All you need to know about end-to-end encryption in WhatsApp (2025 guide)

WhatsApp locks every personal chat, call, photo, and video with end-to-end encryption (E2EE). Only you and the person you talk to hold the cryptographic keys, so nobody in the middle, including WhatsApp, can read or listen.

Sounds great. The only problem is that your cloud backup stays outside that shield until you switch on E2EE for backups. This guide walks you through turning it on, checking that it works, protecting your keys, and fixing common hiccups.

What is end-to-end encryption in WhatsApp?

End-to-end encryption ensures that only you and the person you’re communicating with can read or listen to what is sent. No one else can access your messages, not even WhatsApp. When you send a message, it gets encrypted on your device and can only be decrypted on the recipient’s device.The most important thing to know is that you don’t need to do anything to turn on E2EE for chats. WhatsApp enables it automatically for everyone. When you send a message, WhatsApp encrypts it using the recipient’s public key before it leaves your device. The message travels encrypted to WhatsApp’s servers, which act as relays but can’t decrypt the content. When the message reaches the recipient’s device, it’s decrypted using their private key. (WhatsApp uses E2EE for group chats as well, though the encryption mechanism is a bit more complex due to multiple participants.)

WhatsApp uses the Signal Protocol, widely regarded as one of the most secure encryption protocols for messaging. It generates unique encryption keys for each conversation, and in practice, even for each message.

Enabling end-to-end encrypted backups on Google Drive or iCloud

While your live chats are automatically encrypted, the backups of your chat history stored in the cloud are a different story. By default, backups you save to Google Drive or Apple’s iCloud are not protected by WhatsApp’s end-to-end encryption.

The cloud providers offer their own security, but for complete privacy, you can and should enable E2EE for your backups. This gives your saved chat history the same level of protection as your sent messages.

Activating this feature is straightforward:

1. Tap the three vertical dots > Settings > Chats > Chat backup.
   
2. Tap End-to-end encrypted backup and tap Create.
   
3. Choose Create password (as we did in this tutorial) or Use 64-digit encryption key instead and tap Next.
   
4. Tap Create to create your end-to-end encrypted backup.

Note for iPhone users: If you use iCloud Backup for your entire iPhone, enabling WhatsApp’s E2EE backup will automatically exclude your WhatsApp chat history from the device backup. This is a security measure to prevent your private key from being stored unencrypted in iCloud.

A word of caution: if you lose your phone and forget your password or key, WhatsApp can’t help you recover your backup. The key is stored only with you, making your backup inaccessible without it. This is a direct trade-off for having complete control over the security of your data.

How to verify that your WhatsApp chats are encrypted

While WhatsApp’s encryption is automatic, you can add another layer of security by verifying your connection with a contact using a security code. This process confirms that your messages and calls are going to the right person and that the connection has not been compromised by a third party. Here’s how to do it:

1. Open the chat you want to check. Tap the contact’s name > Encryption. You will see an option to Scan a QR code or Compare a 60-digit number.
   
2. Scan each other’s QR codes or compare the digits over a trusted call. Matching codes confirm both of you hold the right keys.
   

How to keep your encryption key secure

When you enable end-to-end encrypted backups, you are responsible for keeping your password or 64-digit key safe. Here’s how you can protect your password or key.

Choosing a strong password for your encrypted backup

If you choose a password to protect your backup, make it a strong one. Avoid common words, personal information like birthdays or names, and simple patterns. A strong password should be long, at least 12 characters, and contain a mix of uppercase letters, lowercase letters, numbers, and symbols. Most importantly, use a password that you don’t use for any other website or application.

Where and how to safely store your key

If you opt for the 64-digit encryption key, you must store it somewhere safe. Write the 64-digit key on paper and store it in a secure location that only you can access. Better yet, add the password to a reputable password manager.

Never share your encryption key or password with anyone else. This key is what protects your backup from unauthorized access.

Entering the wrong key or password five times locks further attempts until a waiting period passes. If you want to change the password but forget the old one, you can turn off encrypted backups, set a new password, and then create a fresh backup.

Tip: Store the 64-digit key in ExpressVPN Keys, the password manager included with every ExpressVPN plan. Keys encrypts your vault on your device before anything syncs, so only you can read what’s inside.

Troubleshooting end-to-end encryption

Most of the time, WhatsApp’s encryption works silently in the background. But some users may have questions or run into issues, especially with the encrypted backup feature. Here are solutions to some common problems.

Why can’t I turn on encryption?

You do not need to. E2EE for personal messages and calls is always on by default and cannot be turned off. The only feature you need to enable manually is the end-to-end encrypted backup.

What to do if your backup isn’t encrypting

If activating E2EE backup fails, first check that you have a stable internet connection. The initial backup can use a lot of data. Second, ensure you have the latest version of WhatsApp. Finally, try restarting your phone to clear any temporary glitches. If the problem persists, you can turn the feature off and then on again.

How to recover encrypted chats on a new phone

Install WhatsApp, verify your number, and then enter the backup password or key when prompted. You cannot restore on linked devices such as WhatsApp Web; recovery must happen on the phone that owns the number.

Other privacy and security settings you should switch on

E2EE is the foundation of WhatsApp’s security, but you can add extra layers of protection, such as enabling 2FA, fingerprint or Face ID lock, etc. A great place to start is the Privacy Checkup feature, which guides you through your options.

1. Find it in Settings > Privacy > Privacy checkup.
   
2. Then work through the options displayed there one by one.
   

Controlling who can add you to groups

Manage who can add you to groups to prevent unknown people from adding you to unwanted groups.

1. Tap Settings > Privacy > Groups.
   
2. Select one of the following options: Everyone, My contacts, or My contacts except…
   

Selecting “My contacts” strikes a good balance between convenience and privacy, as it prevents anyone not in your address book from adding you. If someone not in your contacts tries to add you to a group, they'll receive an invitation option instead. You have three days to accept the invitation before it expires.

Protect IP address in calls

For added privacy during calls, WhatsApp offers a feature to conceal your IP address from the person you are calling.

Normally, to get the best call quality, WhatsApp creates a direct peer-to-peer connection between you and your contact. Although it’s efficient, this direct link can make your IP address (which contains information about your general location) visible to the other party.

When you enable this setting, WhatsApp relays all your calls through its servers, replacing your IP address with that of the server. But this is a direct trade-off between privacy and performance; while your location information is protected, you may notice a decrease in call quality.

Tip: You can get the same result with a VPN and more. ExpressVPN hides your real IP address across every app on your device. This keeps your location (and IP address) private during calls, as the person you’re calling only sees the VPN exit IP. It also protects your data when you’re browsing the web or using other services.