Meta Unveils Major Security Upgrades for End-to-End Encrypted Backups
Meta Announces Two Key Enhancements to Encrypted Backup System
Meta today introduced two critical security updates for its end-to-end encrypted backup infrastructure, aiming to further protect user data on WhatsApp and Messenger. The company is deploying over-the-air fleet key distribution for Messenger and committing to publish evidence of secure fleet deployments, reinforcing its HSM-based Backup Key Vault system.

“These measures ensure that even Meta cannot access users’ backup data,” said a Meta security engineer. “Our goal is to give people complete control over their message history.”
Over-the-Air Fleet Key Distribution for Messenger
Previously, WhatsApp users relied on hardcoded public keys to verify HSM fleets. For Messenger, new fleets can now be authenticated without an app update. Fleet keys are delivered in a validation bundle signed by Cloudflare and counter-signed by Meta, providing independent cryptographic proof.
“This mechanism eliminates the need for frequent app updates while maintaining strong security,” the engineer explained. Cloudflare maintains an audit log of every bundle, ensuring transparency.
Transparency in Fleet Deployment
Meta will now publish evidence of each new HSM fleet’s secure deployment on its engineering blog. The company stated that new fleets are deployed infrequently—every few years—and each deployment can be independently verified by users following the steps in the security whitepaper.
“Demonstrating that our system operates as designed is crucial,” the engineer added. “Users can trust that no third party, including Meta, accesses their backups.”
Background: The HSM-Based Backup Key Vault
Meta’s HSM-based Backup Key Vault underpins end-to-end encrypted backups. The system allows users to protect their message history with a recovery code stored in tamper-resistant hardware security modules (HSMs) across multiple datacenters. The recovery code is inaccessible to Meta, cloud providers, or any adversary.

Late last year, Meta added passkey support for easier backup encryption. Today’s updates build on that foundation by strengthening key distribution and deployment transparency.
What This Means
These updates significantly raise the bar for user privacy. Over-the-air key distribution enables Messenger to expand encrypted backups without compromising security. The commitment to publish fleet deployment proofs allows anyone to audit the system, increasing trust.
“Meta is making encrypted backups more robust and verifiable,” said a cybersecurity analyst. “This sets a new industry standard for how platforms should handle sensitive user data.”
Users on both WhatsApp and Messenger can now benefit from stronger protections against unauthorized access. The changes are particularly important as governments and hackers increasingly target cloud-stored data.
How to Verify
Individuals can audit fleet deployments by following the steps in Meta’s whitepaper, “Security of End-To-End Encrypted Backups.” The document provides the full technical specification and audit procedures.
Meta encourages all users to enable end-to-end encrypted backups via the app settings.
Related Articles
- Iranian State-Backed Hackers Target U.S. Critical Infrastructure, Causing Operational Disruptions
- Cyber Threat Landscape: Key Incidents and Vulnerabilities from Early May
- UNC6692 Deploys Custom Malware via Fake IT Helpdesk Calls, Google Warns
- How to Leverage AI for Mass Vulnerability Discovery: A Guide Based on the Firefox-Claude Mythos Case
- Defending Against Hypersonic Supply Chain Attacks: A Case Study in Zero-Day Protection
- BitLocker YellowKey Exploit: A Comprehensive Mitigation Guide
- Zero-Day Supply Chain Attacks Surge: SentinelOne Blocks Three Unseen Payloads in Single Day
- Inside the Scattered Spider Cyberattack: A Step-by-Step Guide to Understanding Their Tactics and Defending Against SIM-Swap Phishing