Hi Eric. I understand that the sync data in the sync store on iCloud is encrypted. That would be using my keys that only I know. I was happy.
For the iCloud backup, as you say, they are plain text protected by iOS’s own device-side encryption; however, this is not encryption that is under my end-to-end control.
Firstly, Apple is using a private key for me that Apple stores (to save me from myself in the case of the average user).
Furthermore, there is a 6 digit passcode that is used for the device and the backups and which only I can know.
My problem with this is:
- I was very happy with being fully in control of e2e encryption with DevonThink and my 50 character random key.
- The backups to iCloud were made by default and I’m not happy about the weakness of the 6-character numeric key vis-à-vis the strength of my DevonThink key, and the fact that I was opted in to this backup.
So, what I am trying to say, between the lines, is that it would have been nice to have been warned about the backing up of, for all intents and purposes, unencrypted data, as now the horse has bolted and there can no longer ever be any guarantee that the data is private (assuming you agree that the only privacy is the privacy you create for yourself with true end-to-end encryption).
If you read support.apple.com/en-us/HT202303 it clearly says:
End-to-end encryption provides the highest level of data security. Your data is protected with a key derived from information unique to your device, combined with your device passcode, which only you know. No one else can access or read this data.
If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices.
So, in summary, the Apple encryption is only as good as the 6-digit passcode, and that’s not the same as the level of encryption and assurance I had with DevonThink.
Anyway, you’re not alone. I have other e2e encryption apps and my switch from Android to iOS has led to Apple backing up all of them with the same consequences.
PS: Apple stores iCloud data on Azure. So the data, which is only as secure as that 6-digit passcode because the private key is packed with the backup ‘for your convenience’, is subject to not just Apple’s but also Microsoft’s T&Cs, which include those of their third-party partners (which, for Microsoft, include partners in China, Jordan and other jurisdictions).
Are you starting to get a sense of where I’m coming from?