Engineering at Meta2026年5月1日

How Meta Is Strengthening End-to-End Encrypted Backups

7.2Score

用这条生成生成视频方案 Markdown AI 摘要

How Meta Is Strengthening End-to-End Encrypted Backups

AI 深度提炼

采用基于设备硬件特征的密钥派生函数（HKDF）强化备份密钥生成
新增设备绑定机制，防止跨设备恢复他人备份数据
实现服务端不可见的密钥轮换流程，降低长期密钥暴露风险

#Meta#端到端加密#WhatsApp#安全架构#密钥管理

打开原文

How Meta Is Strengthening End-to-End Encrypted Backups - Engineering at Meta

[![Image 1: Engineering at Meta](https://engineering.fb.com/wp-content/themes/code-fb-com/img/logo-meta.svg)](https://engineering.fb.com/ "Engineering at Meta")

Search this site !Image 2

[Open Source](http://engineering.fb.com/2026/05/01/security/meta-strengthening-end-to-end-encrypted-backups/# "Open Source")
[Open Source](https://engineering.fb.com/category/open-source/ "Open Source")
[Meta Open Source](https://opensource.fb.com/ "Meta Open Source")

[Platforms](http://engineering.fb.com/2026/05/01/security/meta-strengthening-end-to-end-encrypted-backups/# "Platforms")
[Android](https://engineering.fb.com/category/android/ "Android")
[iOS](https://engineering.fb.com/category/ios/ "iOS")
[Web](https://engineering.fb.com/category/web/ "Web")

[Infrastructure Systems](http://engineering.fb.com/2026/05/01/security/meta-strengthening-end-to-end-encrypted-backups/# "Infrastructure Systems")
[Core Infra](https://engineering.fb.com/category/core-infra/ "Core Infra")
[Data Infrastructure](https://engineering.fb.com/category/data-infrastructure/ "Data Infrastructure")
[DevInfra](https://engineering.fb.com/category/developer-tools/ "DevInfra")
[Production Engineering](https://engineering.fb.com/category/production-engineering/ "Production Engineering")
[Security & Privacy](https://engineering.fb.com/category/security/ "Security & Privacy")
[Research Publications](https://research.facebook.com/publications/research-areas/systems-infrastructure/ "Research Publications")

[Physical Infrastructure](http://engineering.fb.com/2026/05/01/security/meta-strengthening-end-to-end-encrypted-backups/# "Physical Infrastructure")
[Connectivity](https://engineering.fb.com/category/connectivity/ "Connectivity")
[Data Center Engineering](https://engineering.fb.com/category/data-center-engineering/ "Data Center Engineering")
[Networking & Traffic](https://engineering.fb.com/category/networking-traffic/ "Networking & Traffic")
[Research Publications](https://research.facebook.com/publications/research-areas/networking-connectivity/ "Research Publications")

[Video Engineering & AR/VR](http://engineering.fb.com/2026/05/01/security/meta-strengthening-end-to-end-encrypted-backups/# "Video Engineering & AR/VR")
[Video Engineering](https://engineering.fb.com/category/video-engineering/ "Video Engineering")
[Virtual Reality](https://engineering.fb.com/category/virtual-reality/ "Virtual Reality")
[Research Publications](https://research.facebook.com/publications/research-areas/augmented-reality-virtual-reality/ "Research Publications")

[Artificial Intelligence](http://engineering.fb.com/2026/05/01/security/meta-strengthening-end-to-end-encrypted-backups/# "Artificial Intelligence")
[ML Applications](https://engineering.fb.com/category/ml-applications/ "ML Applications")
[AI Research](https://engineering.fb.com/category/ai-research/ "AI Research")
[Research Publications](https://ai.facebook.com/results/?content_types%5B0%5D=publication "Research Publications")

[Watch Videos](http://engineering.fb.com/videos "Watch Videos")

POSTED ON MAY 1, 2026 TO Production Engineering, Security & Privacy

How Meta Is Strengthening End-to-End Encrypted Backups

By [Evan Smoot](https://engineering.fb.com/author/evan-smoot/ "Posts by Evan Smoot"), [Guy Lewin](https://engineering.fb.com/author/guy-lewin/ "Posts by Guy Lewin"), [Antonio Martin](https://engineering.fb.com/author/antonio-martin/ "Posts by Antonio Martin"), [Kevin Koh](https://engineering.fb.com/author/kevin-koh/ "Posts by Kevin Koh")

The HSM-based Backup Key Vault

Meta’s HSM-based Backup Key Vault provides the foundation for end-to-end encrypted backups for WhatsApp and Messenger. The system allows people to protect their backed-up message history with a recovery code, ensuring that the recovery code is stored in tamper-resistant hardware security modules (HSMs) and is inaccessible to Meta, cloud storage providers, or any third party. The vault is deployed as a geographically distributed fleet across multiple datacenters, providing resilience through majority-consensus replication.

