![imagen[1]-How Meta Is Strengthening End-to-End Encrypted Backups For Windows 7,8,10,11-Winpcsoft.com](https://winpcsoft.com/wp-content/plugins/wp-fastest-cache-premium/pro/images/blank.gif)
The HSM-based Backup Key Vault
Metas HSM based Backup Key Vault Provides the foundation for end-to-end encrypted backups for WhatsApp and Messenger. The system allows users to protect their backed up message history with a recovery code, ensuring that the recovery code is stored in tamper-resistant hardware security modules (HSMs) and is inaccessible to Meta, cloud storage providers or third parties. The vault is deployed as a geographically distributed fleet across multiple data centers and provides resiliency through majority consensus replication.
At the end of last year we did made it easier to encrypt your backups end-to-end using passkeysand now we continue to strengthen the underlying infrastructure that protects password-based end-to-end encrypted backups with two updates: over-the-air fleet key distribution for Messenger and a commitment to publishing evidence of secure fleet deployments.
Over-the-air fleet key distribution
To verify the authenticity of the HSM fleet, clients validate the fleet’s public keys before establishing a session. In WhatsApp, these keys are hardcoded into the application. To support Messenger – where new HSM fleets need to be deployed without requiring an app update – we have developed a mechanism to wirelessly distribute fleet public keys as part of the HSM Response. Fleet keys are delivered in a validation package signed by Cloudflare and countersigned by Meta, providing independent cryptographic proof of their authenticity. Cloudflare also maintains an audit trail for each validation package. The full validation protocol is described in our white paper: “Security through end-to-end encrypted backups."
More transparent fleet deployment
Transparency in the deployment of our HSM fleet is critical to demonstrate that the system is working as intended and Meta cannot access users’ encrypted backups. We will now publish evidence of the safe deployment of each new HSM fleet on this blog site, further solidifying our efforts Leader in secure encrypted backups. Deployment of new fleets occurs infrequently – typically no more than every few years – and we strive to demonstrate to our users that each new fleet is deployed securely. Any user can verify this by following the steps in the Verification section of our white paper.
Read the white paper
The full technical specification of the HSM-based Backup Key Vault can be found in full white paper: “Security through end-to-end encrypted backups."