Does iCloud Backup of my iPhone include the Vault encryption key from local iOS keychain + encrypted Vault?

I noticed the Bitwarden app on my iPhone is included in my iCloud Backup, which is taking up 9.9MB. That makes me think it includes the encrypted Vault (i.e., it’s not just the user preference settings that are backed up). I understand that “encryption key is persisted in the iOS keychain” and from what I can tell the iCloud Backup of my phone includes that encryption key – I took a look at the Bitwarden mobile repo on GitHub, and it looks like Bitwarden for iOS uses Xamarin’s SecureStorage API with the default SecAccessible property, which is AfterFirstLock (i.e., it’s included in iCloud Backup and it can be restored even to a different device, unlike, e.g., AfterFirstUnlockThisDeviceOnly).

I read that iCloud Backups are not end-to-end encrypted (i.e., Apple can access the content). E.g., here and here. If Apple can access my iCloud Backup of my iPhone, does that also mean Apple can technically access all my passwords?

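To make the keychain attribute in the question concrete, here is an added example (written for this page; it is not Bitwarden's code and not taken from the mobile repo). It uses the Xamarin.iOS `Security` bindings to store a secret with an explicit accessibility class and then reads the class back, which is the check to run when auditing whether a key can be restored to another device. The service and account names, the `KeychainDemo` class, and the random 32-byte "key" are placeholders assumed for the demo.

```csharp
// Added example, not Bitwarden's code. Assumes a Xamarin.iOS project.
using System;
using System.Security.Cryptography;
using Foundation;
using Security;

public static class KeychainDemo
{
    const string Service = "com.example.vaultdemo";   // placeholder service name
    const string Account = "vault-encryption-key";    // placeholder account name

    // Write (or overwrite) a generic-password keychain item with the given
    // accessibility class. The *ThisDeviceOnly classes are wrapped with a
    // device-bound key, so the item does not migrate when a backup is
    // restored to a different device; the plain AfterFirstUnlock class does.
    public static SecStatusCode Store(byte[] secret, SecAccessible accessible)
    {
        var existing = new SecRecord(SecKind.GenericPassword)
        {
            Service = Service,
            Account = Account,
        };
        // ItemNotFound on first run is expected; any other failure is surfaced below.
        SecKeyChain.Remove(existing);

        var record = new SecRecord(SecKind.GenericPassword)
        {
            Service = Service,
            Account = Account,
            ValueData = NSData.FromArray(secret),
            Accessible = accessible,
        };
        return SecKeyChain.Add(record);
    }

    // Read the item back and return the accessibility class the keychain
    // actually recorded. Auditing this value (rather than trusting a library
    // default) answers "can this key leave the device in a backup?".
    public static SecAccessible? InspectAccessibility()
    {
        var query = new SecRecord(SecKind.GenericPassword)
        {
            Service = Service,
            Account = Account,
        };
        var found = SecKeyChain.QueryAsRecord(query, out SecStatusCode status);
        if (status != SecStatusCode.Success || found == null)
            return null;
        return found.Accessible;
    }

    public static void Demo()
    {
        // Placeholder secret for the demo; a real app would store a derived key here.
        var secret = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(secret);

        // Weak setting for a key that should never leave this device:
        // restorable to another device from a backup.
        var weak = Store(secret, SecAccessible.AfterFirstUnlock);
        Console.WriteLine($"AfterFirstUnlock store: {weak}, stored as {InspectAccessibility()}");

        // Hardened setting: the item is bound to this device and is not
        // restored onto a different one.
        var hardened = Store(secret, SecAccessible.AfterFirstUnlockThisDeviceOnly);
        Console.WriteLine($"ThisDeviceOnly store: {hardened}, stored as {InspectAccessibility()}");
    }
}
```

If an app goes through Xamarin.Essentials instead of the raw bindings, the iOS-only `SecureStorage.DefaultAccessible` property selects the class used for every `SecureStorage.SetAsync` call; setting it to `SecAccessible.AfterFirstUnlockThisDeviceOnly` before the first write is the equivalent of the hardened branch above. Whichever path is used, the `InspectAccessibility` query is the thing to trust, since it reports what the keychain holds rather than what the code intended.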

Hi @bwuser12 - thanks for raising the concern! I confirmed with the engineering team that all is well.

Apple keychains are actually E2EE (End to End Encrypted) - so any data that persists is unavailable to Apple (or anyone else with the iCloud data)