Betsports

Meta’s Enhanced End-to-End Encrypted Backup System: Explained

Published: 2026-05-03 21:19:11 | Category: Cybersecurity

Meta continues to advance the security of end-to-end encrypted backups for its messaging platforms, WhatsApp and Messenger. At the core is the HSM-based Backup Key Vault, a system that safeguards recovery codes using tamper-resistant hardware security modules (HSMs). Recent improvements include over-the-air fleet key distribution for Messenger and a new commitment to publish evidence of secure fleet deployments, further strengthening user trust. Below, we answer key questions about these developments.

What is the HSM-based Backup Key Vault and how does it protect encrypted backups?

The HSM-based Backup Key Vault is Meta's foundational system for securing end-to-end encrypted backups in WhatsApp and Messenger. It allows users to protect their backed-up message history with a recovery code. This recovery code is stored exclusively in tamper-resistant hardware security modules (HSMs), ensuring that Meta, cloud storage providers, or any third party cannot access it. The vault is deployed as a geographically distributed fleet across multiple datacenters, using majority-consensus replication to maintain resilience and availability.

Source: engineering.fb.com

How did Meta make it easier to end-to-end encrypt backups using passkeys?

Late last year, Meta introduced support for passkeys as a simpler method to end-to-end encrypt backups. Previously, users had to manage complex recovery codes or passwords. With passkeys—typically biometric authentication or device-based credentials—encrypting backups becomes more user-friendly while maintaining strong security. This update lowered the barrier for users to enable encryption without compromising on protection, as passkeys rely on secure hardware-backed authentication on the user's device.

What are the two recent updates to strengthen password-based encrypted backups?

Meta has announced two key updates to enhance the security of password-based end-to-end encrypted backups. First, it implemented over-the-air (OTA) fleet key distribution for Messenger, enabling new HSM fleets to be deployed without requiring an app update. Second, Meta committed to publishing evidence of secure deployments for each new HSM fleet on its blog, increasing transparency. These updates ensure that the underlying infrastructure remains robust and verifiable by users and auditors.

How does over-the-air fleet key distribution work for Messenger?

To support Messenger, Meta built a mechanism to distribute HSM fleet public keys over the air as part of the HSM response, eliminating the need for app updates. The fleet keys are delivered in a validation bundle signed by Cloudflare and counter-signed by Meta, providing independent cryptographic proof of authenticity. Cloudflare maintains an audit log of every bundle, ensuring accountability. This approach allows Meta to deploy new HSM fleets dynamically while clients can verify the fleet’s public keys before establishing a secure session, similar to how WhatsApp hardcodes keys but with greater flexibility.
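The client-side check described above can be sketched as follows. This is an added example, not Meta's or Cloudflare's code: the `Bundle` layout, the use of Ed25519, the counter-signature covering the fleet keys plus Cloudflare's signature, and the audit log modelled as a set of SHA-256 digests are all assumptions, since the page does not give the real format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Bundle is a hypothetical layout; the page does not give the real wire format.
type Bundle struct {
	FleetKeys, CFSig, MetaSig []byte
}

// cfSigned is what Meta counter-signs here: the fleet keys plus Cloudflare's signature.
func (b Bundle) cfSigned() []byte {
	return append(append([]byte{}, b.FleetKeys...), b.CFSig...)
}

// Digest is the assumed identifier under which the audit log records a bundle.
func (b Bundle) Digest() [32]byte {
	return sha256.Sum256(b.cfSigned())
}

// VerifyBundle returns nil only if both signatures verify and the bundle is logged.
func VerifyBundle(b Bundle, cfPub, metaPub ed25519.PublicKey, auditLog map[[32]byte]bool) error {
	switch {
	case !ed25519.Verify(cfPub, b.FleetKeys, b.CFSig):
		return errors.New("cloudflare signature invalid")
	case !ed25519.Verify(metaPub, b.cfSigned(), b.MetaSig):
		return errors.New("meta counter-signature invalid")
	case !auditLog[b.Digest()]:
		return errors.New("bundle missing from audit log")
	}
	return nil
}

// NewSignedBundle builds a constructed sample bundle from throwaway keys.
func NewSignedBundle(keys []byte, cfPriv, metaPriv ed25519.PrivateKey) Bundle {
	b := Bundle{FleetKeys: keys, CFSig: ed25519.Sign(cfPriv, keys)}
	b.MetaSig = ed25519.Sign(metaPriv, b.cfSigned())
	return b
}

func main() {
	cfPub, cfPriv, _ := ed25519.GenerateKey(nil)
	metaPub, metaPriv, _ := ed25519.GenerateKey(nil)
	b := NewSignedBundle([]byte("constructed-fleet-keys"), cfPriv, metaPriv)
	fmt.Println(VerifyBundle(b, cfPub, metaPub, map[[32]byte]bool{b.Digest(): true}))
}
```

The check fails closed: a bundle with substituted fleet keys, a counter-signature from any key other than the expected one, or no audit-log entry is rejected before a session is established.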

How does Meta ensure transparency in HSM fleet deployment?

Meta is committed to demonstrating that its HSM fleet operates as designed and that the company cannot access users’ encrypted backups. To achieve transparency, Meta now publishes evidence of the secure deployment of each new HSM fleet on its engineering blog. These deployments are infrequent—typically every few years—but each comes with documentation and logs that users can verify independently. By following the audit steps outlined in the whitepaper, users can confirm that no unauthorized changes or backdoors exist in the fleet.

How can users verify the security of new HSM fleets?

Users can verify the security of new HSM fleets by following the audit process detailed in Meta’s whitepaper, “Security of End-To-End Encrypted Backups.” The verification steps involve checking the published evidence of secure deployment, including signed validation bundles from Cloudflare and Meta. Additionally, users can examine Cloudflare’s audit logs for each validation bundle. This process ensures that the fleet’s public keys are genuine and that the HSMs operate in a tamper-resistant environment, providing independent assurance that Meta cannot bypass encryption.