CloudKit Encryption & Apple's End-to-End announcement

Per Apple’s announcement about End-to-End encryption under Advanced Data Protection (Apple advances user security with powerful new data protections), it is not clear to me if third party app data stored via CloudKit will fall under that or not.

I.e. if using Advanced Data Protection for end-to-end encryption for all iCloud stored data (a feature expected to be available before end of year 2022), will the DEVONthink CloudKit sync encryption key be redundant? Explicitly: if leaving the CloudKit encryption key field blank, will the data still be end-to-end encrypted as part of the new Apple policy (assuming Advanced Data Protection is turned on)?

Reference: iCloud data security overview

That’s still unclear but most likely not. The sync’s encryption is still recommended.

Where are you getting the “most likely not” from? I’m looking for a specific Apple documentation source on that.

Why would you lean toward not using DEVONthink’s encryption key?

This is a sea change in terms of encryption policy and will affect, potentially, all third party apps using cloudkit. It’s very much worth knowing what the details are in this situation.

“End-to-End encryption” could well mean “encryption before it leaves the machine and decryption after it arrives in iCloud”. So just “encryption in transit”. In that case, it shouldn’t influence other apps. If Apple has done it right. Which remains to be seen. I’m not overly confident, given their record in network programming.


Apple provided some more detail in the meantime

I don’t see how that would change anything about your usage of DT/TG. If Apple does it right, of course.

I may have misunderstood something (quite likely), but their announcement is for iCloud, not CloudKit. CloudKit runs separately and already offers end-to-end encryption via the encryption key. It isn’t mentioned in this update.

I’m not sure if “iCloud” is the product name here or the name of the underlying technology. But afaik, the original iCloud technology is more or less phased out and iCloud (the product) is running predominantly on CloudKit.

Currently, your DTTG iCloud backup can be accessed by anyone that Apple provides the key to. With the new “Advanced Data Protection” turned on that will no longer be the case: the key is only on your device(s).