iCloud uses strong security methods, employs strict policies to protect your information and leads the industry in using privacy-preserving security technologies, such as end-to-end encryption for your data.
iCloud data security and encryption
The security of your data in iCloud starts with the security of your Apple ID. All new Apple IDs require two-factor authentication to help protect you from fraudulent attempts to gain access to your account. Two-factor authentication is also required for many features across Apple's ecosystem, including end-to-end encryption.
Apple offers two options to encrypt and protect the data you store in iCloud:
Standard data protection is the default setting for your account. Your iCloud data is encrypted, the encryption keys are secured in Apple data centres – so we can help you with data recovery – and only certain data is end-to-end encrypted.
Advanced Data Protection for iCloud is an optional setting that offers our highest level of cloud data security. If you choose to enable Advanced Data Protection, your trusted devices will retain sole access to the encryption keys for the majority of your iCloud data, thereby protecting it using end-to-end encryption. Additional data protected includes iCloud Backup, Photos, Notes and more.
About end-to-end encrypted data
End-to-end encrypted data can only be decrypted on your trusted devices where you've signed in with your Apple ID. No one else can access your end-to-end encrypted data – not even Apple – and this data remains secure even in the case of a data breach in the cloud. If you lose access to your account, only you can recover this data using your device passcode or password, recovery contact or recovery key.
Standard data protection
Standard data protection is the default setting for your account. Your iCloud data is encrypted in transit and stored in an encrypted format at rest. The encryption keys from your trusted devices are secured in Apple data centres, so Apple can decrypt your data on your behalf whenever you need it, such as when you sign in on a new device, restore from a backup or recover your data after you've forgotten your password. As long as you can sign in with your Apple ID successfully, you can access your backups, photos, documents, notes and more.
For additional privacy and security, 15 data categories – including Health and passwords in iCloud Keychain – are end-to-end encrypted. Apple doesn't have the encryption keys for these categories, and we can't help you recover this data if you lose access to your account. The table below includes a list of data categories that are always protected by end-to-end encryption.
Advanced Data Protection for iCloud
Starting with iOS 16.2, iPadOS 16.2 and macOS 13.1, you can choose to enable Advanced Data Protection to protect the vast majority of your iCloud data, even in the case of a data breach in the cloud.
With Advanced Data Protection, the number of data categories that use end-to-end encryption rises to 25 and includes your iCloud Backup, Photos, Notes and more. The table below lists the additional data categories that are protected by end-to-end encryption when you enable Advanced Data Protection.
If you enable Advanced Data Protection and then lose access to your account, Apple will not have the encryption keys to help you recover it – you’ll need to use your device passcode or password, a recovery contact or a personal recovery key. Because the majority of your iCloud data will be protected by end-to-end encryption, you'll be guided to set up at least one recovery contact or recovery key before you turn on Advanced Data Protection. You must also update all of your Apple devices to a software version that supports this feature.
You can turn off Advanced Data Protection at any time. Your device will upload the required encryption keys to Apple servers securely, and your account will once again use standard data protection.
Find out how to turn on Advanced Data Protection for iCloud.
Data categories and encryption
The table below provides more detail on how iCloud protects your data when using standard data protection or Advanced Data Protection.
Data category | Standard data protection | Advanced Data Protection | ||
|---|---|---|---|---|
Encryption | Key storage | Encryption | Key storage | |
iCloud Mail (1) | In transit and on server | Apple | In transit and on server | Apple |
Contacts (2) | In transit and on server | Apple | In transit and on server | Apple |
Calendars (2) | In transit and on server | Apple | In transit and on server | Apple |
iCloud Backup (including device and Messages backup) (3) | In transit and on server | Apple | End-to-end | Trusted devices |
iCloud Drive (4) | In transit and on server | Apple | End-to-end | Trusted devices |
Photos | In transit and on server | Apple | End-to-end | Trusted devices |
Notes | In transit and on server | Apple | End-to-end | Trusted devices |
Reminders (5) | In transit and on server | Apple | End-to-end | Trusted devices |
Safari Bookmarks | In transit and on server | Apple | End-to-end | Trusted devices |
Siri Shortcuts | In transit and on server | Apple | End-to-end | Trusted devices |
Voice Memos | In transit and on server | Apple | End-to-end | Trusted devices |
Wallet passes | In transit and on server | Apple | End-to-end | Trusted devices |
Freeform | In transit and on server | Apple | End-to-end | Trusted devices |
Passwords and Keychain (6) | End-to-end | Trusted devices | End-to-end | Trusted devices |
Health data | End-to-end | Trusted devices | End-to-end | Trusted devices |
Journal data | End-to-end | Trusted devices | End-to-end | Trusted devices |
Home data | End-to-end | Trusted devices | End-to-end | Trusted devices |
Messages in iCloud (7) | End-to-end (7a) | Trusted devices | End-to-end | Trusted devices |
Payment information | End-to-end | Trusted devices | End-to-end | Trusted devices |
Apple Card transactions | End-to-end | Trusted devices | End-to-end | Trusted devices |
Maps (8) | End-to-end | Trusted devices | End-to-end | Trusted devices |
QuickType Keyboard learnt vocabulary | End-to-end | Trusted devices | End-to-end | Trusted devices |
Safari (9) | End-to-end | Trusted devices | End-to-end | Trusted devices |
Screen Time | End-to-end | Trusted devices | End-to-end | Trusted devices |
Siri information (10) | End-to-end | Trusted devices | End-to-end | Trusted devices |
Wi-Fi passwords | End-to-end | Trusted devices | End-to-end | Trusted devices |
W1 and H1 Bluetooth keys | End-to-end | Trusted devices | End-to-end | Trusted devices |
Memoji | End-to-end | Trusted devices | End-to-end | Trusted devices |
Additional notes
iCloud Mail: iCloud Mail does not use end-to-end encryption because of the need to interoperate with the global email system. All native Apple email clients support optional S/MIME for message encryption.
