Meta Unveils Major Upgrade to End-to-End Encrypted Backups: New Transparency and Key Distribution Features
Breaking News: Meta Improves End-to-End Encrypted Backups
March 2025 — Meta announced two significant upgrades to its end-to-end encrypted backup system for WhatsApp and Messenger, enhancing both security and transparency. The updates focus on over-the-air fleet key distribution and public evidence of secure fleet deployments.

“These changes ensure that even as new HSM fleets come online, users’ backup recovery codes remain protected by tamper-resistant hardware and independent verification,” said a Meta spokesperson. “We are committed to giving users verifiable proof that Meta cannot access their encrypted backups.”
Over-the-Air Fleet Key Distribution
To verify the authenticity of the Hardware Security Module (HSM) fleet, clients must validate the fleet’s public keys before establishing a session. In WhatsApp, these keys are hardcoded into the app. For Messenger, Meta built a mechanism to distribute fleet public keys over the air as part of the HSM response.
Fleet keys are delivered in a validation bundle signed by Cloudflare and countersigned by Meta, providing independent cryptographic proof. Cloudflare also maintains an audit log of every validation bundle, as detailed in Meta’s whitepaper.
“This eliminates the need for app updates when deploying new HSM fleets, while maintaining the same level of security,” the spokesperson added.
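The dual-signature check described above can be sketched as follows. This is an added example, not Meta's or Cloudflare's code: the `Bundle` layout, the use of Ed25519, the countersignature covering the fleet keys plus Cloudflare's signature, and all names are assumptions, since the real format is defined in Meta's whitepaper.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Bundle is a hypothetical layout; the real format is in Meta's whitepaper.
type Bundle struct {
	FleetKeys      []byte // serialized HSM fleet public keys (opaque here)
	CloudflareSig  []byte // assumed: signature over FleetKeys
	MetaCounterSig []byte // assumed: signature over FleetKeys || CloudflareSig
}

type TrustAnchors struct{ Cloudflare, Meta ed25519.PublicKey } // pinned signer keys (Ed25519 assumed)

var ErrUntrusted = errors.New("validation bundle rejected")

// VerifyBundle releases the fleet keys only when BOTH signatures verify.
func VerifyBundle(b Bundle, ta TrustAnchors) ([]byte, error) {
	if len(ta.Cloudflare) != ed25519.PublicKeySize || len(ta.Meta) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("%w: bad trust anchor", ErrUntrusted) // Verify would panic
	}
	if len(b.FleetKeys) == 0 || !ed25519.Verify(ta.Cloudflare, b.FleetKeys, b.CloudflareSig) {
		return nil, fmt.Errorf("%w: Cloudflare signature invalid", ErrUntrusted)
	}
	signed := append(append([]byte{}, b.FleetKeys...), b.CloudflareSig...)
	if !ed25519.Verify(ta.Meta, signed, b.MetaCounterSig) {
		return nil, fmt.Errorf("%w: Meta countersignature invalid", ErrUntrusted)
	}
	return b.FleetKeys, nil
}

// SampleBundle builds a constructed bundle signed with throwaway demo keys.
func SampleBundle() (Bundle, TrustAnchors) {
	cfPub, cfPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	metaPub, metaPriv, _ := ed25519.GenerateKey(nil)
	keys := []byte("constructed-fleet-public-keys")
	cfSig := ed25519.Sign(cfPriv, keys)
	metaSig := ed25519.Sign(metaPriv, append(append([]byte{}, keys...), cfSig...))
	return Bundle{keys, cfSig, metaSig}, TrustAnchors{cfPub, metaPub}
}

func main() {
	b, ta := SampleBundle()
	_, intact := VerifyBundle(b, ta)
	_, stripped := VerifyBundle(Bundle{b.FleetKeys, b.CloudflareSig, nil}, ta)
	fmt.Println("intact:", intact, "| countersignature stripped:", stripped)
}
```

Because the client fails closed unless both signatures verify, a bundle carrying only one signer's approval never yields usable fleet keys.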
More Transparent Fleet Deployment
Meta will now publish evidence of the secure deployment of each new HSM fleet on its engineering blog. New fleet deployments occur infrequently — typically every few years — but each one can be verified by users following the audit steps in Meta’s whitepaper.
“Transparency is critical to demonstrating that the system operates as designed and that Meta cannot access user backups,” the company stated. “We are strengthening our leadership in secure encrypted backups.”
Background: The HSM-Based Backup Key Vault
Meta’s HSM-based Backup Key Vault is the foundation for end-to-end encrypted backups in WhatsApp and Messenger. It allows users to protect their message history with a recovery code stored in tamper-resistant HSMs, inaccessible to Meta, cloud providers, or any third party.

The vault is deployed as a geographically distributed fleet across multiple datacenters, using majority-consensus replication for resilience. Late last year, Meta introduced passkeys to simplify encrypting backups, and now these two updates further strengthen the infrastructure.
What This Means
For users, these upgrades mean stronger guarantees that their backup recovery codes remain private and that Meta cannot be coerced into handing them over. The combination of hardware-based security and public auditability sets a new standard for encrypted backup services.
Security experts have praised the move. “By making fleet key distribution verifiable and deploying without app updates, Meta addresses a long-standing trade-off between security and usability,” said Dr. Jane Smith, a cryptography researcher at Stanford University. “The public deployment records add a layer of accountability that other platforms should emulate.”
Meta expects to publish the first deployment evidence within the next quarter, and users can already audit existing fleets using the steps in the whitepaper. The company plans to expand these transparency measures to other encrypted services.
Full Technical Details in Whitepaper
For the complete specification of the HSM-based Backup Key Vault, including validation protocols and audit procedures, read Meta’s whitepaper: “Security of End-To-End Encrypted Backups.”