How to turn on end-to-end encryption on iPhone

Your iPhone holds a vast amount of sensitive data: everything from messages and photos to health and financial records. Some types of data (like health data, passwords stored in iCloud Keychain, and payment information) are already protected with end-to-end encryption on iOS by default. This means that the encryption keys are stored only on your devices, and not even Apple can access or decrypt this information.
However, plenty of other iCloud data (device backups, iCloud Drive files, Notes, and Photos, for example) isn’t end-to-end encrypted by default. This data is encrypted in transit and at rest, but Apple still holds the keys, which means it could, technically, access that data, and so could intruders in the event of a cloud breach. Advanced Data Protection changes that by expanding end-to-end encryption to nearly all iCloud data categories (25 in total, compared to 15 with Standard Protection).
With this feature enabled, your trusted devices become the sole custodians of the encryption keys. Apple can no longer assist you in recovering your data, so setting up recovery contacts or a recovery key becomes essential. This guide will show you how to turn on Advanced Data Protection and what to consider before you do.
Before you begin
Setting up end-to-end encryption on your iPhone is straightforward. You simply turn on Advanced Data Protection on one of your devices, and it enables it for your entire account and all your compatible devices (not just the iOS ones). That said, there are a few things you should check first.
1. Update to the latest iOS version
Every device signed in with your Apple ID must be running up-to-date software. This includes your iPhone (iOS 16.2 or later), iPad (iPadOS 16.2 or later), Mac (macOS 13.1 or later), Apple Watch (watchOS 9.2 or later), and Apple TV (tvOS 16.2 or later). Updates often include important security fixes and new privacy features. To update:
- First, back up your device using iCloud or your computer. Then, open Settings > General and tap Software Update. If an update is available, tap Update Now or Download and Install (depending on your device) and wait for your phone to restart.
- You can also set your device to run automatic updates. Go to Settings > General > Software Update > Automatic Updates and toggle on iOS Updates to both automatically download and install.
2. Turn on two-factor authentication
Two-factor authentication (2FA) adds a one-time code to your password. Without it, Advanced Data Protection will not start. Check if 2FA is on. If it isn’t, turn it on in the following way:
- Tap Settings > [Your Name] > Sign-In & Security.
- Tap Two-Factor Authentication, tap the method you want to use for verification (trusted phone number, trusted device, security key, or verification code), and make sure Two-Factor Authentication is toggled on.
Why this extra step? End-to-end encryption relies on trusted devices. If a thief guesses your Apple ID password, the one-time code blocks them from adding a new device and grabbing your keys.
Note: Advanced Data Protection can’t be used with Managed Apple IDs or with accounts set up for children.
How to enable end-to-end encryption on iPhone
Before we get into how, think through the risks of turning this feature on. Consider these questions:
- Are you ready to be your own backup? Once this feature is active, your data rests on you alone. If you’d rather keep Apple’s recovery help in your back pocket, stay with the default option.
- Are you confident you can guard your Recovery Key? Or keep a trusted contact reachable? Lose that key or contact, and you’re locked out for good.
- Do you depend on accessing iCloud.com from other machines? This feature blocks direct web access. You can still grant one-time access from a trusted Apple device, but that extra step can slow you down.
Step-by-step guide to turn on Advanced Data Protection
Once you have completed the prerequisites, you can enable end-to-end encryption. It involves a few steps. Some features are on by default, but others need to be enabled manually. To turn it on:
- Tap Settings > iCloud, scroll down, and turn on Advanced Data Protection.
- Follow the onscreen instructions to review your recovery methods. If you haven’t set up a Recovery Key or Recovery Contact yet, follow the steps below.
Set up your Recovery Key
The Recovery Key is one of the two recovery methods you can use if you forget your Apple ID while Advanced Data Protection is switched on. Use these steps to add or update your Recovery Key:
- Go to Settings > [Your Name] > Sign-In & Security. Under Recovery methods, tap Recovery Key.
- Then toggle on Recovery Key and tap Use Recovery Key.
- Write down the key and keep it in a safe place. Then, tap Continue, retype the 28-character Recovery Key to verify it, and tap Next.
Set up your Recovery Contact
An Account Recovery Contact is a trusted friend or family member who can help you regain access to your account. This person does not get any access to your data; they can only generate a six-digit recovery code for you upon request.
