WhatsApp now offers an "end-to-end" encrypted backup - here's how it works

WhatsApp completely encrypts chat backups so that no one else, including WhatsApp, can see them. Facebook founder and CEO Mark Zuckerberg posted a message on his Facebook page today (October 14).

"End-to-end encrypted backup of WhatsApp starts today.

"You can now protect your end-to-end encrypted backups with any password or a 64-digit encryption key known only to you. WhatsApp or your backup service provider cannot read your backups or access the key needed to unlock them."

End-to-end encryption usually refers to data sent from one client device to another, not to stored data like backed-up chats. WhatsApp has expanded the definition of the term slightly to cover stored data, meaning that no one but you has the encryption key to unlock the backup.

However, WhatsApp does not store the backups itself. As always, you can back up your chats to Apple iCloud or Google Drive, depending on whether you have an iPhone or Android.

End-to-end encryption of backups is optional and must be actively chosen. It is not immediately available to everyone.

Facebook's engineering team stated in a blog post that if you choose to encrypt your chat backups, previous backups will be deleted.

WhatsApp previously offered encryption of backups to iCloud, but a different mechanism was used: as Thomas Brewster of Forbes explained in 2017, attackers could obtain encryption keys if they could spoof the phone numbers of legitimate users.

To take advantage of WhatsApp's end-to-end encrypted backup, make sure you have the latest version of WhatsApp installed on your iPhone or Android device.

Note: This option may or may not be available to you yet. At the time of this writing, it could not be done on our Android devices, even though the latest version of WhatsApp was installed. Here is how to check.

1. Go to the settings screen; on Android, click on the three vertical dots at the top of the WhatsApp main screen.

2. Tap [Chat].

3. Tap [Backup Chat].

4. If the end-to-end encrypted backup option is offered, tap it.

5. Tap Continue and follow the instructions to create your personal encryption key (described below).

6. When the process is complete, tap Done.

If you chose to enable full backup encryption, the process begins with the phone generating a 256-bit (32-byte) encryption key locally. This key is used by the phone to encrypt the chat backup, and the encrypted backup is uploaded to Google Drive or iCloud.

There are two ways to manage WhatsApp backup encryption keys: the first is to keep the key yourself, and the second is to delegate the management to WhatsApp in a way that, at least in theory, does not expose the encryption key to others.

In the first method, the encryption key is displayed as 64 hexadecimal characters. This looks like a long string of numbers and the letters A through F, the latter representing the numbers 10 through 15.

You must write down or save this 64-character string somewhere. If you lose the encryption key, WhatsApp will not be able to help.

If you need to restore a WhatsApp backup, such as when changing phones, you must type or paste the 64-character key into WhatsApp.

This mechanism is illustrated in Fig.

There is also a second way to handle the 32-byte key. It is somewhat more complicated, as it requires creating a new password (which appears to be different from the normal WhatsApp user password) to encrypt and decrypt the key.

The encrypted key is stored in what is called a backup key vault, which is a hardware security module (HSM) located on at least five WhatsApp servers worldwide. According to a Facebook white paper describing the technical details, the Backup Key Vault "permanently loses access to the key after a certain number of failed access attempts." If the password is entered incorrectly, the user is locked out.

WhatsApp cannot see the encryption key without knowing the password, says a Facebook Engineering blog post: "WhatsApp only knows that the key exists in the HSM."

In other words, the password unlocks the encryption key and the key unlocks the stored backup. When retrieving the backup, the WhatsApp app accesses WhatsApp's servers to retrieve a copy of the encrypted encryption key.

Here is a diagram showing the process.
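The two key-handling options described above can be modelled in a few lines. The following is an added example, not WhatsApp's code or protocol: `ToyKeyVault`, `wrap_key`, `new_backup_key` and the limit of three attempts are hypothetical, and a PBKDF2-derived XOR pad with an HMAC tag stands in for whatever key wrapping the real system uses. It shows why the attempt limit matters: a short password is only safe because guesses are counted and the record is destroyed, whereas the 64-digit key needs no vault at all.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumed value; the page only says "a certain number"

def new_backup_key() -> tuple[bytes, str]:
    """Generate the 256-bit key locally; its hex form is the 64-digit key."""
    key = secrets.token_bytes(32)
    return key, key.hex().upper()

def _derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the password into a 32-byte pad and a 32-byte MAC key."""
    out = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return out[:32], out[32:]

def wrap_key(backup_key: bytes, password: str) -> dict:
    """Client side: encrypt the backup key under the password."""
    salt = secrets.token_bytes(16)
    pad, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(backup_key, pad))
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

class ToyKeyVault:
    """Stand-in for the HSM vault: counts failures, then destroys the record."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    def store(self, user: str, record: dict) -> None:
        self._records[user] = {**record, "failures": 0}

    def unlock(self, user: str, password: str) -> bytes:
        rec = self._records.get(user)
        if rec is None:
            raise KeyError("no key on record (never stored, or destroyed)")
        pad, mac_key = _derive(password, rec["salt"])
        expected = hmac.new(mac_key, rec["wrapped"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, rec["tag"]):
            rec["failures"] += 1
            if rec["failures"] >= MAX_ATTEMPTS:
                del self._records[user]  # key is now gone for good
            raise PermissionError("wrong password")
        return bytes(a ^ b for a, b in zip(rec["wrapped"], pad))
```

After `MAX_ATTEMPTS` wrong guesses even the correct password fails, which matches the lockout behaviour the white paper describes and the warning that a forgotten password means a lost backup.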

There are several possible drawbacks to this new backup encryption option.

First, when migrating from an old iPhone to a new iPhone or from an old Android phone to a new Android phone, it should be easy enough to retrieve the backup as long as you have the backup password or encryption key.

But what about when switching platforms? WhatsApp on Android does not have access to iCloud, and WhatsApp on iOS does not have access to Google Drive. There may be a workaround we are unaware of.

Second, do not do this on more than one device at a time. As stated in the Facebook whitepaper, "End-to-end encrypted backup is only supported on the user's primary device."

Third, the white paper states that "we recommend that users who choose end-to-end encrypted backup also deselect WhatsApp from the apps included in device-level backup."

This is because chats stored on a device may be backed up unencrypted to a regular full device backup unless the user excludes that chat from the regular backup.

Below are the steps to exclude chat backups from WhatsApp's iCloud full-device backups; as WhatsApp says, "Disabling iCloud auto backup does not enable end-to-end encrypted backups." End-to-end encrypted backups must be set up manually.

Finally, if you forget or lose your 64-character encryption key or backup password, your backup will be completely lost. You can probably create a new password or encryption key and start over again. As long as your old WhatsApp chats are stored on your phone, they will not be completely lost.
