Encrypted WhatsApp Backups in 5m

*it might take more than 5 minutes, but it is worth it anyway.

Why should I care?

I know your first reaction to this title: “Isn’t WhatsApp already E2E-encrypted and stuff?”. It is. That’s nice and all. But WhatsApp messages are also stored in backup files, and there are two kinds of these: local encrypted backups and cloud backups.

As long as your chats are stored in the default WhatsApp backup files, they are stored nice and safe. Since they are encrypted, only whoever has the key to these files may access your chat messages.

But here is the thing: your chat messages are not only backed up in these encrypted files. WhatsApp also asks you to upload all messages to a cloud service. On Apple that is iCloud. On Android it is Google Drive. And these cloud backups are effectively plain text as far as the cloud provider is concerned, even the iCloud ones: they are not covered by WhatsApp’s end-to-end encryption. That means any institution with access to the data stored at Google or Apple may easily read all your messages. This of course also includes Google and Apple themselves. (WhatsApp has since added an optional end-to-end encrypted cloud backup, announced in 2021; where your version offers it, turning that on is the simpler fix. It did not exist when this was written.)

Side note: this tutorial unfortunately does not work on iOS. Sorry.

What can I do about that?

On Android, WhatsApp automatically and unconditionally keeps the last 7 days of local backups on your phone. These files are encrypted by default. This happens even when you have turned off the “Backup to Google Drive” option. This tutorial is a short guide on how to set up your phone so that these local backups are automatically copied to a cloud service of your choosing. That way the cloud only ever holds encrypted files, and access to your personal data becomes more difficult.

Setting up encrypted Backups

In my case, I use Nextcloud on my Raspberry Pi to keep a copy of the local backups from my Android 8.0.0 phone. This should however work with any cloud service that offers something like the “auto upload” function provided by Nextcloud. I am glad for any comments on other cloud services.

  1. Open “WhatsApp” on your phone and navigate to “Settings” -> “Chats” -> “Chat Backup” to disable Google Drive Backups (set the frequency to “Never”)
  2. Find your local backup folder. This will be either “Internal Storage/WhatsApp/Databases” or “sdcard/WhatsApp/Databases”. Check that this folder contains files named msgstore-YYYY-MM-DD.db.crypt12
  3. Install the Nextcloud App on your phone and set it up for your host
  4. Inside the Nextcloud App, navigate to “Settings” -> “Auto upload” -> “Set up a custom folder”. The source folder on your phone will be exactly the folder you found in step 2.
  5. You’re done!

Congratulations, you now have automatic, truly encrypted backups of your chats. Please verify that the chat backup files you found in step 2 are actually being uploaded (the first upload might take some time).

Restoring encrypted Backups

Once in a while, phones die tragic deaths. That’s why we do backups. If your phone has met such a fate, proceed as below BEFORE installing or opening WhatsApp for the first time on your newly set up phone.

  1. Create the folder “Internal Storage/WhatsApp/Databases” or “sdcard/WhatsApp/Databases” (depending on where the files were stored before)
  2. Place the msgstore-YYYY-MM-DD.db.crypt12 files inside this folder
  3. Start WhatsApp. Make sure that it tells you it has found local backups! If it doesn’t (and instead wants to check Google Drive for a backup), abort and repeat step 1 with the other folder

Is my data safe now?

At least more than it was before. Technically, your backup files are encrypted, so a simple data leak at your cloud provider should not directly leak all your messages. It will leak encrypted files that are useless without a decryption key. This is a clear advantage over the completely unencrypted backup on Google Drive.

However, note what the restore procedure above implies. It works, yet at no point did we copy a key: we copied only encrypted files, which need that key for decryption. The key has to come from somewhere when the backup is restored, and the most plausible explanation is that WhatsApp keeps a copy on its own servers and hands it back once the phone number has been re-verified. In other words, anyone with access to those WhatsApp servers (or who can pass the verification for your number) can also read your messages if they get their hands on your chat backups.

Still, a third party would need to obtain the key for your messages from WhatsApp before being able to read anything, which adds a real additional layer of protection to your chats. If you are really concerned with privacy though, you should consider switching to a different messenger.

A note on Nextcloud encryption

If you upload data to a Nextcloud instance, all of it lies around on the server unencrypted again. Nextcloud more or less only provides a nice web interface for a part of the server’s file system.

If you want to add an additional layer of security to your uploaded data, you may therefore choose to either encrypt the whole file system or enable Nextcloud’s native server-side file encryption. Keep in mind what each protects against: both cover a stolen or discarded disk, but since the keys live on the same server, neither helps much against someone who has compromised the running server itself.

A note on storage usage

As you may have noticed during the process or after a few days, WhatsApp timestamps its backups. Locally, backups older than 7 days are automatically deleted by WhatsApp. This is however not necessarily the case for your uploaded copies (it depends on whether you synchronize or merely back up the files). So, after a while, they may clog up all your free storage.

My personal workaround is to delete excess backups: once more than 10 backups have accumulated in my backup folder, the oldest ones are removed. Be slightly careful when setting this up with a custom script. A carelessly written script that deletes “the ten oldest files” instead of “everything beyond the ten newest” will leave you with no backup at all once only ten files remain.

This is rather simple to achieve with Nextcloud on a personal Raspberry Pi. I wrote a small bash script and created a cronjob for it that runs every day. The script is shown below (make sure to update the path for your installation).

#! /bin/bash
# Keep the 10 newest WhatsApp backups in the synced folder and delete the rest.
BACKUP_DIR=/path/to/nextcloud/backup/Whatsapp/Databases
KEEP=10

if [ -d "$BACKUP_DIR" ]
then
  cd "$BACKUP_DIR" || exit 1
  # ls -t lists newest first (-p marks directories so they can be dropped).
  # tail -n +$((KEEP+1)) starts at entry KEEP+1, so only backups beyond the
  # newest KEEP reach rm; with KEEP or fewer files nothing is deleted at all.
  ls -tp | grep -v '/$' | grep '^msgstore-' | tail -n +$((KEEP + 1)) | xargs -r -I {} rm -- {}
fi

A note on the Signal messenger

The Signal messenger also creates local backups. Very local. To store these on a cloud service as well, the same steps as above can be taken. The path to the Signal backup files is “Internal Storage/Signal/Backups” and the files are named signal-YYYY-MM-DD-HH-MM.backup. Take this into account when adapting the above bash script to delete excess Signal backups (replace “msgstore-” with “signal-”).
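The retention script above orders files by modification time and is tied to one file-name prefix. The following is an added example, not code from the original post: it generalises the same idea into a function that takes the directory, the prefix and the number of backups to keep, orders by the date embedded in the file name (both WhatsApp’s msgstore-YYYY-MM-DD… and Signal’s signal-YYYY-MM-DD-HH-MM… names sort chronologically as plain strings, so a sync client resetting mtimes cannot confuse it), refuses to delete anything when the retention count or fewer files exist, and offers a dry run. It assumes GNU-style find with -maxdepth and bash; the demo directory and file names at the bottom are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original post. Prunes dated messenger backups by
# the timestamp in the file name, keeping the newest KEEP files.
# Assumed name patterns: msgstore-YYYY-MM-DD*.db.crypt12 (WhatsApp) and
# signal-YYYY-MM-DD-HH-MM.backup (Signal); zero-padded dates sort correctly.

# prune_backups DIR PREFIX KEEP [dry]
#   Deletes every regular file in DIR whose name starts with PREFIX, except the
#   KEEP newest by name. With a 4th argument "dry", only reports what it would
#   delete. Never deletes anything when KEEP or fewer matching files exist.
prune_backups() {
  local dir="$1" prefix="$2" keep="$3" mode="${4:-delete}"
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
  [ "$keep" -ge 1 ] 2>/dev/null || { echo "KEEP must be a number >= 1" >&2; return 1; }

  local f
  # List bare names, newest (lexically largest) first; tail skips the KEEP newest.
  find "$dir" -maxdepth 1 -type f -name "${prefix}*" \
    | sed 's#.*/##' \
    | sort -r \
    | tail -n +"$((keep + 1))" \
    | while IFS= read -r f; do
        if [ "$mode" = dry ]; then
          echo "would delete: $dir/$f"
        else
          rm -- "$dir/$f"
        fi
      done
}

# count_backups DIR PREFIX: number of matching files, to check the result.
count_backups() {
  find "$1" -maxdepth 1 -type f -name "${2}*" | wc -l | tr -d ' '
}

# Demo on a constructed temporary directory with 12 WhatsApp and 12 Signal
# backup names (empty files); safe to run anywhere.
demo_prune() {
  local tmp d
  tmp="$(mktemp -d)"
  for d in 01 02 03 04 05 06 07 08 09 10 11 12; do
    : > "$tmp/msgstore-2019-03-$d.1.db.crypt12"
    : > "$tmp/signal-2019-03-$d-02-00.backup"
  done
  prune_backups "$tmp" msgstore- 10          # deletes the two oldest
  prune_backups "$tmp" signal- 3 dry >/dev/null  # reports nine, deletes none
  # prints: 10 12
  echo "$(count_backups "$tmp" msgstore-) $(count_backups "$tmp" signal-)"
  rm -rf "$tmp"
}

demo_prune
```

For the cronjob you would call `prune_backups /path/to/nextcloud/backup/Whatsapp/Databases msgstore- 10` and `prune_backups /path/to/nextcloud/backup/Signal/Backups signal- 10` (paths are placeholders for your installation), running each once with `dry` first to see what would go.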

Also note that Signal asks you to store a key safely when you enable local backups. Since Signal does not share this key with anyone, and since it is needed to decrypt your backups, you should really make sure that this key is stored safely. I myself noted it down on a piece of paper and put it next to important documents.

2 thoughts on “Encrypted WhatsApp Backups in 5m”

  1. Jan Fecht

    Another alternative to nextcloud that I have been using recently is using borgbackup with termux + termux tasker + tasker to create encrypted backups of the internal storage on a regular basis.
    With borgbackup I am creating a backup on my raspberry pi via SSH (you need to be able to reach your pi for this though. One solution is to use Intents to start and stop a VPN profile using the https://f-droid.org/de/packages/de.blinkt.openvpn/ app). The pi has cloud storage mounted at the location of the backup. With tasker I can run the borgbackup script on a regular basis. The cool thing about borgbackup is that it supports incremental backups and you can delete old backups in a smart fashion (for example so that you only have one backup from a year ago, 4 backups in the last 6 months, 4 backups of the last month…).