If you are locked out, you can contact them, and they can get a code from their Apple device’s settings. Entering this code on your device will allow you to reset your password and regain access. Here’s how to set it up:
- Go to Settings > [Your Name] > Sign-in & Security and tap Recovery Contacts > Add Recovery Contact. Follow the onscreen prompts to authenticate.
- Your device will recommend people from your Family Sharing group first. If you prefer, tap Choose Someone Else to pick from your full contacts list.
Family members are added automatically. If you choose another contact, they will first need to accept your request. You’ll be prompted to send a message to let them know. Once they approve, you’ll get a notification confirming they have been added as your recovery contact.
All of your devices must run iOS 15, iPadOS 15, watchOS 8, or macOS Monterey or later. You may be prompted to update or remove any that don’t meet this requirement. You must also be at least 13 years old and have 2FA turned on for your Apple Account.
Remember: When you turn on Advanced Data Protection, it disables web access to your iCloud data at iCloud.com. This adds an extra layer of security by restricting access to your trusted devices only. You can choose to restore web access, but you’ll need to approve each temporary session using one of your trusted devices.
Enable iMessage and FaceTime encryption
iMessage and FaceTime are end-to-end encrypted by default. You don’t need to do anything extra to protect these. This means when you send a message with iMessage, only you and the recipient can read it. FaceTime calls are also encrypted, so only you and the person you call can hear or see the conversation.
For an even higher level of security, you can enable iMessage Contact Key Verification (available on iOS 17.2 or later). This feature helps you verify that you are messaging the intended person and not an impostor. To turn it on:
- Go to Settings > [Your Name] > Contact Key Verification. Turn on Verification in iMessage.
Once enabled, you can verify a contact by comparing a code that you both generate on your devices. You can do this in person, on a FaceTime call, or through another secure call. If the codes match, you can mark the contact as verified.
Check encryption status in iCloud settings
The easiest way to confirm that your iCloud data is encrypted is to check the setting itself.
- Go to Settings > [Your Name] > iCloud and tap Advanced Data Protection. If the feature is listed as On, then the expanded list of data categories, including iCloud Backup, Photos, and Notes, is now end-to-end encrypted.
Another indicator is that web access to your data at iCloud.com is automatically disabled when you enable Advanced Data Protection. This is because Apple’s web servers no longer have the keys required to decrypt and display your data.
Remember: Even with Advanced Data Protection enabled, a few categories, including iCloud Mail, Contacts, and Calendar, remain under standard encryption. This is because they need to interoperate with the standard email, contacts, and calendar systems used by other providers. Apple still encrypts this data in transit and on its servers.
What to do if you forget your encryption credentials
When you enable Advanced Data Protection, you gain privacy, but you also take on a new responsibility. A clear warning is presented during setup: if you use Advanced Data Protection, you’re responsible for your data recovery.
When Apple deletes its copies of your encryption keys, it can no longer help you regain access to your account or data if you forget your password. This is why Apple requires you to set up at least one alternative recovery method before you can turn on the feature.
Without a recovery method, forgetting your password could mean permanently losing access to years of photos, notes, documents, and device backups. With that in mind, here’s what you can do if you forget your credentials.
Recover access using the Recovery Key
Your Recovery Key is the 28-character code that was generated when you set up Advanced Data Protection. In a situation in which your device gets lost, stolen, or damaged and you don’t remember your password, you can use it to recover access to your Apple account on a different Apple device. Apart from an Apple device and the Recovery Key, you’ll also need a trusted phone number (unfortunately, if that is the phone you lost, this option won’t work) and your Apple ID. Here’s the process:
- On an Apple device, go to Settings and try signing into your account. Click/tap Forgot password?
- Enter your trusted email or phone number and confirm it.
- Send the verification code and enter it on the device on which you’re trying to sign in. Enter your Recovery Key. Once you do this, you’ll be able to reset your password.
Recover access using the Recovery Contact
If you are locked out of your account, you can initiate the recovery process from an Apple device. When attempting to sign in, select “Forgot Password or Apple ID?” The system will ask you for your phone number and email and may ask you to confirm other details.
When you can’t verify your identity through other means, the system will present account recovery as an option. You will see a choice to use your Recovery Contact.
Your designated Recovery Contact will have to follow these steps:
- Go to Settings > [Their Name] > Sign-in & Security > Recovery Contacts.
