Turning on End-to-End Encryption
How to sync your portfolio across your devices while retaining full privacy.
Last updated
You can sync your Portfolio Tracker across your devices in a fully private manner by using end-to-end encryption for iCloud documents. Apple calls this feature "Advanced Data Protection".
See this guide to find out how to turn it on.
Advanced Data Protection for iCloud is an optional setting that offers Apple’s highest level of cloud data security. When a user turns on Advanced Data Protection, their trusted devices retain sole access to the encryption keys for the majority of their iCloud data, thereby protecting it with end-to-end encryption.
You can turn on Advanced Data Protection on an iPhone with iOS 16.2, an iPad with iPadOS 16.2, or a Mac with macOS 13.1. Turning on Advanced Data Protection on one device enables it for your entire account and all your compatible devices.
On iPhone or iPad:
Open the Settings app.
Tap your name, then tap iCloud.
Scroll down, tap Advanced Data Protection, then tap Turn on Advanced Data Protection.
Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.
On a Mac:
Choose Apple menu > System Settings.
Click your name, then click iCloud.
Click Advanced Data Protection, then click Turn On.
Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.
When the user turns on Advanced Data Protection, their trusted device performs two actions. First, it communicates the user’s intent to turn on Advanced Data Protection to their other devices that participate in end-to-end encryption. It does so by writing a new value, signed by device-local keys, into its iCloud Keychain device metadata. Apple servers can’t remove or modify this attestation while it gets synchronized with the user’s other devices.
Second, the device initiates the removal of the available-after-authentication service keys from Apple data centers. As these keys are protected by iCloud HSMs, this deletion is immediate, permanent, and irrevocable. After the keys are deleted, Apple can no longer access any of the data protected by the user’s service keys. At this time, the device begins an asynchronous key rotation operation, which creates a new service key for each service whose key was previously available to Apple servers. If the key rotation fails, due to network interruption or any other error, the device retries the key rotation until it’s successful.
After the service key rotation is successful, new data written to the service can’t be decrypted with the old service key. It’s protected with the new key which is controlled solely by the user’s trusted devices, and was never available to Apple.
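To make the key-custody transition described above concrete, here is an added, constructed Python model; it is not Apple's code and not part of this guide's original text. It uses a toy SHA-256 keystream cipher in place of the real service-key cryptography, in-memory dicts in place of iCloud HSMs and a trusted device, and an injected counter of transient "network" failures to exercise the retry-until-successful rotation. The class and method names (AppleServer, TrustedDevice, turn_on_advanced_data_protection) are assumptions made for the model.

```python
"""Constructed model of the Advanced Data Protection key-custody change.

Not Apple's implementation: the cipher, the server, the device and the
failure injection are all stand-ins chosen to illustrate the sequence
the text describes (signed intent, immediate key deletion, retried rotation).
"""
import hashlib
import hmac
import secrets


class NetworkError(Exception):
    """Stand-in for a transient sync failure during key rotation."""


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for the model: XOR against SHA-256(key||nonce||ctr)."""
    out, block = bytearray(), 0
    while len(out) < len(data):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        chunk = data[len(out):len(out) + 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
        block += 1
    return bytes(out)


class AppleServer:
    """Holds 'available-after-authentication' service keys until ADP deletes them."""

    def __init__(self):
        self.service_keys = {}          # service -> {key_id: key}
        self.rotation_failures_left = {}  # service -> failures to inject (constructed)

    def can_decrypt(self, service, record):
        key_id, _nonce, _ct = record
        return key_id in self.service_keys.get(service, {})

    def delete_service_keys(self):
        # Modelled as immediate and irrevocable, as described for HSM-held keys.
        self.service_keys.clear()

    def accept_rotation(self, service):
        left = self.rotation_failures_left.get(service, 0)
        if left > 0:
            self.rotation_failures_left[service] = left - 1
            raise NetworkError(f"sync interrupted for {service}")


class TrustedDevice:
    def __init__(self, server, services):
        self.server = server
        self.device_local_key = secrets.token_bytes(32)
        self.key_ring = {}   # service -> {key_id: key}; device keeps old keys too
        self.current = {}    # service -> key_id currently used for new writes
        self.metadata = []   # signed entries in iCloud Keychain device metadata
        for s in services:
            self._provision(s, share_with_server=True)

    def _provision(self, service, share_with_server):
        key = secrets.token_bytes(32)
        key_id = hashlib.sha256(key).hexdigest()[:16]
        self.key_ring.setdefault(service, {})[key_id] = key
        self.current[service] = key_id
        if share_with_server:  # pre-ADP: the server also holds the service key
            self.server.service_keys.setdefault(service, {})[key_id] = key
        return key_id

    def write(self, service, plaintext: bytes):
        key_id = self.current[service]
        nonce = secrets.token_bytes(12)
        return (key_id, nonce, keystream_xor(self.key_ring[service][key_id], nonce, plaintext))

    def read(self, service, record):
        key_id, nonce, ct = record
        return keystream_xor(self.key_ring[service][key_id], nonce, ct)

    def turn_on_advanced_data_protection(self, max_attempts=10):
        # 1. Signal intent to other participating devices via a signed metadata entry.
        entry = b"advanced-data-protection:on"
        sig = hmac.new(self.device_local_key, entry, hashlib.sha256).digest()
        self.metadata.append((entry, sig))
        # 2. Delete server-held keys first, then rotate each service key, retrying
        #    on transient failures (bounded here only so the model terminates).
        self.server.delete_service_keys()
        attempts = {}
        for service in list(self.key_ring):
            for attempt in range(1, max_attempts + 1):
                try:
                    self.server.accept_rotation(service)
                    self._provision(service, share_with_server=False)
                    attempts[service] = attempt
                    break
                except NetworkError:
                    continue
            else:
                raise RuntimeError(f"rotation for {service} never succeeded")
        return attempts


def demo():
    """Run the transition once and report who can read which record."""
    server = AppleServer()
    server.rotation_failures_left["Drive"] = 2   # two injected transient failures
    device = TrustedDevice(server, ["Drive", "Notes"])
    old = device.write("Drive", b"portfolio v1")
    old_key_id = old[0]
    server_read_old_before = server.can_decrypt("Drive", old)
    attempts = device.turn_on_advanced_data_protection()
    new = device.write("Drive", b"portfolio v2")
    return {
        "server_read_old_before_adp": server_read_old_before,
        "server_reads_old_after_adp": server.can_decrypt("Drive", old),
        "server_reads_new_after_adp": server.can_decrypt("Drive", new),
        "device_reads_old": device.read("Drive", old),
        "device_reads_new": device.read("Drive", new),
        "rotation_attempts": attempts,
        "key_rotated": new[0] != old_key_id,
    }
```

The order matters: the server-held keys are cleared before any new key exists, so even a rotation that fails and is retried never leaves a window in which the server can decrypt new writes. Records written before the change remain readable only by the device, which still holds the old key in its ring.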
When a user first turns on Advanced Data Protection, web access to their data at iCloud.com is automatically turned off. This is because iCloud web servers no longer have access to the keys required to decrypt and display the user’s data. The user can choose to turn on web access again, and use the participation of their trusted device to access their encrypted iCloud data on the web.
After turning on web access, the user must authorize the web sign-in on one of their trusted devices each time they visit iCloud.com. The authorization “arms” the device for web access.
Advanced Data Protection is designed to maintain end-to-end encryption for shared content as long as all participants have Advanced Data Protection enabled. This level of protection is supported in most iCloud sharing features, including iCloud Drive shared folders.
iWork collaboration and sharing content with “anyone with the link” don’t support Advanced Data Protection. This means the shared content is not end-to-end encrypted even when Advanced Data Protection is enabled.
If you want to give someone access to your portfolio in a fully private manner, we recommend placing the Numbers file inside a shared iCloud folder and making sure both parties have Advanced Data Protection enabled.