Using Customer Managed Key

The Customer Managed Key service allows organizations to provide and manage their own encryption keys for certain customer content stored in the Zoom Cloud. The organization manages these keys in Amazon Web Services Key Management Service (AWS KMS), so the applicable content stored in the Zoom Cloud is encrypted with keys that the organization controls.

The following types of content are protected by Customer Managed Key:

  • Meeting/Webinar recordings and archives, including associated transcripts and in-meeting chat texts
  • User calendar tokens and Zoom Room calendar tokens
  • Microsoft Teams tokens

Prerequisites for using Customer Managed Key

  • Zoom desktop client
    • Windows: 5.7.6 or higher
    • macOS:  5.7.6 or higher
    • Linux: 5.7.6 or higher
  • Zoom mobile client 
    • Android: 5.7.6 or higher
    • iOS:  5.7.6 or higher
  • Zoom Enterprise account
  • Administrator access to AWS account
  • Administrator access to the Zoom web portal

How to set up your AWS account           

To set up your AWS account, sign up at https://aws.amazon.com/ 

Where to create an AWS KMS key

Create your KMS key in the same AWS region where your Zoom account data is configured to reside. By default this is the US East (N. Virginia) region, us-east-1.

How to configure Customer Managed Key in AWS

The AWS KMS keys that you create are considered Customer Managed Keys. Customer Managed Keys are KMS keys in your AWS account that you create, own, and manage. Before you get started with Customer Managed Key service in the Zoom cloud, follow the steps below:

  1. Create a KMS key with the following configuration:
    • Key type: Symmetric
    • Key usage: Encrypt and decrypt
    • Key material origin: KMS
    • Regionality: Multi-Region key
  2. Replicate the KMS key to other AWS regions you wish to host the key in, for redundancy. 
  3. Configure the key policy and IAM (Identity and Access Management) policy appropriately in every AWS region that hosts the key, to specify who may access it: copy the template below into the AWS console and edit it for your account.

Configuring your key’s policy

In order to configure your key’s policy, go to the Customer Managed Key page in the Encryption Keys section of the AWS KMS management console. The first time you edit the generated key policy, you have to click Switch to policy view in order to see and edit the JSON representation. 

Editing the JSON allows you to do the following:

  • Allow-list the Zoom Key Broker AWS account number
  • Specify which AWS KMS methods are permitted

Note: Confirm with your Zoom representative the Zoom Key Broker account number to allow-list for your account, and replace YOUR_AWS_ACCOUNT_NUMBER with your own AWS account number.

This is an example template of a key policy that you could customize to meet your organization's needs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::409910850980:root"
                ]
            },
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*"
        }
    ]
}

The first statement is the standard key-policy entry that lets the IAM policies in your own AWS account govern the key. The second statement grants the Zoom Key Broker account only the operations listed (decrypt, describe, and data-key generation); it does not grant kms:Encrypt, key administration, or grant operations, and because it names the broker account's root, that account's own IAM policies further restrict which principals there can use it. If this statement is missing or names the wrong account number, the key is unreachable to Zoom (see Limitations).

Once you set up replication of your key to another region, the key policy is copied to the replica, but thereafter you need to make policy changes for each region separately.
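Because the replicas' key policies diverge after replication, it is worth checking each regional key against the configuration the steps above require before enrolling it with Zoom. The script below is an added example, not Zoom's or AWS's own code: build_key_policy emits the article's template, and audit_key checks a key's DescribeKey metadata and its key policy for the required key type, usage, origin, regionality, enabled state, and the broker statement. The Zoom Key Broker account number is the one shown in the template; the sample metadata and the account number 111122223333 are constructed for the example.

```python
"""Audit a KMS key (and each regional replica) against this article's requirements.

Added example, not Zoom's or AWS's own code. ZOOM_KEY_BROKER_ACCOUNT is the
account number from the article's template; SAMPLE_METADATA is constructed so
the script runs offline.
"""
import json

ZOOM_KEY_BROKER_ACCOUNT = "409910850980"
BROKER_ARN = f"arn:aws:iam::{ZOOM_KEY_BROKER_ACCOUNT}:root"
# The only operations the article's template grants the Zoom Key Broker.
BROKER_ACTIONS = {"kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*"}


def build_key_policy(your_aws_account: str) -> str:
    """Return the article's key-policy template as a JSON string for kms:PutKeyPolicy."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {   # Standard statement: your account's IAM policies govern the key.
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{your_aws_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Zoom Key Broker: decrypt / describe / data-key generation only.
                "Effect": "Allow",
                "Principal": {"AWS": [BROKER_ARN]},
                "Action": sorted(BROKER_ACTIONS),
                "Resource": "*",
            },
        ],
    }
    return json.dumps(policy, indent=4)


def _as_list(value):
    """IAM allows a single string or a list in Principal/Action fields."""
    return value if isinstance(value, list) else [value]


def audit_key(metadata: dict, policy_json: str) -> list:
    """Return findings (an empty list means the key matches the article's requirements).

    metadata: the "KeyMetadata" object returned by kms:DescribeKey.
    policy_json: the "Policy" string returned by kms:GetKeyPolicy (name "default").
    """
    findings = []
    checks = {
        "KeySpec": ("SYMMETRIC_DEFAULT", "key is not symmetric"),
        "KeyUsage": ("ENCRYPT_DECRYPT", "key usage is not ENCRYPT_DECRYPT"),
        "Origin": ("AWS_KMS", "key material origin is not KMS"),
        "KeyState": ("Enabled", "key is not in the Enabled state"),
    }
    for field, (expected, message) in checks.items():
        if metadata.get(field) != expected:
            findings.append(message)
    if not metadata.get("MultiRegion"):
        findings.append("key is not a multi-Region key")

    granted = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else [principal])
        if "*" in aws_principals:
            findings.append("a statement names the wildcard principal '*'")
            continue
        if BROKER_ARN not in aws_principals:
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") == "Deny":
            findings.append(f"explicit Deny for the Zoom Key Broker on {sorted(actions)}")
        else:
            granted |= actions
    if not granted:
        findings.append("no Allow statement for the Zoom Key Broker account")
    elif "kms:*" in granted:
        findings.append("Zoom Key Broker is granted kms:*, broader than the template")
    else:
        for action in sorted(BROKER_ACTIONS - granted):
            findings.append(f"Zoom Key Broker is missing {action}")
        for action in sorted(granted - BROKER_ACTIONS):
            findings.append(f"Zoom Key Broker has extra permission {action}")
    return findings


# Constructed sample of kms:DescribeKey output for one replica (not real data);
# multi-Region key IDs begin with "mrk-".
SAMPLE_METADATA = {
    "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
    "Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
    "KeySpec": "SYMMETRIC_DEFAULT",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "AWS_KMS",
    "MultiRegion": True,
    "KeyState": "Enabled",
}

if __name__ == "__main__":
    policy = build_key_policy("111122223333")
    print("findings:", audit_key(SAMPLE_METADATA, policy) or "none")
```

To audit real keys, fetch the two inputs per region with boto3: `boto3.client("kms", region_name=region).describe_key(KeyId=arn)["KeyMetadata"]` and `.get_key_policy(KeyId=arn, PolicyName="default")["Policy"]`, and run audit_key for every replica ARN you plan to enroll. The audit flags a wildcard principal and a broker grant of kms:* because both are broader than the template, and it flags a missing kms:GenerateDataKey* because without it Zoom cannot encrypt new content.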

How to assign Customer Managed Key licenses to users

Users with assigned Customer Managed Key licenses will have their data encrypted. 

  1. Sign in to the Zoom web portal.
  2. Click User Management, then Users.
  3. Locate the user(s) you want to assign a license to. Check the box to the left of the user's name, then click the License drop-down.
  4. Click Zoom Customer Managed Key, then check the box next to the feature.
  5. Click Save.

How to enroll your keys with Zoom

  1. Sign in to the Zoom web portal.
  2. In the navigation menu, click Account Management then Security.
  3. Under Customer Managed Key, click Create Keyset.
  4. Enter the key information (the ARN of the KMS key) and click Create.
  5. A message will appear displaying the ARNs that will be used for different regions. Click Continue when you are done reviewing. 
  6. Click + Add Services and determine which items will be encrypted. Place a check in the box next to any of the data types / services you want encrypted with your key, then click Add.   
  7. (Optional) Click Users if you still need to assign licenses designating which users’ data will be encrypted.
  8. Click +Add recipient and add the users who will be notified by email if there is a key status change.

How to edit your keyset

  1. Sign in to the Zoom web portal.
  2. In the navigation menu, click Account Management then Security.
  3. Under Customer Managed Key, click Rotate Key.
  4. Add the key information and click Save.

Approaches to managing keys

To learn more about different approaches to managing keys, such as auto key rotation, manual key management, and external HSM key management, see Key management concepts.

Customer Managed Key deprovisioning

  1. If you want to revert to Zoom-managed encryption, schedule a date with your Zoom representative to deprovision this service.
    NOTE: Organizations must keep their key available until the Zoom representative confirms that it can be deactivated.
  2. Your Zoom representative will confirm the deprovisioning dates with our operations team.
  3. Your Zoom representative will let you know once deprovisioning has concluded, so that you can disable your keys.

Limitations

  • Keys are unreachable
    If Zoom cannot reach the customer's KMS key, the functionality that depends on it (for example, recording and playback of recordings) fails. Once Customer Managed Key is enabled, keep one or more KMS keys available to Zoom for encryption and decryption at all times; if a key becomes unreachable, the affected features stop working and Zoom cannot provide support for the resulting failures. To deprovision Customer Managed Key, an administrator must plan a date with a Zoom representative (see Customer Managed Key deprovisioning above).
  • Adding more keys
    After the initial keyset enrollment, keep the enrolled keys accessible so that previously encrypted content can still be decrypted. You can add further KMS keys (for example, replicas in additional regions) through the edit keyset workflow by providing their ARNs. Zoom tests each newly supplied key to confirm it holds the same key material as the keys already enrolled before allowing the workflow to complete.
  • Enrolling new keys
    Once an organization enrolls its KMS keys with Zoom, the supported types of assets are encrypted with customer-supplied keys from that point in time forward. Data that was created preceding key enrollment is still protected using a key that is managed by Zoom. That data is not re-encrypted using customer-supplied keys.
  • Configuring keys
    Always enter the ARNs of KMS keys in descending priority order: the ARN of the primary key first, the ARN of the secondary key second, the ARN of the tertiary key third, and so on.
  • Zoom Phone
    Administrators can configure Zoom Phone to drop calls if encryption/decryption keys are not available for operation.
  • Uploading Recordings
    Users can upload a local recording to the Zoom cloud. Customer Managed Key does not protect these assets.
