I'm looking for guidance on using CloudKit end-to-end encryption for an app I'm building. I'd like to offer the same strong privacy guarantees many Apple services offer, but it seems these may rely on private CloudKit APIs.
As the Apple Platform Security guide explains (https://support.apple.com/guide/security/cloudkit-end-to-end-encryption-sec3cac31735/web):
"Many Apple services, listed in the Apple Support article iCloud security overview, use end-to-end encryption with a CloudKit Service Key protected by iCloud Keychain syncing. For these CloudKit containers, the key hierarchy is rooted in iCloud Keychain and therefore shares the security characteristics of iCloud Keychain—namely, the keys are available only on the user’s trusted devices, and not to Apple or any third party."
Talk of a CloudKit Service Key makes it sound like this uses a built-in encryption feature.
That seems to be confirmed by this remark in an academic paper on CloudKit architecture (CloudKit: Structured Storage for Mobile Applications, can't include a link to a PDF apparently):
"CloudKit supports encrypted field values, available in the private database."
While I could generate a key on the device and store it in iCloud Keychain to safely share it with the user's other trusted devices, that means I'd have to manually encrypt and decrypt CKRecord fields and attachment data, losing type-safety in the process. It seems doable, but I'm wondering whether I'm missing anything and if there isn't an easier and possibly more efficient and secure built-in way to implement this.
I asked a similar question about this last year, but I was hoping someone from Apple wants to chime in now that the forums have become more active again.
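The manual approach described in the post, as an added example that is not the poster's or Apple's code: a key kept in a synchronizable keychain item, and one string field sealed with CryptoKit AES-GCM before it goes into the CKRecord. The keychain service and account names, the error type and the function names are hypothetical, and binding the record name and field name as associated data is a design choice made for this sketch.

```swift
import CloudKit
import CryptoKit
import Foundation
import Security

enum FieldCryptoError: Error { case keychain(OSStatus), sealFailed, notData, notUTF8 }

// Hypothetical keychain identifiers chosen for this example.
let keyQuery: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: "com.example.app.record-key",
    kSecAttrAccount as String: "field-encryption-v1",
    kSecAttrSynchronizable as String: true,  // sync through iCloud Keychain
]

/// Returns the 256-bit field key, creating and storing it on first use.
func loadOrCreateKey() throws -> SymmetricKey {
    var query = keyQuery
    query[kSecReturnData as String] = true
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecSuccess, let data = item as? Data { return SymmetricKey(data: data) }
    guard status == errSecItemNotFound else { throw FieldCryptoError.keychain(status) }
    let key = SymmetricKey(size: .bits256)
    var add = keyQuery
    add[kSecValueData as String] = key.withUnsafeBytes { Data($0) }
    let addStatus = SecItemAdd(add as CFDictionary, nil)
    guard addStatus == errSecSuccess else { throw FieldCryptoError.keychain(addStatus) }
    return key
}

/// Associated data ties a ciphertext to one record and field, so a blob
/// copied into another record or field fails authentication on open.
func aad(_ record: CKRecord, _ field: String) -> Data {
    Data("\(record.recordID.recordName)|\(field)".utf8)
}

func setEncrypted(_ text: String, field: String, on record: CKRecord, key: SymmetricKey) throws {
    let box = try AES.GCM.seal(Data(text.utf8), using: key, authenticating: aad(record, field))
    guard let blob = box.combined else { throw FieldCryptoError.sealFailed }
    record.setObject(blob as NSData, forKey: field)  // nonce || ciphertext || tag
}

func decryptedString(field: String, from record: CKRecord, key: SymmetricKey) throws -> String {
    guard let blob = record.object(forKey: field) as? Data else { throw FieldCryptoError.notData }
    let box = try AES.GCM.SealedBox(combined: blob)
    let plain = try AES.GCM.open(box, using: key, authenticating: aad(record, field))
    guard let text = String(data: plain, encoding: .utf8) else { throw FieldCryptoError.notUTF8 }
    return text
}
```

Fields stored this way are opaque bytes to the server, so they cannot be used in query predicates or sort descriptors. Two devices that both run `loadOrCreateKey()` before the keychain item has synced can each create a key, so first-run key creation needs its own reconciliation step.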