In this episode, Marty and Damashe discuss the ins and outs of iCloud encryption. Damashe explains the difference between regular encryption and advanced data protection, and the implications of each. He also discusses alternative options for those who may not want to use iCloud encryption, such as using a UB key or storing sensitive information in a secure note within iCloud Keychain.
Marty and Damashe also touch on the importance of two-factor authentication and being mindful of what information is stored on cloud services. Damashe also mentions how Apple Watch can be used as an authenticator for added convenience.
Overall, the main takeaway from the episode is the importance of not forgetting passwords when using advanced data protection, as it can result in losing access to all stored data.
Please note that the following is an automatic generated transcript using AI. Any errors or discrepancies may occur.

Michael:
[0:07] Welcome back to another Unmute podcast. Happy Thursday. I am here with Marty and we have a special guest here. How goes it Marty?

Marty:
[0:16] Pretty good. Hey all, how’s it going? Well, today we do have a special guest, friend of the show and personal friend of ours, Damasi say hello.

Damashe:
[0:25] Good afternoon. Happy Thursday to everybody.

Marty:
[0:28] So today we’re going to be talking about encryption, specifically iCloud encryption, which was introduced about a month or so ago in a recent update.
So Damasi, do you want to start with explaining what this is and how it works?

Damashe:
[0:48] Yep, so in December, and I am a terrible, terrible preparer, because I don’t know the
exact date but I do know when iOS 16.2 was released, iPad OS 16.2, Mac OS 13.1
and whatever version of audio OS for the HomePod and tvOS is out. They were all
updated in December. With those updates Apple introduced what they call advanced data protection for iCloud.
And what this really means at its bare bones is that Apple is giving you the ability,
to now take control of holding your own encryption keys so that they no longer have access to the things that you have stored in iCloud,
that they previously had access to.
This does get a little down in the weeds a bit because there’s data Apple has always never had access to.
So your health data, your keychain data, if you use iCloud keychain, they’ve never been able to access that data. They’ve never had access to it. They’ve never had the encryption keys to that stuff from day one that they introduced it.
However, they’re bringing those protections forward to other services, which include iCloud Drive, your photos, and some app data, depending on whether or not the developers choose to take advantage of the APIs that are exposed for them.

Marty:
[2:16] Well, maybe we can take a step back just for a quick sec and for those maybe who don’t know or maybe don’t understand
Maybe we can explain what exactly encryption is.

Damashe:
[2:28] Encryption is at a very basic point, and excuse me, anybody that really gets down and understands this a lot, but to kind of simplify it the way I explain it to people is encryption is scrambling your electronic data
so that it cannot be read by someone who does not have the key. And you can think of the key simply as a password. You know, that’s simplifying it a little bit,
but you can think of your key as a password. So a very quick example, if I have a file on my computer, just a regular plain text file, and I write in my credit card number and all of that information, social security number,
if I wanna make sure no one else but me can read that file, then I am going to encrypt that file with some piece of software that will basically scramble that data.
So if anyone comes along and opens up that file, all they’ll get is gibberish. The only way to get that file back into a readable state would be for me to enter a password that then would unscramble that data and allow it to be read.

Marty:
[3:27] And how do we know if this is something that you would want to turn on or not? How would I know? Do I want this turned on? Do I not want it turned on? How would
this benefit me or maybe not benefit me and get me into trouble that I might be in a bigger hole than I would want to be in.

Damashe:
[3:46] That’s a very good question, Marty. So we’re going to start with some reasons why you may not want to do this and some of the caveats to think about before
even going down the path of exploring turning it on because it’s not for everyone. Apple has introduced this because a lot of people do need theseprotections but not everybody does. One caveat to this is if you turn on,
advanced data protection for iCloud you then become responsible for your data 100% Apple syncs it for you, absolutely.
And they also make sure, you know, they do a lot of double checking and ensuring
that you have certain things in place before you turn this on. And I’ll cover some of those a little bit later,
but you don’t need this if you’re just a casual user and you don’t feel that you have to protect your data. It’s entirely up to you,
but be aware that if you do this, like you and a trusted recovery person are the only people that will be able to help you get back into your data.
So if you lose your phone or you lose your iCloud password, Apple does have in place the trusted recovery person that can help recover your account.

[4:59] But you’re not going to have a link where you can go to apple.com or iCloud.com and click I forgot my password and restore the data that was encrypted in iCloud Drive or restore the data that was encrypted in Health.
And I’ll give an example that many people unfortunately have experienced.
If you wipe a device and you did not have an iCloud backup or you wipe a device and you don’t have the ability to unlock your keychain, because let’s say for example, and I had this happen to somebody recently, they lost their iPhone, where their iPhone got damaged.
They got a whole new iPhone replaced.
They signed in with their Apple ID and all of that stuff.
For whatever reason, this person could not remember their old iPhone password,
and they didn’t have another Apple device to pull a password from either, so they were not able to access their key chain, which means anything that was stored in their key chain is now lost to them forever, because they did not have a way to access that.
And Apple does not hold a key to get you back into your iCloud key chain.
So they lost their key chain data. They weren’t using key chain as their primary password manager, but any data there is gone.
The health data that they had stored is gone, because they were not able to unlock their iCloud keychain
because they didn’t have the key that was being requested, which in this case was the password from the previous phone that they had lost maybe a week ago, something like that.

