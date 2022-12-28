



In early December 2022, Apple announced major changes to iCloud data encryption. Before that, Apple divided data synced via iCloud into two tiers of protection.

Some data (photos and other media, reminders, notes) relied on encryption keys held by Apple to protect the data at rest (that is, while it was stored on servers). You can access all of this via iCloud.com when you log in. When Apple syncs this data, it relies on HTTPS and similarly secure connections between devices, apps, and Apple's servers. Other data, by contrast, relied on end-to-end encryption (E2EE). With E2EE, the keys for encrypting and decrypting data are stored only on your devices and can be used only by actions taken on those devices; Apple has no access to your keys at all. This category includes health information, Safari bookmarks, and iCloud Keychain. None of this data was accessible on iCloud.com; iCloud was just a pipe for syncing between devices. (Apple also encrypts this data in transit, but that is a layer on top of E2EE, not a replacement for it.)

On December 13, 2022, Apple rolled out Advanced Data Protection (ADP). This option migrates almost all data Apple stores in iCloud to E2EE. Instead of Apple keeping a key to the data stored on its servers, ADP makes it effectively impossible for anyone to retrieve that data without one of your devices, such as an iPhone or Mac, and the ability to unlock it.

However, Apple had to exclude email, contacts, and calendar entries from this shift. Items in these three categories are always protected with Apple-controlled encryption, because compatibility with third-party email, contacts, and calendar apps and online services requires that the server be able to read the underlying data; there is no current method that allows end-to-end encryption while preserving that access. (This could change in the future, but it would require a major industry shift, and so far there has been little movement. Google has just expanded a beta of end-to-end encrypted email.)

You don't have to enable ADP. It has drawbacks in management, access, and recovery. As with any E2EE scheme, if all your devices are lost or locked out and your recovery methods fail, you risk permanently losing access to your data. Apple requires you to set up recovery options to mitigate this, as explained below, but the risk remains.

Advanced Data Protection extends end-to-end encryption to almost all iCloud-synced data that previously lacked it.

The advantage of ADP is that almost all of your data is inaccessible in the event of a breach of Apple's servers, a security flaw, a lawful or unlawful government demand, or criminal activity. Unless an attacker has one of your devices and can unlock it, you are protected against targeted disclosure of that data.

So far, only US customers can turn on ADP. Apple has promised to extend it to customers in more countries, including China, in 2023.

What data is covered by Advanced Data Protection?

Apple has a support web page outlining the encryption used for each type of service or data storage it offers, with and without ADP. Here is how standard protection and ADP compare for each category.

- Always encrypted at rest only (standard and ADP): email messages, calendar events, and contacts. As noted above, these cannot use E2EE.

- Encrypted at rest (standard) or E2EE (ADP): iCloud Backup, Find My (devices and people), iCloud Drive, Messages in iCloud encryption keys (see below), Notes, Photos, Reminders, Siri Shortcuts, Voice Memos, Wallet passes, and iWork apps (Keynote, Numbers, Pages). Find My (devices only), iCloud Drive, Notes, Photos, Reminders, and iWork files can all be accessed via iCloud.com with ADP on or off; new options to control that access are described below.

- Encrypted at rest only, even with ADP: metadata associated with the above services, such as the name and serial number of the device associated with an iCloud Backup, the number of times an image or video was viewed in iCloud Photos, and when Safari bookmarks were last modified. (Apple has a full list of metadata exceptions at the bottom of its support page.)

- E2EE while sharing (ADP): if ADP is active, E2EE remains in force for most data shared with other users who also have ADP enabled. Otherwise, shared notes, reminders, iCloud Drive folders and files, and some other items are only encrypted at rest.

- No E2EE while sharing (ADP): Apple lists other exceptions to E2EE for shared items, including Keynote, Numbers, and Pages files shared via iCloud collaboration, and Shared Albums in Photos.

- Always E2EE (standard and ADP): Apple Card transactions, Messages in iCloud message content (see below), Home data, Health data, iCloud Keychain, Find My items (AirTags and the like), Maps details (such as search history and favorite places), payment information, QuickType keyboard learned vocabulary, Safari (bookmarks, history, iCloud Tabs), Screen Time settings and data, Siri information, Wi-Fi passwords, and Bluetooth keys used by Apple's W1 and H1 chips. This information is synced via iCloud but is not accessible via iCloud.com.

Messages in iCloud is an odd exception. Even without ADP, Apple uses E2EE for the contents of messages stored in iCloud. However, if you also have iCloud Backup turned on, the key that decrypts those messages is included in the backup, and the backup is encrypted only with a key under Apple's control. Anyone who can obtain the backup from Apple, through a breach or a legal demand, can therefore recover the message key and read the messages. With ADP enabled, iCloud Backup is itself protected by E2EE, so both the message contents and the key that decrypts them are beyond Apple's reach.

Here is a shorter way to summarize the two modes:

- What is E2EE without ADP: only the items in the last bullet point above, subject to the Messages in iCloud exception for iCloud Backup.

- What is E2EE with ADP: everything stored in iCloud, except, as noted above, email, contacts, calendar events, certain types of metadata, and certain items shared with you.

Also, starting with iOS 16.2, iPadOS 16.2, and macOS 13.1, whether or not ADP is enabled, you can turn off access to your data when you log in to iCloud.com. Go to Settings (iOS/iPadOS) or System Settings (macOS) > your name > iCloud and turn off Access iCloud Data on the Web.

Apple warns you about outdated devices when you try to enable ADP.

If Access iCloud Data on the Web is off and you turn it back on while ADP is enabled, Apple shows an additional warning explaining that each web access must be approved from a trusted device. To continue, tap or click Access iCloud Data on the Web, then tap or click Allow Access.

Once you’re ready to set up ADP, start with the prerequisites and preparations necessary to avoid being permanently locked out of your data.

Review Advanced Data Protection requirements

To use ADP, every device on your account must be running at least iOS 16.2, iPadOS 16.2, macOS 13.1 Ventura, tvOS 16.2, watchOS 9.2, or HomePod software 16.2. Yes, even HomePods and HomePod minis must be updated before you can turn on the iCloud security enhancements.

Your iCloud account must have two-factor authentication enabled. That is almost always the case these days, since Apple has pushed it hard and most of us upgraded years ago; if you haven't yet, see this article. All devices also require a passcode; if you have read this far and don't have one set, that should come as a shock.

Also, to use ADP at the December 2022 rollout, you must reside in the United States.

Finally, you must set up at least one account recovery method so that you can regain access if you lose your iCloud login. Apple offers recovery contacts and recovery keys; I recommend setting up both for extra protection. For more on each, see How to Use iCloud Data Recovery Service and What You Need to Know About iOS 15 Recovery Keys.

Apple also notes that if you know the device passcode of a device used with ADP, you can recover your data. That is because the E2EE key under ADP is additionally wrapped with protection derived from the device passcode: the passcode unlocks the keys needed to access the encrypted data. Passcodes themselves are not stored in any accessible form, so this does not weaken the security of your device or your iCloud data.
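To make concrete why the Messages in iCloud backup exception matters and what passcode-based recovery under ADP buys you, here is an added model of the two key hierarchies. It is example code written for this page, not Apple's code, and it does not reproduce Apple's actual key-wrapping construction: it assumes a toy HMAC-based authenticated key wrap standing in for AES key wrapping, a single message key, and a PBKDF2 passcode-derived wrapping key. Apple's real design keeps the passcode-protected escrow record in HSMs that limit guessing attempts; the PBKDF2 work factor here only approximates that. The question the model answers is the one a practitioner asks: with only the material on Apple's servers, who can read the messages?

```python
"""Added example: where the Messages in iCloud key lives with and without ADP."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# --- Toy authenticated key wrap: HMAC-SHA256 keystream plus HMAC tag. ---
# This stands in for AES key wrapping. It is NOT Apple's construction and
# is not meant for production use; it exists so the model runs offline.

def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap(kek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the key-encryption key `kek`."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(kek, nonce, len(plaintext))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. A wrong key fails closed."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong key: cannot unwrap")
    return bytes(c ^ k for c, k in zip(ct, _keystream(kek, nonce, len(ct))))

def passcode_kek(passcode: str, salt: bytes) -> bytes:
    # Assumed stand-in for Apple's passcode-derived protection; the real
    # system adds HSM-enforced attempt limits, which PBKDF2 cannot provide.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 200_000)

@dataclass
class CloudStore:
    """Everything that sits on the server: ciphertexts and wrapped keys only."""
    adp: bool
    message_ct: bytes                  # message content, always under message_key (E2EE)
    backup_blob: bytes                 # iCloud Backup: contains message_key, wrapped under the backup KEK
    apple_escrow: Optional[bytes]      # standard mode: the backup KEK is held by Apple
    device_key_under_passcode: Optional[bytes]  # ADP: device key wrapped by the passcode-derived key
    salt: bytes

def build_account(adp: bool, passcode: str, message: str) -> CloudStore:
    """Construct an account in standard or ADP mode with one stored message."""
    message_key = os.urandom(32)
    device_key = os.urandom(32)        # lives only on the user's device
    message_ct = wrap(message_key, message.encode())   # E2EE in both modes
    salt = os.urandom(16)
    if adp:
        # ADP: the backup is wrapped by a device-held key, which in turn is
        # recoverable only from the device passcode.
        return CloudStore(adp, message_ct, wrap(device_key, message_key), None,
                          wrap(passcode_kek(passcode, salt), device_key), salt)
    # Standard: the backup KEK is an Apple-held key, so the message key
    # inside the backup is one legal demand or breach away.
    apple_key = os.urandom(32)
    return CloudStore(adp, message_ct, wrap(apple_key, message_key), apple_key, None, salt)

def apple_reads_messages(store: CloudStore) -> Optional[str]:
    """What Apple, or anyone who compels or breaches Apple, can recover
    using only server-side material. Returns None when it cannot."""
    if store.apple_escrow is None:
        return None
    message_key = unwrap(store.apple_escrow, store.backup_blob)
    return unwrap(message_key, store.message_ct).decode()

def recover_with_passcode(store: CloudStore, passcode: str) -> str:
    """ADP recovery path: passcode -> device key -> backup -> message key -> content."""
    if not store.adp:
        raise ValueError("passcode recovery applies to ADP accounts")
    device_key = unwrap(passcode_kek(passcode, store.salt), store.device_key_under_passcode)
    message_key = unwrap(device_key, store.backup_blob)
    return unwrap(message_key, store.message_ct).decode()

if __name__ == "__main__":
    standard = build_account(adp=False, passcode="1234", message="constructed sample")
    protected = build_account(adp=True, passcode="1234", message="constructed sample")
    print("standard, Apple can read:", apple_reads_messages(standard))
    print("ADP, Apple can read:", apple_reads_messages(protected))
    print("ADP, passcode recovery:", recover_with_passcode(protected, "1234"))
```

The lesson is the one the Messages in iCloud discussion above turns on: a datum is only as well protected as the weakest key guarding any copy of its key. Message content is E2EE in both modes, but in standard mode a copy of the message key travels inside a backup that Apple can open, and `apple_reads_messages` succeeds. Under ADP the same function returns None, while `recover_with_passcode` still works for the legitimate owner and fails closed on a wrong passcode.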

Enable Advanced Data Protection

Start in the ADP settings: Settings (iOS/iPadOS) or System Settings (macOS) > your name > iCloud > Advanced Data Protection. Tap Turn On Advanced Data Protection (iOS/iPadOS) or click Turn On (macOS).

If any of your devices are out of date, you'll be told which ones need a newer OS. Tap or click Settings to update them, or Remove Device to drop a device with an older operating system from your account.

To avoid losing access, Apple requires at least one recovery method to be enabled. I suggest both.

Once all devices are up to date and at least one account recovery option is enabled, you can continue.

Apple warns that “data recovery is the customer's responsibility.” Tap or click Review Recovery Methods. If you have a recovery key enabled, enter it and tap or click Next. After the recovery key is accepted, enter your device passcode when prompted. Finally, when you see “Advanced Data Protection is on,” tap or click Done. Apple also sends an email to your iCloud.com address confirming that ADP has been enabled. Accessing ADP-protected data via iCloud.com is still possible, but it requires additional steps to create a local E2EE session in the browser, as described next.

With ADP enabled, all data except email, contacts, and calendar entries is encrypted with keys held only on your devices. That would seem to rule out iCloud.com entirely, but Apple has a workaround: temporary access using encryption performed in the browser.

Here’s how to unlock temporary access:

Go to icloud.com in your browser and log in. Apple displays a banner explaining that ADP is on and how to proceed. Select an app, such as Photos. Apple sends an access request to your trusted devices; on one of them, tap or click Allow Access (Figure 100). The trusted device then shows a banner warning that you have enabled temporary access.

Data is accessible for one hour from each request. Each additional data type you open may require a separate permission request and approval, unless you request it immediately after the previous one.

Disable Advanced Data Protection

Disabling ADP is easy. Go to Settings (iOS/iPadOS) or System Settings (macOS) > your name > iCloud > Advanced Data Protection, then tap Turn Off Advanced Data Protection (iOS/iPadOS) or click Turn Off (macOS). Follow the prompts, which ask you to acknowledge that doing so removes E2EE protection from the various types of synced and stored data.

