



End-to-end (E2E) encryption for meetings

Overview

End-to-end (E2E) encryption for meetings is now available. Account owners and admins can enable end-to-end encryption for meetings, providing additional protection when needed. Enabling end-to-end encryption for meetings requires all meeting participants to join from the Zoom desktop client, mobile app, or Zoom Rooms.

Enabling this setting also disables the following features: join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions.

Users will not be able to join by telephone, SIP/H.323 devices, on-premise configurations, or Lync/Skype clients, as these endpoints cannot be encrypted end to end. Zoom web client and third-party clients leveraging the Zoom SDK are also not supported at launch.


Prerequisites

  • Zoom desktop client
    • Windows: 5.4.0 or higher
    • macOS: 5.4.0 or higher
    • Linux: 5.4.0 or higher
  • Zoom mobile app
    • Android: 5.4.0 or higher
    • iOS: 5.4.0 or higher
  • Zoom Rooms for Conference Room
    • PC: 5.2.2 or higher
    • macOS: 5.2.2 or higher
    • Appliances: 5.2.2 or higher

Zoom web client and third-party clients leveraging the Zoom SDK are not currently supported. Users will not be able to join by telephone, SIP/H.323 devices, on-premise configurations, or Lync/Skype clients, as these endpoints cannot be encrypted end to end.

Free accounts can use end-to-end encryption, but will need to have a valid billing option associated with their account and verify their phone number.
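An admin can check a client inventory against these prerequisites before making E2EE mandatory. The following is an added example, not Zoom code; the inventory row format, the endpoint labels and the sample rows are assumptions made for illustration.

```python
import re

# Minimum client versions, copied from the Prerequisites list on this page.
MIN_VERSION = {("desktop", p): (5, 4, 0) for p in ("windows", "macos", "linux")}
MIN_VERSION.update({("mobile", p): (5, 4, 0) for p in ("android", "ios")})
MIN_VERSION.update({("zoom_rooms", p): (5, 2, 2) for p in ("pc", "macos", "appliance")})
# Endpoint kinds the page says cannot join an E2EE meeting (labels are hypothetical).
UNSUPPORTED = {"telephone", "sip_h323", "on_premise", "lync_skype", "web_client", "sdk"}

def parse_version(text):
    """Return (major, minor, patch) as ints so that 5.10.0 sorts above 5.4.0."""
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text or "")
    if match is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.groups())

def e2ee_status(kind, platform=None, version=None):
    """Classify one inventory row against the prerequisites."""
    if kind in UNSUPPORTED:
        return "unsupported-endpoint"
    minimum = MIN_VERSION.get((kind, platform))
    if minimum is None:
        return "unknown-client"
    try:
        return "ready" if parse_version(version) >= minimum else "upgrade-required"
    except ValueError:
        return "unparseable-version"

def blockers(inventory):
    """Return {name: status} for every row that would keep a user out of an E2EE meeting."""
    result = {}
    for name, kind, platform, version in inventory:
        status = e2ee_status(kind, platform, version)
        if status != "ready":
            result[name] = status
    return result

# Constructed sample inventory (names and versions are made up for illustration).
SAMPLE = [
    ("alice-laptop", "desktop", "windows", "5.4.0"),
    ("bob-laptop", "desktop", "macos", "5.10.1"),  # a plain string compare would rank this below 5.4.0
    ("carol-phone", "mobile", "android", "5.3.2"),
    ("boardroom", "zoom_rooms", "appliance", "5.2.2"),
    ("lobby-sip", "sip_h323", None, None),
]
```

Calling `blockers(SAMPLE)` lists only the rows that need an upgrade or cannot join at all.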

Firewall and proxy server settings

3.138.115.0/27
44.242.143.128/27
Port 443
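To confirm that an egress allowlist actually covers both ranges on port 443, the check below can be run against an export of the firewall rules. It is an added example, not part of the original article; the `(cidr, port_low, port_high)` rule format and the sample rules are assumptions, as is reading the ranges above as destinations that must be allowed outbound.

```python
import ipaddress

# Destination ranges and port listed under "Firewall and proxy server settings".
REQUIRED_NETS = [ipaddress.ip_network("3.138.115.0/27"),
                 ipaddress.ip_network("44.242.143.128/27")]
REQUIRED_PORT = 443

def uncovered(allow_rules):
    """Return the required ranges that the allow rules do not fully cover on port 443.

    allow_rules is a list of (cidr, port_low, port_high) tuples, a hypothetical
    export format for egress allow rules.
    """
    matching = []
    for cidr, port_low, port_high in allow_rules:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 4 and port_low <= REQUIRED_PORT <= port_high:
            matching.append(net)
    # Merge adjacent rules so two /28 entries count as the /27 they add up to.
    merged = list(ipaddress.collapse_addresses(matching))
    return [str(req) for req in REQUIRED_NETS
            if not any(req.subnet_of(allowed) for allowed in merged)]

# Constructed sample rules for illustration.
SAMPLE_RULES = [
    ("3.138.115.0/28", 443, 443),     # first half of the first range
    ("3.138.115.16/28", 443, 443),    # second half: together they cover the /27
    ("44.242.143.128/28", 443, 443),  # only half of the second range
    ("44.242.143.128/27", 80, 80),    # right range, wrong port: ignored
]
```

With the sample rules the second range is reported as uncovered, because only half of it is allowed on port 443.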

Enabling end-to-end encryption for meetings

Because end-to-end encryption is in technical preview and disables several other features, we recommend using E2E only for meetings where additional protection is needed. After enabling E2E, you can choose your default encryption type.

Account

To enable End-to-end (E2E) encrypted meetings for all users in the account:

  1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
  2. In the navigation panel, click Account Management then Account Settings.
  3. Click the Meeting tab.
  4. Under Security, verify that Allow use of end-to-end encryption is enabled.
  5. If the setting is disabled, click the toggle to enable it. If a verification dialog displays, click Turn On to verify the change.
  6. (Optional) If you want to make this setting mandatory for all users in your account, click the lock icon, and then click Lock to confirm the setting.
  7. Under Security, choose the default encryption type.
  8. Click Save.
    Note: Because of the limitations of E2E, we recommend using Enhanced encryption as the default encryption type and using end-to-end encryption for meetings where additional protection is required.

Group

To enable End-to-end (E2E) encrypted meetings for a group of users:

  1. Sign in to the Zoom web portal as an admin with the privilege to edit groups.
  2. In the navigation panel, click User Management then Group Management.
  3. Click the applicable group name from the list, then click the Settings tab.
  4. Click the Meeting tab.
  5. Under Security, verify that Allow use of end-to-end encryption is enabled.
  6. If the setting is disabled, click the toggle to enable it. If a verification dialog displays, click Turn On to verify the change.
    Note: If the option is grayed out, it has been locked at the account level and needs to be changed at that level.
  7. (Optional) If you want to make this setting mandatory for all users in the group, click the lock icon, and then click Lock to confirm the setting.
  8. Under Security, choose the default encryption type.
  9. Click Save.
    Note: Because of the limitations of E2E, we recommend using Enhanced encryption as the default encryption type and using end-to-end encryption for meetings where additional protection is required.

User

To enable End-to-end (E2E) encrypted meetings for your own use:

  1. Sign in to the Zoom web portal.
  2. In the navigation panel, click Settings.
  3. Click the Meeting tab.
  4. Under Security, verify that Allow use of end-to-end encryption is enabled.
  5. If the setting is disabled, click the toggle to enable it. If a verification dialog displays, click Turn On to verify the change.
    Note: If the option is grayed out, it has been locked at either the group or account level. You need to contact your Zoom admin.
  6. Under Security, choose the default encryption type.
  7. Click Save.
    Note: Because of the limitations of E2E, we recommend using Enhanced encryption as the default encryption type and using end-to-end encryption for meetings where additional protection is required.

Using end-to-end encryption for meetings

Once you’ve joined the meeting, check for the green shield icon in the upper left corner of the meeting window.

The meeting host can also read the security code aloud and the participants can verify that their codes match.

Frequently asked questions

How does Zoom provide end-to-end encryption?
Zoom’s E2EE offering uses public key cryptography. In short, the keys for each Zoom meeting are generated by participants’ machines, not by Zoom’s servers. Encrypted data relayed through Zoom’s servers is indecipherable by Zoom, since Zoom’s servers do not have the necessary decryption key. This key management strategy is similar to that used by most end-to-end encrypted messaging platforms today.

When would I use E2EE?
E2EE is best for when you want enhanced privacy and data protection for your meetings, and is an extra layer to mitigate risk and protect sensitive meeting content. While E2EE provides added security, some Zoom functionality is limited in this first E2EE version (more on that below). Individual Zoom users should determine whether they need these features before enabling this version of E2EE in their meetings.

Do I have access to all the features of a regular Zoom meeting?
Not right now. Enabling this version of Zoom’s E2EE in your meetings disables certain features, including join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions.

Do free Zoom users have access to end-to-end encryption?
Yes. Free and paid Zoom accounts joining from Zoom’s desktop client or mobile app, or from a Zoom Room, can host or join an E2EE meeting.

How is this different from Zoom’s enhanced GCM encryption?
Zoom meetings and webinars by default use AES 256-bit GCM encryption for audio, video, and application sharing (i.e., screen sharing, whiteboarding) in transit between Zoom applications, clients, and connectors. In a meeting without E2EE enabled, audio and video content flowing between users’ Zoom apps is not decrypted until it reaches the recipients’ devices. However, the encryption keys for each meeting are generated and managed by Zoom’s servers. In a meeting with E2EE enabled, nobody except each participant – not even Zoom’s servers – has access to the encryption keys being used to encrypt the meeting.

How do I verify that my meeting is using end-to-end encryption?
Participants can look for a green shield logo in the upper left corner of their meeting screen with a padlock in the middle to indicate their meeting is using E2EE. It looks similar to our GCM encryption symbol, but the checkmark is replaced with a lock.

Participants will also see the security code that they can use to verify the secure connection. The host can read this code out loud, and all participants can check that their clients display the same code.

How will you continue to provide a safe and secure platform?
Zoom’s top priority is the trust and safety of our users, and our implementation of E2EE will allow us to continue to enhance safety on our platform. Free/Basic users seeking access to E2EE will participate in a one-time verification process that will prompt the user for additional pieces of information, such as verifying a phone number via text message. Many leading companies perform similar steps to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our work with human rights and children’s safety organizations and our users’ ability to lock down a meeting, report abuse, and a myriad of other features made available as part of our security icon — we can continue to enhance the safety of our users.

What is the rest of the timeline for E2EE?
We plan to roll out better identity management and E2EE SSO integration as part of Phase 2, which is tentatively roadmapped for 2021.