Now that Apple is asking us to entrust our address books, calendars, files, photos, music and more to iCloud, many Mac and iOS users might be asking the question: “Is it safe?” Chris Foresman over at Ars Technica looked into the security of iCloud and concluded that “The simple answer is that your data is at least as safe as it is when stored on any remote server, if not more so.”
All of your data is transmitted to and from Apple’s servers in an encrypted format, using Secure Sockets Layer (SSL) via WebDAV, IMAP, and HTTP. And all of the data is encrypted on disk on Apple’s servers — except for email and notes. Email isn’t encrypted, according to Foresman, for performance reasons that include features like searching messages on the server. That’s something that Mail.app and Apple’s servers do very well. Notes are currently synced on Mac OS X via Mail, but with OS X 10.8 Mountain Lion adding a separate Notes app, encryption may finally come to your private Notes.
Apple didn’t tell Ars exactly what methods they use to encrypt data on disk, but Foresman believes that they’re using “some type of file-system encryption that is decrypted on the fly when requested from an authenticated device or computer.” OS X may be using the PBKDF2 (Password-Based Key Derivation Function 2) standard recommended by the National Institute of Standards and Technology, and if this is also being used to generate the secure tokens for accessing iCloud, then your data is very safe.
How safe? Foresman notes that “Assuming Apple is generating keys that are more than 64 bits in length, the chances of someone brute-forcing the key and decrypting the data within a lifetime are slim to none.”
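The key-length estimate above, worked through as an added example (not code from the Ars article or from Apple). The attacker speed, password entropy figures, salt and iteration counts are constructed assumptions, and the example goes slightly beyond the text by showing that a key derived with PBKDF2 is only as hard to search as the password it came from.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_key(password, salt, iterations, key_len=32, hash_name="sha256"):
    """PBKDF2-HMAC: stretch a password into key_len bytes of key material."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen=key_len)

def effective_bits(key_bits, password_entropy_bits, iterations):
    """log2 of the work for the cheaper search: raw key space vs. password space.

    Assumption: one raw key trial costs about the same as one PBKDF2 iteration,
    so each password guess costs `iterations` times as much as a key guess.
    """
    via_password = password_entropy_bits + math.log2(iterations)
    return min(key_bits, via_password)

def expected_years(bits, guesses_per_second):
    """Average search time: half the space is tried before the hit."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    rate = 1e9  # constructed attacker speed, guesses per second
    key = derive_key(b"correct horse", b"constructed-salt", 10_000)
    print("derived 256-bit key:", key.hex())
    # Constructed cases: (label, key bits, password entropy bits, iterations)
    cases = [
        ("random 64-bit key", 64, 64, 1),
        ("random 128-bit key", 128, 128, 1),
        ("128-bit key from a 30-bit password", 128, 30, 10_000),
    ]
    for label, key_bits, pw_bits, iters in cases:
        bits = effective_bits(key_bits, pw_bits, iters)
        print(f"{label}: ~{bits:.1f} bits, {expected_years(bits, rate):.3g} years")
```

At the assumed rate a random 64-bit key takes centuries on average, while a 128-bit key derived from a low-entropy password falls in hours, which is why the password and iteration count matter as much as the key length.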
While Apple’s email service is currently not as secure as the rest of the iCloud services, Foresman does mention that you can use standard S/MIME encryption like PGP to ensure secure email service.