Marty:
[6:21] And it’s just with encryption on or with the encryption off.

Damashe:
[6:25] So that scenario I just described with the keychain, that is whether you have this advanced data protection on or not for iCloud, because again, Apple does not hold the keys for your iCloud keychain.
They do not hold the keys to decrypt your data. So only your devices have the ability to decrypt the data in your keychain and in your health.

Marty:
[6:45] So, the lesson to be learned here is don’t forget your password.

Damashe:
[6:48] Exactly, exactly. Or make sure you have a device you know the password for. Now, with advanced data protection on, this person would have lost access to anything that they had stored in iCloud as well.
So any files that they stored in iCloud Drive would have been lost, their photos would have been lost to them because they would have also been encrypted.

Marty:
[7:08] And there’s no way Apple can help you if you have this iCloud encryption turned on, right?

Damashe:
[7:14] That is correct. Apple has no way. It is what they call trust no one encryption, which means things are encrypted. They can be synced. They can be shared.
They can be, you know, you can, anybody can gain access to this data once it’s encrypted this way, and nobody can decrypt it. It’s up to you and your trusted devices.
Whereas the way things stand for everyone today
that does not have this feature yet turned on,
or chooses not to ever turn this feature on,
is Apple has the ability to help you get back into your account. Apple has the ability to help you restore your photos
because your data itself is encrypted on Apple servers, it’s just that Apple has the key.
And to give you a different sort of perspective of that, think of when you own your house versus renting a house.
Typically when you own a house, you and whoever you give a key to are the only people to have a key to enter your home.
Whereas typically when you’re renting a home or an apartment, you have a key, somebody else you give a key to will have a key, but your landlord also has a key.
So if you lock yourself out of the house, you can call your landlord up and say, hey, sorry, can you come unlock my door for me, please?
So I don’t have to break a window to get in. Well, up under the advanced data protection rules, there’s no landlord to come bring your key and let you in.There’s no locksmith to come pick your lock and get you in either. And there’s not a window for you to break either. So you’re just locked out of your house.

Marty:
[8:32] Yeah. So again, the lesson to be learned here is absolutely do not forget your password or you are going to lose all of your data.
So don’t forget your password, write it down, take a picture of it, do whatever you got to do. Don’t forget your password. if you’re going to turn on iCloud encryption.

Damashe:
[8:52] Yeah, and I would also say for people, you know again, It’s your choice whether or not you choose to turn this on.
I will turn it on at some point because I need to really truly understand like how it works and where are those rough edges that you know cause problems or things that you have to consider and I probably have a very good document on what gets encrypted, how it works, how they handle sharing because you’re still able to share, you know, iCloud data.

[9:15] Documents, you’re still able to share photos and things like that and they handle those situations and they’ve done a very good job at architecting this. However,
If this is at all a thing that you’re like, I don’t know, I’m not sure, or you’re concerned,
or anxious at all about losing access to your data and not having any other means to recover
other than a trusted person, don’t do it. I’ll put this caveat in right now.
So I don’t personally know how the trusted recovery person works because I have not set this up yet. So I don’t know. I don’t think they have the ability to just, you know, hop into your iCloud data whenever they feel like it. have the ability to help you recover your account.
However, if you don’t have a person like that around that is trusted enough for them to be that support person to help you back in if you get in trouble, again, don’t do it.
If you’re one of those people who are like, I don’t have anything to hide. I don’t care who sees what. It doesn’t matter to me.
Don’t do it. You don’t have to do it. It’s not a thing you’re being forced to do. It’s not a thing that is even easy to do. Because Apple does make you jump through quite a few hoops to ensure that you understand what you’re getting yourself into.

Marty:
[10:24] So for those people who maybe like options or for those people who maybe,
this sounds scary and they don’t want to dive in, let’s talk about maybe a couple of options they could do aside from iCloud encryption.
We’ve got, you know, other services, other applications. And so if we were going to have a secondary option, what would your
suggestion be for a secondary option? I know a lot of people really are into the UB keys and stuff like that. Maybe you want to talk about that and how that works a little bit if someone wants a secondary option instead of using this Cloud Encryption.

Damashe:
[11:06] So the iCloud encryption is just that. It is encrypting more of your data is always encrypted. I want to make sure everybody’s clear about that.
And Apple is just Apple currently has a key, right? If you go to the advanced encryption, then they don’t have the keys, which means Apple can’t turn your data over to the FBI or whoever else may come knocking
from a government or law enforcement agency,
or even to malicious hackers, right?
You know, they can’t give it to them. They’re like, well, we can’t give you Demasi’s data because we don’t have, I mean, we can give you the data. We just can’t help you decrypt it and read it
because we don’t have the keys. If you’re looking for a little bit more protection first,
you should always have on two factor. I think Apple is really at the point right now, it’s very difficult to have an Apple ID without having two factor set up.
They are introducing more advanced two factor methods at some point, those are currently not out as far as I know.
If you are a person that you don’t want everything encrypted or iCloud is not even the primary place that you store a lot of data,
but you are concerned about encryption or protecting your data that goes across the internet through the cloud, again, I want to be very clear.
Any cloud storage servers I’m familiar with, whether that be iCloud, Dropbox, Google Drive, OneDrive, all of these companies do encrypt your data while it’s moving across the internet.
So no random person in a coffeehouse should be able to read your information.
And they also encrypt your data.

[12:29] Typically it’s encrypted at rest, which means while it’s on their server, it’s not actively moving, It’s just sitting there. It’s still encrypted.
Again, it’s like iCloud, though.
Dropbox has the keys to Dropbox. Google has the keys to Google. So they could read your data. They can hand your data over.

[12:44] If they are breached at any point by a malicious actor, and the malicious actor manages to gain access to those keys, then, well, now this person has access to your data.
So be mindful of that. And I always tell people, be mindful of what you put on a cloud service. because any employee of that company has the ability to probably read that data. Most certainly their IT staff has the ability to read your data.
Maybe the frontline customer service person that helps you reset your password can’t, but there are people at the company that can read your data. So don’t put anything there that you are truly afraid to have get out into the world.

[13:21] Now, an option for having some level
of better protection for your data, again, just to start with Apple, right?
ICloud Keychain. Apple never has had access to iCloud Keychain. So, you know, safe to store your passwords. They can’t read them. They can’t hand it over to anybody.
They also have secure notes inside of your iCloud Keychain. So if there’s information, again, I go back to something like maybe a social security number or, you know, the super secret combination to your vault that’s in the closet.
You know, maybe you put that in a secure note in iCloud Keychain, which means it’s protected.
You have access to it. and by all means you should really be able to access that from any device that supports iCloud and iCloud Keychain. So that is a way to securely store that information for you.

Marty:
[14:09] And when that note be the same kind of note that you would say, for example, open up your your Apple Notes app and make a note there,
put some kind of sensitive information, and then put a lock on that note.

Damashe:
[14:21] Not exactly the same because I’m not quite 100% sure how the notes encryption works,
like what the underlying architecture to that is. I don’t know if Apple could unlock that note for you or not. Inside of your keychain, however, a secure note is just a edit field where you type in a bunch of stuff.
There’s nothing fancy. There’s no shapes, no check boxes, no none of that sort of stuff in a secure note.
And I know for sure Apple could not access that data. in your notes application, however, you do have that ability, as Marty mentioned, to encrypt a note
or lock a note with a password or touch ID or face ID, which is in a lot of cases a reasonable
protection for you because if someone else accesses your device, unless they have access to your password that you used or your face or your finger, they’re not going to be able to unlock that note.

Marty:
[15:13] One thing I’ve been enjoying a lot, which is pretty convenient, is actually using my Apple Watch as an authenticator to get in instead of having to punch in a password all the time,
or maybe using my face all the time so that’s a good way to go if you have an Apple watch.

Damashe:
[15:32] Apple Watch tells with, you know, unlocking your, I use it all the time to unlock my Mac, to unlock my password manager, which is one password,on the Mac all the time, because I use a Bluetooth keyboard.
So my laptop is about a foot away from me.
So I don’t have to lean up if I could just double click Apple Watch that is a handy feature.

Marty:
[15:53] Yeah, I love it. I use it all the time as well. Cool. Well, this has been a great primer on iCloud encryption. And Damasi, thanks for coming and help us explain all of this.
So if people want to find out more about what you’re doing, How would people check out your work and what you’re up to?

Damashe:
[16:12] So the best way to find me is go to bedrockinnovations.com or drop an email to hello at bedrockinnovations.com.

Imaging

Marty:
[16:22] All right. And thanks to Masi once again. We appreciate it.
Always having you on to explain some of this hard stuff. And to everyone else, if you want to get ahold of us,
you can reach us at unmutepresents at gmail.com.
And we’ll see you next time. Thanks.

Transcript

Support Unmute Presents by contributing to their tip jar: https://tips.pinecast.com/jar/unmute-presents-on-acb-communi

This podcast is powered by Pinecast. Try Pinecast for free, forever, no credit card required. If you decide to upgrade, use coupon code r-e4dc67 for 40% off for 4 months, and support Unmute Presents.