Guide 2025-06-08 · 4 min read

Encrypted backups are better, actually.

A small, counterintuitive truth about iPhone backups: ticking the "Encrypt local backup" box gives you more data to recover later, not less. Here's why — and what the encryption is actually doing under the hood.

When people see the word encrypted next to a backup option, the instinct is to assume it means more protection and less access. As in: if I encrypt this, I'll lock myself out of my own stuff.

It's the opposite. Encrypted iPhone backups contain more data than unencrypted ones, on purpose. Apple treats the encryption password as a signal that you're serious about controlling your data, and rewards that signal by including sensitive categories it otherwise withholds.

What you get only when encrypted

The list of data that appears in encrypted backups and is absent from unencrypted ones:

If you've ever set up a new iPhone and had to re-enter every Wi-Fi password at every friend's house, that's why: your last backup was unencrypted, so Wi-Fi credentials were missing from it.

What the encryption is actually doing

When you tick "Encrypt local backup" and set a password, iOS does the following (simplified; the real scheme has more moving parts):

  1. Derives a key from your password using PBKDF2, a key-stretching algorithm that hashes your password millions of times to make brute-force attacks slow. On recent iOS versions this is PBKDF2-SHA256 with 10,000,000 iterations.
  2. Generates a random per-file key for every file in the backup.
  3. Wraps each per-file key with the password-derived key, using AES key-wrap.
  4. Writes the wrapped keys into Manifest.plist alongside the metadata.
  5. Encrypts the file contents with the per-file keys using AES.

The important property: the password never leaves your computer. Neither the phone nor Apple nor OpenExtract stores it anywhere. The password is only used to derive keys at the moment you open the backup.
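
The five steps above, and the point that the password is only used to derive keys when the backup is opened, sketched end to end with Node.js's built-in crypto module. This is an added example, not Apple's or OpenExtract's code: it follows the simplified model on this page (per-file keys wrapped directly by the password-derived key), and the salt, the CBC mode with a random IV, and all function names are assumptions.

```javascript
// Added illustration of the simplified scheme; not Apple's or OpenExtract's code.
const crypto = require('crypto');

const WRAP_IV = Buffer.alloc(8, 0xa6); // default initial value from RFC 3394

// Step 1: stretch the password into a 256-bit key-encryption key (KEK).
// The salt parameter is an assumption: PBKDF2 requires one, the page does not describe it.
function deriveKek(password, salt, iterations = 10_000_000) {
  return crypto.pbkdf2Sync(password, salt, iterations, 32, 'sha256');
}

// Steps 2-5 for one file: random per-file key, AES key-wrap, AES on the contents.
function encryptFile(kek, plaintext) {
  const fileKey = crypto.randomBytes(32);
  const wrap = crypto.createCipheriv('id-aes256-wrap', kek, WRAP_IV);
  const wrappedKey = Buffer.concat([wrap.update(fileKey), wrap.final()]);
  const iv = crypto.randomBytes(16); // CBC with a random IV is this sketch's choice
  const enc = crypto.createCipheriv('aes-256-cbc', fileKey, iv);
  const ciphertext = Buffer.concat([enc.update(plaintext), enc.final()]);
  return { wrappedKey, iv, ciphertext }; // only wrappedKey, never fileKey, is stored
}

// Opening the backup: re-derive the KEK, unwrap the file key, decrypt.
// Returns null when the KEK (and so the password) is wrong.
function decryptFile(kek, { wrappedKey, iv, ciphertext }) {
  let fileKey;
  try {
    const unwrap = crypto.createDecipheriv('id-aes256-wrap', kek, WRAP_IV);
    fileKey = Buffer.concat([unwrap.update(wrappedKey), unwrap.final()]);
  } catch {
    return null; // key-wrap's built-in integrity check rejected the KEK
  }
  const dec = crypto.createDecipheriv('aes-256-cbc', fileKey, iv);
  return Buffer.concat([dec.update(ciphertext), dec.final()]);
}

// Constructed sample data; iterations lowered so the demo finishes instantly.
function demo(iterations = 10_000) {
  const salt = crypto.randomBytes(20);
  const stored = encryptFile(deriveKek('long-passphrase-2025', salt, iterations),
    Buffer.from('ssid=HomeNet psk=example'));
  const right = decryptFile(deriveKek('long-passphrase-2025', salt, iterations), stored);
  const wrong = decryptFile(deriveKek('long-passphrase-2026', salt, iterations), stored);
  return { recovered: right.toString(), wrongPassword: wrong };
}

console.log(demo());
```

With the default iteration count each `deriveKek` call is deliberately slow, and every password guess pays that same cost.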

The password protects the data, not the tool

A common misunderstanding: people think "I need a tool that supports encrypted backups" means the tool holds some special decryption capability. It doesn't. Any tool that supports encrypted iPhone backups works the same way: you type the password, the tool runs the standard PBKDF2 + AES key-wrap derivation Apple documents, and the backup decrypts. The math is identical whether the tool is open source or closed, free or paid.

This matters because it means the security of your data doesn't depend on choosing the right vendor. It depends on choosing a strong password and remembering it. (Which, to be honest, is a much higher bar than most people realize.)

The practical part

Enabling an encrypted backup is two clicks:

Once you've turned encryption on, every future backup from that computer is encrypted with the same password until you turn it off. You don't have to do it again.

The one real tradeoff

There is no recovery. If you forget the password, Apple has no way to reset it, and neither does any third-party tool. We're not able to help you either. (We mean this literally — there is no clever workaround we're holding back. There's no backdoor.)

So: pick a password you will genuinely remember, or write it somewhere permanent. A physical password manager, a notebook in a safe, a key in a sealed envelope. This is the kind of password you'll need in ten years, not next Tuesday.

The one-line takeaway

Tick the box. Pick a password. Write it down. Your future self — the one trying to recover something important from an old backup — will be grateful.

— OpenExtract
