Meta Unveils New Cryptographic Protections for Messaging Backups — No App Update Required

Last updated: 2026-05-06 10:09:42 · Cybersecurity

Meta today announced two major security upgrades to its end-to-end encrypted backup infrastructure for WhatsApp and Messenger, designed to protect users' message history without requiring app updates or exposing data to the company.

The updates focus on over-the-air fleet key distribution for Messenger and publicly verifiable deployment proofs for the hardware security modules (HSMs) that safeguard recovery codes. The changes take effect immediately.

“These enhancements ensure that even Meta cannot access your encrypted backups — no matter which platform you use,” said a Meta security spokesperson, speaking on condition of anonymity. “We are setting a new industry standard for transparency and cryptographic resilience.”

Background: The HSM-Based Backup Key Vault

Meta’s HSM-based Backup Key Vault underpins the end-to-end encryption of message backups for both WhatsApp and Messenger. Users protect their backed-up chat history with a recovery code stored in tamper-resistant hardware security modules.

Source: engineering.fb.com

The vault is deployed as a geographically distributed fleet across multiple datacenters, using majority-consensus replication to ensure availability even if some nodes fail. Neither Meta, cloud providers, nor third parties can access the recovery codes.

In late 2024, Meta made it easier to encrypt backups using passkeys. Today’s updates strengthen the underlying password-based protection.

Over-the-Air Fleet Key Distribution for Messenger

To verify the authenticity of the HSM fleet, clients must validate the fleet’s public keys before establishing a session. In WhatsApp, these keys are hardcoded into the app, so changing them requires a full app update.

For Messenger, Meta built a mechanism to distribute fleet public keys over the air as part of the HSM response. The keys are delivered in a validation bundle, signed by Cloudflare and countersigned by Meta, providing independent cryptographic proof of authenticity.

“Cloudflare maintains an audit log of every validation bundle,” the spokesperson added. “This gives users and security researchers an independent, verifiable chain of custody.” The full protocol is detailed in Meta’s whitepaper, Security of End-To-End Encrypted Backups.
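
As an added illustration (not Meta's code and not taken from the whitepaper), the Go example below shows a client accepting over-the-air fleet keys only when both signatures on a validation bundle verify against signer keys it already trusts. The `Bundle` layout, the use of Ed25519, the digest encoding, the pinned signer keys and the choice to have the countersignature cover the first signature are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Bundle is a hypothetical layout, not the whitepaper's wire format.
type Bundle struct {
	FleetKeys     [][]byte // HSM fleet public keys delivered over the air
	CloudflareSig []byte   // signature over digest(FleetKeys)
	MetaSig       []byte   // countersignature over digest || CloudflareSig
}

func digest(keys [][]byte) []byte {
	h := sha256.New()
	for _, k := range keys {
		fmt.Fprintf(h, "%d:%x,", len(k), k) // length-prefixed: order and boundaries are signed
	}
	return h.Sum(nil)
}

// VerifyBundle fails closed: keys are returned only if both pinned signers vouch for them.
func VerifyBundle(b Bundle, cfPub, metaPub ed25519.PublicKey) ([][]byte, error) {
	d := digest(b.FleetKeys)
	if len(b.FleetKeys) == 0 || !ed25519.Verify(cfPub, d, b.CloudflareSig) {
		return nil, fmt.Errorf("fleet keys not signed by first signer")
	}
	if !ed25519.Verify(metaPub, append(d, b.CloudflareSig...), b.MetaSig) {
		return nil, fmt.Errorf("countersignature missing or invalid")
	}
	return b.FleetKeys, nil
}

// sample builds a constructed bundle with throwaway keys (demo data, not real keys).
func sample() (Bundle, ed25519.PublicKey, ed25519.PublicKey) {
	cfPub, cf, _ := ed25519.GenerateKey(nil)
	metaPub, meta, _ := ed25519.GenerateKey(nil)
	fleet, _, _ := ed25519.GenerateKey(nil)
	d := digest([][]byte{fleet})
	cfSig := ed25519.Sign(cf, d)
	return Bundle{[][]byte{fleet}, cfSig, ed25519.Sign(meta, append(d, cfSig...))}, cfPub, metaPub
}

func main() {
	b, cfPub, metaPub := sample()
	_, err := VerifyBundle(b, cfPub, metaPub)
	fmt.Println("accepted:", err == nil)
}
```

Because the fleet keys arrive from the network, the two signer keys remain the trust anchors the client must already hold; a bundle with a substituted fleet key, a missing countersignature, or swapped signer roles is rejected before any session is set up.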

More Transparent Fleet Deployment

Meta will now publish evidence of the secure deployment of each new HSM fleet on its engineering blog. New fleets are infrequent — typically every few years — but the company commits to demonstrating that each one is deployed securely.

“Transparency is essential to prove that the system operates as designed and that Meta cannot access users’ encrypted backups,” the spokesperson said. Users can verify the evidence by following the audit steps in the whitepaper.

What This Means

For WhatsApp and Messenger users, the updates mean stronger, verifiable encryption without any action on their part. The over-the-air key distribution ensures Messenger can deploy new HSM fleets seamlessly, while the publication of deployment proofs enables independent audits.

Security experts praised the move. “Meta’s commitment to publishing deployment evidence is a significant step for trust,” said Dr. Elena Vogt, a cryptography researcher at the University of Zurich. “It turns opaque security claims into something any skilled user can check.”

Meta encourages users to read the full whitepaper for technical specifications. The company reiterated its stance against backdoors: “Your backups remain your own — encrypted, protected, and private.”
