iCloud E2E Sync, Demystified: What Apple Can and Cannot Read About Your Vault

CloudKit Private Database, Advanced Data Protection, envelope encryption — the actual line between "Apple stores your data" and "Apple can read your data". Concrete answers, no marketing fog.

Published: 2026-05-05 · 11 min read

The Question Nobody Wants to Answer Directly

If your password manager syncs through iCloud, here is the question every privacy-conscious user asks first:

"Can Apple read my passwords?"

The honest answer is conditional, and depends on three things:

  1. What CloudKit storage tier the app uses (Public, Private, Shared)
  2. Whether the app encrypts before upload or relies on Apple's encryption
  3. Whether the user has Advanced Data Protection (ADP) enabled on their Apple ID

This article walks through what Apple actually sees in each case, what ByteGuard does specifically, and where the "Apple cannot read" boundary genuinely sits.

CloudKit Storage Tiers

Apple's CloudKit framework offers three storage scopes:

TierWho can readEncrypted at rest by AppleEnd-to-end encrypted
Public DatabaseAll users of the appYes (TLS + AES at rest)No
Private DatabaseOnly the iCloud userYesDefault: No. With ADP: Yes for most fields. With per-field encryption: Yes.
Shared DatabaseOwner + invited usersYesSame as Private + sharing keys

"Encrypted at rest by Apple" means: Apple's storage servers encrypt the bytes on disk. But Apple holds the encryption keys. Apple's internal staff with proper authorization can decrypt the data. So can a court order, NSL, or any legal process compelling Apple to disclose.

"End-to-end encrypted" means: the data is encrypted with a key only the user holds. Apple stores ciphertext. Apple cannot decrypt — not for staff, not for courts.

Tech Note

This is the actual difference behind the iCloud Private Database default vs Advanced Data Protection. ADP, launched in iOS 16.2, raises most iCloud data classes from "Standard Protection" (Apple holds keys) to "Advanced" (only user holds keys). But ADP is opt-in, off by default, and not all iCloud data classes are eligible.

What ByteGuard Does

ByteGuard chooses the strongest setting regardless of whether the user has ADP on. The strategy:

  1. Use CloudKit Private Database (per-user scope, never Public)
  2. Encrypt every sensitive field with AES-256-GCM on the device before handing to CloudKit
  3. Use a per-vault Vault DEK (Data Encryption Key) wrapped by a KEK derived from the Master Password + Secret Key (never uploaded to Apple)
  4. Upload only ciphertext to CloudKit. Apple sees blobs.
ByteGuard sync data flow
Plaintext entry
→
Item Key (HKDF)
→
AES-256-GCM
→
CloudKit Private DB

This is what's called application-layer encryption: we don't trust Apple's transport or at-rest encryption to do the security work. We do it ourselves before the data ever leaves the device.

Why Not Just Rely on ADP?

Three reasons:

  1. ADP is off by default. Apple's own data shows the majority of users haven't enabled it. We can't make security depend on a setting most people don't change.
  2. ADP doesn't cover everything. Even with ADP, some metadata stays in Standard Protection (Apple holds keys): iCloud Mail, Contacts, Calendar. Apple can theoretically extend this list at any time.
  3. Belt and suspenders. If a future iOS bug temporarily downgrades ADP, our app-layer encryption is unaffected. The Vault DEK never enters Apple's keyring.

What Apple Can See, Concretely

Even with our app-layer encryption, Apple still sees:

  • Record metadata: which iCloud user owns the record, when it was created, when it was last modified, the record type ("Login" vs "Card" vs "Note"), the record size
  • Sync timestamps: roughly when you added/edited entries
  • The fact that you use the app: ByteGuard is a registered CloudKit container; Apple knows you use it (via your Apple ID)
  • Ciphertext blobs: indistinguishable from random bytes without the Vault DEK

Apple cannot see:

  • Your Master Password or Secret Key (never uploaded)
  • The Vault DEK (only the wrapped form lives in CloudKit, and the unwrapping KEK is local-only)
  • Any field content: usernames, passwords, URLs, notes, custom fields, TOTP secrets
  • Tag names, folder names, item titles (these are also encrypted as fields)

So a leaked Apple iCloud database, a court order, a rogue Apple insider — none of them get plaintext logins. They get ciphertext blobs and timestamps.

