Does iCloud use client-side encryption?
I would like to know if iCloud uses client-side encryption i.e. all data is encrypted on client side and even Apple can't decrypt the data and read it.
Is this true for iCloud?
Solution 1:
No.
Apple securely transmits and stores the data to the cloud by using secure tokens for authentication - as officially stated in the iCloud security and privacy overview1 and the iCloud design guide2.
Apple also states they they will "never provide encryption keys to any third parties", which of course is not entirely true due to the Patriot Act3.
ArsTechnica states that Apple holds a master encryption key4 and is able to unencrypt any personal data - i.e. also for government requests. "This includes contacts, notes, unencrypted e-mails, application preferences, Safari bookmarks, calendars, and reminders." The data is only encrypted during transit and again when stored on Apple's servers. This is a necessity if Apple wants to provide browser access to iCloud data.
The Electronic Frontier Foundation notes5 that Apple is not inclined to be transparent about government requests.
As far as I understand the concept of client-side encryption, it suggests that all encryption must happen by the client as keys are not stored on the server (zero-knowledge policy).
Because Apple encrypts the data itself on the server for browser access it must store a key. Hence this is no client-side encryption.
1 - http://support.apple.com/kb/HT4865
2 - https://developer.apple.com/library/.../iCloudDesignGuide
3 - http://en.wikipedia.org/wiki/Patriot_act
4 - http://arstechnica.com/...apple-holds-the-master-key.../
5 - https://www.eff.org/pages/who-has-your-back/