Data is encrypted on your iPhone or iPad, and on your Mac, assuming you’ve enabled FileVault. iCloud data is encrypted when it is sent to and from Apple’s servers, and at rest on Apple’s servers, but the company still has encryption keys, and can access some of your data when requested by law enforcement.
End-to-end encryption, however, removes any possibility of a third party accessing your data: you have the only keys to the data on your devices. Apple’s Advanced Data Protection enables this level of security, but there are some limitations to the way it works.
In this article, I’ll explain what Advanced Data Protection is, how to enable it, and whether you should turn this feature on.
What is Advanced Data Protection?
Apple says that Advanced Data Protection gives users the “highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.”
Currently, not all iCloud services are protected by end-to-end encryption. This Apple support document lists the different data categories and the type of encryption they use. “In transit & on server” means that the data is potentially accessible to Apple employees or law enforcement. And, as Apple says, some classes of data cannot be end-to-end encrypted: “The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems.”
What are the requirements to use Advanced Data Protection?
To enable Advanced Data Protection, you must have:
- Two-factor authentication enabled for your Apple ID
- Passcodes or passwords set on your devices (yes, it’s possible to set up iPhones and Macs without passcodes or passwords)
- At least one account recovery contact or recovery key.
In addition, every device you log into with your Apple ID must be using recent versions of Apple’s operating systems: iOS 16.0 or later, iPadOS 16.2 or later, and macOS 13.1 or later. You access some data from your iCloud account with other devices, so any Apple TV, Apple Watch, or HomePod must also be running recent software, and, if you use iCloud for Windows, it must be version 14.1 or later.
This means that if you’re running an older device that can’t be upgraded, you either cannot use Advanced Data Protection, or you must create a new Apple ID to use on that device.
How to enable Advanced Data Protection
As long as you’ve met the above requirements, enabling Advanced Data Protection simply requires toggling one setting. You can only do this on an iPhone, iPad, or Mac.
Go to Settings, tap or click your name, then tap or click iCloud. Scroll down to Advanced Data Protection and click it. You’ll see a screen like this:
Your device will then tell you to review your recovery methods, and Advanced Data Protection will be enabled.
Accessing icloud.com with Advanced Data Protection enabled
When you enable Advanced Data Protection, access to your data on the iCloud.com website is turned off to ensure that data is only accessible on your trusted devices. If you need to access this data on the web, you can temporarily grant access via one of your trusted devices.
To do this, turn on Access iCloud Data on the Web; the setting is just below the Advanced Data Protection setting. A request is sent to your trusted devices, and, if you approve this, you can access your data on icloud.com for one hour. Each time you access a new category of data — such as photos, notes, or files — you’ll need to approve that access from your trusted device.
For more on accessing data on the web when Advanced Data Protection is enabled, see this Apple support document.
How to turn off Advanced Data Protection
Go to Settings > your name > iCloud, then scroll down and turn off Advanced Data Protection.
Should you use Advanced Data Protection?
Advanced Data Protection offers the highest level of protection for your data, but with some limitations. The risk of no longer being able to access data, if you forget your Apple ID password, is real, but you have to set up a recovery contact and a recovery key in case that happens. If you often use icloud.com to access data, or to work with Apple’s iWork apps – Pages, Numbers, and Keynote – then the requirement to regularly grant web access may be a hindrance.
For most people, Advanced Data Protection is overkill, and adds constraints to accessing your data, but you may want this protection so all your data is end-to-end encrypted.