"But Wait — You Upload the Wrapped DEK to iCloud?"

Yes. This is the most-asked question about envelope encryption, so let's address it head-on.

Yes, the wrapped Vault DEK (Vault DEK encrypted by KEK) lives in CloudKit. That's how multi-device sync works — when you install ByteGuard on a second iPhone, it pulls the wrapped DEK from CloudKit, asks you for the Master Password + Secret Key locally, derives the KEK, and unwraps the DEK.

The question: "Doesn't this mean Apple has the Vault DEK?"

The answer: No, because Apple doesn't have the KEK.

Tech Note

The Vault DEK in CloudKit is wrapped with AES-256-GCM using the KEK as the key. The KEK is derived as HKDF-SHA256(MasterKey, info="vault-kek-v1") where MasterKey = Argon2id(MasterPassword + SecretKey, salt). None of MasterPassword, SecretKey, MasterKey, or KEK ever touches CloudKit. All four are derived on-device, used to unwrap, then zeroed.

An attacker who steals just the wrapped DEK has to brute-force the KEK. To brute-force the KEK, they have to brute-force the Master Password + Secret Key. The Secret Key alone is 128-bit random — that's 2¹²⁸ candidate KEKs. AES-256-GCM with a wrong key fails GCM authentication, so the attacker can't even tell when they've guessed right without trying — they have to do a full Argon2id derivation per guess.

This is why envelope encryption with a separate KEK is the same architectural pattern 1Password, Bitwarden, ProtonMail, Signal, and every other end-to-end encrypted system uses. The wrapped key being on the server is fine if the wrapping is strong.

What Changes If the User Has ADP

If the user has Advanced Data Protection enabled, Apple itself also can't decrypt the wrapped DEK from their side, because CloudKit Private Database under ADP is end-to-end encrypted at Apple's layer too.

So with ADP on, Apple effectively can't read either:

  • Our app-layer ciphertext (we never gave them keys)
  • The CloudKit storage layer (ADP encrypts that)

This is "double encryption" — Apple cooperating with our model rather than working around it. Recommended.

Without ADP, Apple's CloudKit layer is decryptable by Apple, but they only see our ciphertext blobs. Same security guarantee from the user's perspective, just one fewer layer of defense in depth.

Comparison: How Other Password Managers Handle iCloud Sync

ProductiCloud syncApp-layer encryptionApple-readable?
Apple KeychainNative (own pipeline, not CloudKit)iCloud Keychain uses E2E encryption with circle-of-trust device keysNo (per Apple Platform Security Guide)
1PasswordOptional (own servers + iCloud option historically)Yes (Secret Key + envelope)No
BitwardenOwn servers (or self-host)Yes (PBKDF2/Argon2id + envelope)N/A — doesn't use Apple servers
ByteGuardiCloud Private DatabaseYes (Argon2id + envelope, app-layer AES-256-GCM)No — only ciphertext blobs visible to Apple

Key Takeaways

  • "iCloud sync" doesn't automatically mean "Apple can read it". The app architecture matters more than the storage backend.
  • ByteGuard does app-layer AES-256-GCM before upload, regardless of whether the user has ADP. ADP is a bonus, not a requirement.
  • The wrapped DEK in CloudKit is a 32-byte ciphertext blob. Apple has it; without the KEK (which Apple never sees), it's useless.
  • Apple can see metadata: record type, timestamps, sync events, that you use the app. Apple cannot see content.
  • If you enable ADP on your Apple ID, you get a second independent layer of E2E encryption. Belt and suspenders — recommended for high-threat-model users.

The exact key derivation, IV handling, and per-item key separation are documented step-by-step in the Security Whitepaper.

Download ByteGuard on the App Store