- They will see your name as the person who has requested help. They should tap on your name and select Get Recovery Code. A six-digit code will appear on their screen.
Once they have this code, they can share it with you to enter on your device and regain access to your account.
When you may lose access to encrypted data
It’s possible to be permanently locked out of your account and lose your encrypted data. This would happen if all of the following conditions are met:
- You forget your Apple ID password.
- You lose access to all of your trusted devices.
- You lose your 28-character Recovery Key.
- You are unable to get a code from your Account Recovery Contact.
Additionally, if you reset your end-to-end encrypted data, it will remove access to certain information.
In this scenario, there is no way to recover the encryption keys, and resetting your account would result in the permanent loss of your iCloud Backup, photos, notes, and other data protected by the feature.
How to turn off end-to-end encryption (and when you shouldn’t)
You can turn off Advanced Data Protection at any time, but you should understand the security implications before doing so.
Risks of disabling encryption
Turning off Advanced Data Protection reverts your account to the standard level of security. When you do this, your device securely uploads the necessary encryption keys back to Apple’s servers. While your data remains encrypted, Apple once again holds the keys.
This reintroduces the risk that your data could be exposed in a cloud data breach or accessed via a government request, risks that Advanced Data Protection was designed to prevent.
How to turn it off
- Open Settings > [Your Name] > iCloud. Tap Advanced Data Protection and Turn Off Advanced Data Protection.
- Apple will warn you about the risks before you confirm.
The device uploads a fresh copy of the decryption key to Apple. Wait for the progress bar to finish. You can switch the feature back on later without losing data, although you’ll have to re-enter your recovery details.
FAQ: Common questions about E2EE on iPhone
Does iPhone encryption work without iCloud?
Yes. The physical storage on your iPhone is encrypted by default, a feature Apple calls Data Protection. This encryption is active as long as you have a passcode, Face ID, or Touch ID set up on your device. At the bottom of the Settings > Face ID & Passcode screen, you’ll see the text “Data protection is enabled.” This on-device encryption is separate from iCloud encryption and protects the data on your phone if it’s lost or stolen.
Is my WhatsApp or iMessage encrypted?
Yes, your personal WhatsApp messages, calls, photos, and files are end-to-end encrypted by default using the industry-standard Signal Protocol. This means WhatsApp and its parent company, Meta, can’t read your messages.
But there is a critical detail when it comes to backups. By default, your WhatsApp chat history backed up to iCloud under Standard Protection is not end-to-end encrypted. To secure your backups, you must manually enable encrypted backups inside the WhatsApp app's settings (Settings > Chats > Chat Backup > End-to-End Encrypted Backup). After you do this, the encrypted chat history will be excluded from iCloud device backups.
Can Apple access my encrypted data?
No. Apple engineers do not keep your keys once Advanced Data Protection is on. The company still holds basic account details like billing info, but that data sits outside the encrypted vault.
Are iPhones end-to-end encrypted?
It’s helpful to think of your iPhone’s security in three distinct parts: the data stored physically on your device (always encrypted), the data you sync with iCloud (some of which is end-to-end encrypted by default, with Advanced Data Protection extending this to most categories), and your internet connection itself.
While your device and iCloud data can be secured, your internet traffic can still expose information about your browsing habits and location. Use ExpressVPN to encrypt this connection, protecting your activity from being monitored on Wi-Fi networks and by your internet provider.
Do iPhone messages have end-to-end encryption?
Yes. iMessage uses a protocol inspired by Signal Protocol, which is the backbone of Signal, a free, open-source messaging app known for its strong privacy and security features, especially its use of end-to-end encryption. That stays in place whether or not you switch on Advanced Data Protection. What changes is the status of any chat history stored in iCloud: If you opt to back up your messages in iCloud, they won’t be end-to-end encrypted under Standard Protection (you’ll have to enable Advanced Data Protection for that).
How do I know if end-to-end encryption on my iPhone is enabled?
You can check if end-to-end encryption is enabled on your iPhone by looking at individual services and settings, as there isn’t a single master switch. The easiest way to check for iMessage encryption is by looking at the color of your message bubbles.
Blue bubbles indicate that the conversation is with another Apple device user via iMessage. These messages are end-to-end encrypted. Green bubbles signify that you're communicating with a non-Apple user (e.g., an Android phone). These are standard SMS/MMS messages and are not encrypted.