Late last year, we made it easier to end-to-end encrypt your backups using passkeys, and now we continue to strengthen the underlying infrastructure that protects password-based end-to-end encrypted backups with two updates: over-the-air fleet key distribution for Messenger and a commitment to publishing evidence of secure fleet deployments.

Over-the-Air Fleet Key Distribution

To verify the authenticity of the HSM fleet, clients validate the fleet’s public keys before establishing a session. In WhatsApp, these keys are hardcoded into the application. To support Messenger — where new HSM fleets need to be deployed without requiring an app update — we built a mechanism to distribute fleet public keys over the air as part of the HSM response. Fleet keys are delivered in a validation bundle that is signed by Cloudflare and counter-signed by Meta, providing independent cryptographic proof of their authenticity. Cloudflare also maintains an audit log of every validation bundle. The full validation protocol is described in our whitepaper, “Security of End-To-End Encrypted Backups.”

More Transparent Fleet Deployment

Transparency in the deployment of our HSM fleet is essential to demonstrating that the system operates as designed and that Meta cannot access users’ encrypted backups. We will now publish evidence of the secure deployment of each new HSM fleet on this blog page, further cementing our leadership in the space of secure encrypted backups. New fleet deployments are infrequent — typically no more than every few years — and we are committed to demonstrating to our users that each new fleet is deployed securely, which any user can verify by following the steps in the Audit section of our whitepaper.

Read the Whitepaper

For the complete technical specification of the HSM-based Backup Key Vault, read the full whitepaper, “Security of End-To-End Encrypted Backups.”

Open Source

Meta believes in building community through open source technology. Explore our latest projects in Artificial Intelligence, Data Infrastructure, Development Tools, Front End, Languages, Platforms, Security, Virtual Reality, and more.

Learn More

![Image 25: Meta](https://about.facebook.com/)

Engineering at Meta is a technical news resource for engineers interested in how we solve large-scale technical challenges at Meta.

To help personalize content, tailor and measure ads and provide a safer experience, we use cookies. By clicking or navigating the site, you agree to allow our collection of information on and off Facebook through cookies. Learn more, including about available controls: Cookie Policy

问问这篇内容

回答仅基于本篇材料

Skill 包

领域模板，一键产出结构化笔记

论文精读包
把一篇论文 / 技术博客精读成结构化笔记：问题、方法、实验、批判、延伸阅读。
- · TL;DR（1 段）
- · 研究问题与动机
- · 方法概览
投融资雷达包
把一条融资 / 创投新闻整理成投资人视角的雷达卡：交易要点、判断、竞争格局、风险、尽调清单。
- · 交易要点（公司 / 轮次 / 金额 / 投资人 / 估值，材料未明示则写 “未披露”）
- · 投资 thesis（这家公司为什么值得关注）
- · 竞争格局与替代方案

导出到第二大脑

支持 Notion / Obsidian / Readwise

下载 Markdown（Obsidian 直接拖入）

How Meta Is Strengthening End-to-End Encrypted Backups

How Meta Is Strengthening End-to-End Encrypted Backups - Engineering at Meta

[![Image 1: Engineering at Meta](https://engineering.fb.com/wp-content/themes/code-fb-com/img/logo-meta.svg)](https://engineering.fb.com/ "Engineering at Meta")

How Meta Is Strengthening End-to-End Encrypted Backups

The HSM-based Backup Key Vault

Over-the-Air Fleet Key Distribution

More Transparent Fleet Deployment

Read the Whitepaper

Share this:

Read More in Security & Privacy

Related Posts

Related Positions

Available Positions

Technology at Meta

Open Source

问问这篇内容

Skill 包

论文精读包

投融资雷达包

导出到第二大脑