Contacts and Calendars: contacts and calendars are built on industry standards (CalDAV and CardDAV) that do not provide built-in support for end-to-end encryption.
iCloud Backup (including device and Messages backup)
Standard data protection: when iCloud Backup is enabled, the keys to your backupsare secured in Apple data centres. If you use both iCloud Backup and Messages in iCloud, your backup will include a copy of the Messages in iCloud encryption key to help you recover your data.
Advanced Data Protection: iCloud Backup and everything inside it is end-to-end encrypted, including the Messages in iCloud encryption key.
iCloud Drive: includes Pages, Keynote and Numbers documents, PDFs, Safari downloads or any other files saved to iCloud Drive manually or automatically.
Reminders: Reminders synced using CalDAV don’t support end-to end encryption.
Passwords and Keychain: includes your saved accounts and passwords.
Messages in iCloud
Standard data protection: Messages in iCloud is end-to-end encrypted when iCloud Backup is disabled. When iCloud Backup is enabled, your backup will include a copy of the Messages in iCloud encryption key to help you recover your data. If you turn off iCloud Backup, a new key will be generated on your device to protect future Messages in iCloud. This key is end-to-end encrypted between your devices and isn't stored by Apple
Advanced Data Protection: Messages in iCloud is always end-to-end encrypted. When iCloud Backup is enabled, everything inside it is end-to-end encrypted, including the Messages in iCloud encryption key.
Maps: includes Favourites, My Guides and Search History.
Safari: includes History, Tab Groups and iCloud Tabs.
Siri information: includes Siri Settings and personalisation and, if you've set up Hey Siri, a small sample of your requests.
Encryption of certain metadata and usage information
Some metadata and usage information stored in iCloud remains under standard data protection, even when Advanced Data Protection is enabled. For example, dates and times when a file or object was modified are used to sort your information, and checksums of file and photo data are used to help Apple de-duplicate and optimise your iCloud and device storage – all without having access to the files and photos themselves. Representative examples are provided in the table below.
This metadata is always encrypted, but the encryption keys are still stored by Apple. As we continue to strengthen security protections for all users, Apple is committed to ensuring more data, including this kind of metadata, is end-to-end encrypted when Advanced Data Protection is enabled.
Data category | Information protected with standard data encryption |
|---|---|
iCloud Backup |
|
iCloud Drive |
|
Photos |
|
Notes |
|
Safari Bookmarks |
|
Messages in iCloud |
|
Sharing and collaboration
With standard data protection, iCloud content that you share with other people is not end-to-end encrypted.
Advanced Data Protection is designed to maintain end-to-end encryption for shared content as long as all participants have Advanced Data Protection enabled. This level of protection is supported in most iCloud sharing features, including iCloud Shared Photo Library, iCloud Drive shared folders and shared Notes.
iWork collaboration, the Shared Albums feature in Photos and sharing content with “anyone with the link” do not support Advanced Data Protection. When you use these features, the encryption keys for the shared content are uploaded to Apple data centres securely so iCloud can facilitate real-time collaboration or web sharing. This means the shared content is not end-to-end encrypted, even when Advanced Data Protection is enabled.
To initiate sharing or collaboration, the names and Apple IDs of participants are sent to Apple servers, and a title and representative thumbnail of the shared item may be used to display a preview to the participants.
iCloud.com and data access on the web
iCloud.com provides access to your iCloud data via any web browser. All sessions at iCloud.com are encrypted in transit between Apple's servers and the browser on your device. When Advanced Data Protection is enabled, access to your data via iCloud.com is disabled by default. You have the option to turn on data access on iCloud.com, which allows Apple and the web browser you're using to have temporary access to data-specific encryption keys provided by your device to decrypt and view your information. Find out more about iCloud.com web access.
Third-party app data
Third-party app data stored in iCloud is always encrypted in transit and on server. When you turn on Advanced Data Protection, third-party app data stored in iCloud Backup and CloudKit encrypted fields and assets are end-to-end encrypted.
About third-party data centres
Both Apple and third-party data centres may be used to store and process your data. When processing data stored in a third-party data centre, encryption keys are only accessed by Apple software running on secure servers, and only while conducting the necessary processing. The keys are always stored and secured in Apple data centres. Apple doesn't access or store keys for any end-to-end encrypted data.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsem*nt. Apple assumes no responsibility with regard to the selection, performance or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.
Published Date:
