How to: Encrypt Your iPhone
Encrypting the data on your iPhone isn't as simple as creating a password. Since a lot of your data is also likely stored online, it's also important to understand how that online storage works, and to consider enabling an additional feature that better secures that data.
How Data is Encrypted on Device
If you have an iPhone or iPad, you can protect the contents of your device using encryption. That means that if someone gets physical access to your device, they will also need your passcode to decrypt what's stored on it, including contacts, instant messages or texts, call logs, and email.
Modern Apple devices encrypt their contents by default, with various levels of protection, depending on what generation of phone you have and what state your phone is in (such as whether it's locked or unlocked, or whether it was just booted from a powered off state).
To protect against someone obtaining your data by physically stealing your device, you need to tie that encryption to a passphrase or code that only you know.
According to its guide for law enforcement, with a passcode enabled, Apple cannot help law enforcement extract information: "For all devices running iOS 8.0 and later versions, Apple is unable to perform an iOS device data extraction as the data typically sought by law enforcement is encrypted, and Apple does not possess the encryption key. All iPhone 6 and later device models are manufactured running iOS 8.0 or a later version of iOS." However, note that some law enforcement departments may have other means to access the data on your phone without needing Apple's assistance.
In the U.S., using a biometric—like your face scan or fingerprint—to unlock your phone may also compromise legal protections for the contents of your phone afforded to you under the Fifth Amendment privilege against compelled incrimination. Under current U.S. law—which is still in flux—using a memorized passcode generally provides a stronger legal footing to push back against a court order of compelled device unlocking/decryption. While EFF continues to fight to strengthen our legal protections against compelling people to decrypt their devices, there is currently less protection against compelled face and fingerprint unlocking than there is against compelled password disclosure.
You may have set up some sort of passcode when you first got your iPhone, but if you opted not to do so, or you'd like to change how you unlock your device, you can do so by heading to Settings > Face (or Touch) ID & Passcode. Here, you can set up an unlocking method or disable a biometric login in favor of passcode-only unlocking by unchecking the "iPhone Unlock" option under "Use Face (or Touch) ID for."
If you'd like, you can also change the requirements for the passcode your phone uses. Open Settings > Face (or Touch) ID & Passcode and tap "Change Passcode" (it will display "Set Passcode" if you did not enable one when you first set up your phone). When prompted to "Enter your new passcode," tap "Passcode Options" and you're offered the choice between different numeric lengths or an alphanumeric (both letters and numbers) code.
If for any reason you need to temporarily prevent Face (or Touch) ID from unlocking your iPhone, you can do so without jumping into menus:
Press and hold the side button and either volume button until the power off slider/emergency call option appears (you can do this whether your phone is locked or unlocked). If you click “cancel,” your phone will now require a passcode to unlock it.
How iCloud Data Is Encrypted
If you use an Apple device, there's a good chance you're storing at least some data on Apple's cloud service, which it calls iCloud. This can include a variety of information, ranging from your contact lists and app files to an entire backup of your iPhone. Some of this data is end-to-end encrypted—meaning only you will have the means to decrypt the data, not Apple—by default, while some of it is not.
Apple refers to its iCloud encryption categories as "Standard Data Protection," or "Advanced Data Protection." Standard is a type of encryption enabled by default, while Advanced is a feature you'll need to optionally turn on.
What "Standard Data Encryption" Means
Standard Data Protection means that much of the data stored in iCloud is stored with encryption keys that Apple has access to. The encryption keys from your devices are stored on Apple's servers, so Apple can decrypt that data when needed. This means the company can also help you recover your password if you've forgotten it. Even with Standard Data Encryption, some data is end-to-end encrypted, including potentially private information like Journal data, Health data, Wallet passes, and any passwords you store in the built-in password manager.
However, Standard Data Encryption does not encrypt an iCloud Backup of your device or the backup of conversations in Messages end-to-end. This means that Apple has access to the encryption keys to decrypt that potentially sensitive data.
What "Advanced Data Protection" Means
Advanced Data Protection enables end-to-end encryption of data that with Standard Data Protection is only encrypted in transit and on Apple's servers. In other words, you can now control the encryption keys and Apple will not be able to access any of this data. It also means Apple may not be able to help you regain access to your account. Advanced Data Protection includes a lot of crucial information, including your iCloud backup (which includes the backup of Messages), iCloud Drive, photos, notes, reminders, and more, as detailed in the table below.
With Advanced Data Protection enabled, your backups and most important files get the end-to-end encryption benefit, better securing your files against mass surveillance, rogue Apple employees, or potential data leaks. The trade-off is that Apple cannot help you recover this data if you lose access to your account, or any devices where the keys are stored. To protect against this, Apple allows you to create a recovery key you store yourself, or you can assign a recovery contact, a trusted person who can then provide a code that will help you regain access to your account. Your recovery contact cannot access any of your iCloud data.
There are still some types of data not included in Advanced Data Protection. Mostly this is data built around pre-existing standards, including Calendars, Contacts, and iCloud Mail. These will continue to be stored with Standard Data Protection. As noted in its guide for law enforcement, Apple also still collects some metadata about backups, iCloud Drive files, photos, notes, bookmarks, and messages.
Likewise, not all apps that use iCloud to sync or backup data will support Advanced Data Protection, and you may need to contact the developer of an app directly for clarity about how the app stores data. This may be more important to know for certain types of apps, like a notes or journaling app, than others, like a recipe storage app.
If data is stored with Advanced Data Protection, then your devices hold the keys to decrypt that data. If it's stored with Standard Data Protection, then Apple holds the keys, which means the company technically has the ability to decrypt that data itself, potentially including in response to requests from law enforcement.
Is the iCloud data end-to-end encrypted?
|  | Standard Data Protection | Advanced Data Protection |
| --- | --- | --- |
| Apple Card Transactions | ✔️ | ✔️ |
| Calendars |  |  |
| Contacts |  |  |
| Freeform |  | ✔️ |
| Health Data | ✔️ | ✔️ |
| Home data | ✔️ | ✔️ |
| iCloud Backup |  | ✔️ |
| iCloud Drive |  | ✔️ |
| iCloud Mail |  |  |
| Journal data | ✔️ | ✔️ |
| Maps | ✔️ | ✔️ |
| Memoji | ✔️ | ✔️ |
| Messages in iCloud | ✔️ | ✔️ |
| Notes |  | ✔️ |
| Passwords and Keychain | ✔️ | ✔️ |
| Payment Information | ✔️ | ✔️ |
| Photos |  | ✔️ |
| QuickType Keyboard Learned Vocabulary | ✔️ | ✔️ |
| Reminders |  | ✔️ |
| Safari | ✔️ | ✔️ |
| Safari Bookmarks |  | ✔️ |
| Screen Time | ✔️ | ✔️ |
| Siri Information | ✔️ | ✔️ |
| Siri Shortcuts |  | ✔️ |
| Voice Memos |  | ✔️ |
| W1 and H1 Bluetooth Keys | ✔️ | ✔️ |
| Wallet Passes |  | ✔️ |
| Wi-Fi Passwords | ✔️ | ✔️ |
How Data is Secured When Sharing or Collaborating
If you use any of Apple's collaboration tools to share data with others, then there are a few things to consider with how end-to-end encryption works.
Advanced Data Protection is maintained for shared content as long as it's shared with someone else who has Advanced Data Protection enabled. If you have an iCloud Drive shared folder, shared Notes, or use iCloud Shared Photo Library, all participants must have Advanced Data Protection enabled for sharing to work. For example, if you have an iCloud Drive folder that you share with someone, and you both have Advanced Data Protection enabled, then that folder will remain end-to-end encrypted. However, there is no indication when sharing files if the person you are sharing with has Advanced Data Protection enabled, so be sure to check with other people before sharing important files with them.
However, if you use any sort of iWork collaboration, like working with others on a document in Pages or Numbers, those files are not end-to-end encrypted. Likewise, if you share a file or folder using the "anyone with the link" option from an app, like Files or Photos, then that is no longer end-to-end encrypted. In these cases, Standard Data Protection is used.
How to Enable Advanced Data Protection
You can enable Advanced Data Protection from an iPhone, iPad, or Mac, and it'll apply across every other Apple device you own.
But before you can turn it on, you need to take a couple of steps: enable two-factor authentication for your Apple account if you haven't already, and update all your Apple devices to at least iOS 16.3, iPadOS 16.3, macOS 13.2, tvOS 16.3, and watchOS 9.3 (though globally you may need to use a more recent update). If you have older devices connected to the iCloud account that you're enabling ADP on, and they can't be updated, you may want to reconsider enabling Advanced Data Protection for now. We'll get into why and offer an alternative approach below. If you can update, follow these steps to turn on end-to-end encryption:
- On iPhone or iPad, open Settings (or System Settings on Mac) > "Your name" > iCloud > Advanced Data Protection > Account Recovery. Here, you're offered one of two options for a recovery method. This helps you regain access to your account since Apple will not be able to help you. You have to pick at least one recovery method, or you can do both:
  - Recovery contact: This is a friend or family member who owns an Apple device and who can help you regain access to your account if needed. They will not be able to access any of your data, but will instead be able to send you a recovery code that will get you back in. You can remove them from this same menu in the future, if you need to.
  - Recovery key: This is a 28-character code that gets you back into your account if needed. Apple doesn't get a copy, so if you lose it, you may lose access to your Apple account for good. If you choose this method, you'll need to type the key in a couple times, so write it down.
- Head back to the Settings (or System Settings on Mac) > "Your name" > iCloud > Advanced Data Protection > Account Recovery menu, tap "Turn on Advanced Data Protection," and follow the prompts. You'll need to enter your phone's PIN and the recovery key, if you chose that recovery method.
Once Advanced Data Protection is set up, you shouldn't ever have to think about it again unless you try to set up a new device that shipped with an older version of the OS (in which case you may need to temporarily disable Advanced Data Protection), you need to do an account recovery, or you need to access your iCloud data from a browser. If you do regularly access data from iCloud.com, head into Settings > "Your name" > iCloud and tap Access iCloud Data on the Web to turn on access if you need it.
If you have an older device that can't be updated to iOS 16.3 or newer, enabling Advanced Data Protection is only possible if you remove your Apple ID from that device. In many cases, this makes that device useless. For example, if you have an older Apple TV that cannot be updated, removing it stops you from accessing the App Store with your Apple ID, preventing you from using Netflix, Hulu, and any number of other apps. Apple should make this process smoother, giving people the option to sign up for Advanced Data Protection without removing the Apple ID from older devices, even if that means cutting off access to certain sharing features, like iCloud Drive or Apple Photos.
All's not completely lost, though. For some devices, like an Apple TV or an older MacBook, a workaround for this quirk is to create a second Apple ID, then assign it as a family member in Family Sharing, which should pass along many of your subscriptions or App Store downloads, but won't grant that device access to the type of data included in Advanced Data Protection. For example, you won't be able to access your photo library, but you could still access a Netflix subscription you pay for through Apple (if you don't pay for any subscriptions through Apple, you won't have anything to worry about). This can be a tedious process to set up. This workaround won't work for a device that relies more heavily on synced data, like an Apple Watch.