MainspringGuides › Advanced Data Protection
macOS Guide

Turn On Advanced Data Protection for iCloud on Mac

Updated July 2026 · 2 min read

By default, Apple holds encryption keys for most of your iCloud data — convenient for account recovery, but it means Apple could read it and can be compelled to hand it over. Advanced Data Protection flips that: your devices hold the keys, Apple can't. The price is that account recovery becomes entirely your responsibility.

What changes when you turn it on

Standard iCloud already end-to-end encrypts the most sensitive categories — passwords, Health data, Messages in iCloud (mostly; see below). Advanced Data Protection extends end-to-end encryption to the big remaining ones: iCloud Drive, Photos, Notes, Reminders, device backups, Messages backups, Safari bookmarks, Voice Memos, and more — the bulk of what a typical account stores. After the switch, nobody without one of your trusted devices or your recovery method can decrypt that data. Not a hacker who phishes Apple support, not Apple itself, not a subpoena.

Three categories stay conventionally encrypted because they interoperate with global standards: Mail, Contacts, and Calendar. Email has to talk to other mail servers; contacts and calendars sync with other systems. If those need secrecy, that's what other tools are for.

Set up recovery first — Apple can't reset this for you

This is the deal you're signing: with Apple keyless, forgetting your password with no recovery method means the data is gone. Permanently. Apple support can sympathise but not decrypt. So macOS refuses to enable the feature until at least one of these exists:

Set up both if you can. A recovery contact who's moved on plus a key you never printed is how people actually lose libraries.

Turn it on

  1. Update every device signed in to your account — all devices must be on at least macOS 13.1 / iOS 16.2 (or be removed from the account; the setup flow lists offenders).
  2. Open System Settings, click your name, then iCloud.
  3. Scroll to Advanced Data Protection and click Turn On.
  4. Follow the verification of your recovery method, confirm with your Mac's login password, and you're done — encryption keys are removed from Apple's servers.

The day-to-day differences

Almost none, on your devices — apps work identically. The visible change is iCloud.com: web access to your data requires per-session approval from one of your trusted devices, because the browser needs to be handed keys deliberately (you can also disable web access entirely under the iCloud settings). Shared content is protected only when everyone in the share has ADP; a shared album is only as private as its least-protected member. And turning it off is one click on the same screen — your devices upload the keys back to Apple and standard protection resumes, so the decision isn't irreversible in either direction.

Security settings, minus the spelunking

Mainspring surfaces the Mac's privacy and security switches — along with 90+ other hidden macOS settings — as labelled, reversible toggles you can act on in one sitting.

Try Mainspring free →

Signed & notarized by Apple · 1-day free trial · $29 once