypted file data, the latter being stored using a similar hierarchy of keys as for iCloud Drive. This ensures that only when you’ve signed into your iCloud account can you access either the files you store in iCloud Drive, or those stored there by third-party apps.

Encrypted in transit but not on servers

All mail data in transit between your Mac/devices and the iCloud Mail service is encrypted under TLS 1.2. However, Apple’s IMAP mail servers don’t encrypt the mail data they store, in accordance with standard mail server practice. If you want to improve the security of the mail service, then you should enable S/MIME encryption, an option in Apple’s Mail app and all good third-party mail clients.

Summary

To benefit from iCloud security, all your Macs and devices must use robust passwords/passcodes, and your account must have two-factor authentication enabled.
Protect your Mac and device access passwords/passcodes, and protect your Apple ID password.
Some iCloud services have full end-to-end encryption, including Keychain in iCloud, card and payment information, Messages in iCloud, Safari history and tabs.
Remaining iCloud services are encrypted in transit and in iCloud storage, including databases such as Calendars and Contacts, iCloud Drive, and private data stored by third-party apps.
IMAP mail servers don’t encrypt your mail data, though, and S/MIME should be used where encryption is required.
Although iCloud uses third-party servers, those server operators don’t have any access to its encrypted data.

References

iCloud security overview
How to archive or copy data from iCloud
Security of iCloud Backup

15Comments

Add yours

1

JYK on March 3, 2022 at 2:41 pm

This is all great information, thanks as always! I think a useful addition here would be to delineate which pieces of information Apple can decrypt and provide to law enforcement if legitimately requested.

LikeLiked by 1 person
- 2
  
  hoakley on March 3, 2022 at 3:03 pm
  
  Thank you.
  I have done so, I believe: I make it clear that data which is protected by end-to-end encryption can’t be accessed by Apple, as only you have the key. Apple can, though, recover data which comes in the second category (encrypted in transit and when stored in iCloud), and easily for mail data stored in its servers, provided that it’s not protected by S/MIME encryption.
  Howard.
  
  LikeLike
3

JYK on March 3, 2022 at 4:50 pm

There are some interesting levels of overlap. Just as one example, you could have your iMessage content protected by end to end encryption, but if you store your iPhone/iPad device backups in iCloud without another passphrase, I believe (but I could be wrong) that iMessage content could be extracted from the device backup by Apple.

LikeLiked by 1 person
- 4
  
  hoakley on March 3, 2022 at 6:13 pm
  
  Thank you.
  Backups are straightforward: they should be encrypted. They have to be anyway if you want them to contain your Health data.
  Or don’t backup to iCloud, but to your Mac.
  Howard.
  
  LikeLike
5

Antonio on March 5, 2022 at 12:58 pm

That’s a very enlightening article, thank you very much! I didn’t know so many things were end-to-end encrypted. I only knew of payment, health, home and password information.

LikeLiked by 1 person
- 6
  
  hoakley on March 5, 2022 at 9:53 pm
  
  Thank you.
  Howard.
  
  LikeLike
7

Michele Galvagno on March 7, 2022 at 9:38 am

“S/MIME should be used where encryption is required”
How do you activate this in Apple Mail?

PS: have you changed the font, line spacing, and other in the outlook of the blog?

LikeLiked by 1 person
- 8
  
  hoakley on March 7, 2022 at 9:47 am
  
  Apple explains how to do this here.
  No, I haven’t changed anything here. Perhaps your browser has done this?
  Howard.
  
  LikeLike
  - 9
    
    Michele Galvagno on March 7, 2022 at 10:42 am
    
    Thanks. Not clear to me how to obtain the certificate as I don’t have a CA address, but will figure it out.
    Same Safari as always… possibly my perception
    
    LikeLiked by 1 person
    - 10
      
      hoakley on March 7, 2022 at 1:34 pm
      
      Certificates are sold by many different online vendors. Once you’ve got one, you’ll need to install it in your keychain before you can use it.
      Howard.
      
      LikeLike
    - 11
      
      Michele Galvagno on March 7, 2022 at 6:39 pm
      
      I read that Apple was a CA so I expected this to happen automatically from Keychain.
      
      LikeLiked by 1 person
    - 12
      
      hoakley on March 7, 2022 at 6:52 pm
      
      Apple is a CA. If you look in Keychain Access, the Certificate Assistant there provides a command to do this. You have to provide the email address of the CA to send the request. And CAs don’t normally issue such certificates for free, I’m afraid.
      Howard.
      
      LikeLike
    - 13
      
      Michele Galvagno on March 7, 2022 at 6:54 pm
      
      Indeed I got stopped where they asked for the email of the CA. Since I didn’t find Apple’s one I walked away. No problem if they’re not free, but a more straightforward way of finding one would be appreciated (such as a button “Find a CA” or something)
      
      LikeLiked by 1 person
    - 14
      
      hoakley on March 7, 2022 at 8:16 pm
      
      You know who to Feedback to!
      Howard.
      
      LikeLike
15

Securing iCloud Data | on March 14, 2022 at 10:01 am

[…] information across devices. If you have questions about how iCloud handles your data security, then read this very thorough article explaining how it all works up […]

LikeLike

Share this:

Like this:

Related