Using Customer Managed Key with Azure Key Vault
The Customer Managed Key service allows organizations to provide and manage their own encryption keys for certain customer content stored in the Zoom Cloud. Zoom supports Amazon Key Management Service (KMS), Oracle OCI Vault, or Azure Key Vault. Organizations need to manage the keys with one of these cloud KMS providers. This allows for encryption of applicable content stored in the Zoom Cloud using the keys that the organization controls.
Note: Please refer to our list for more information on all the Zoom services and assets supported with Customer Managed Key.
This article covers:
Prerequisites for using Customer Managed Key
- Zoom desktop client
- Zoom mobile client
- Zoom Enterprise account
- Administrator access to AWS account
- Administrator access to the Zoom web portal
Limitations of Customer Managed Key
- Keys are unreachable
If Zoom cannot access the customer’s KMS key, then the functionality tied to key management, e.g., recording and viewing will fail. Once Customer Managed Key is enabled, it is important to have one or more KMS keys available for Zoom for encryption and decryption. If the organization wishes to deprovision Customer Managed Key, an administrator must work with a Zoom representative to plan a date for the deprovisioning. If the KMS key becomes unreachable, then functionality will be affected and Zoom cannot provide support. - Enrolling new keys
Once an organization enrolls its KMS keys with Zoom, the supported types of assets are encrypted with customer-supplied keys from that point in time forward. Data that was created preceding key enrollment is still protected using a key that is managed by Zoom. That data is not re-encrypted using customer-supplied keys. - Uploading Recordings
Users can upload a local recording to the Zoom cloud. Customer Managed Key does not protect these assets.
Configurable options available through Zoom
Zoom Phone
Administrators can configure Zoom Phone to drop calls if encryption/decryption keys are not available for operation. This option needs to be requested via a Support ticket.
How to use Customer Managed Key with AKV
How to set up your Azure account
To set up AKV, you can either use Azure portal, Azure CLI or Azure Powershell. For specific details you can refer to the Azure key vault configuration guidelines.
Where to create an AKV key
Within the Azure portal, select the Keys on the left, then select + Generate/Import. Ensure that the generated Key Type is RSA.
How to configure Customer Managed Key in AKV
Enter a Name for your key. Select Create to start the deployment.
Select the key and make a note of the key identifier. It is composed of the key value Uri, the key name and the key version. It can be copied into the clipboard and it will be used when you enroll these keys with the Key Broker.
Grant Key Broker access to the customers keyset
We will be using the guidelines provided in the following Azure configuration document.
- Create a service principal with the application ID: b5cc480a-fb7b-421b-9cff-7d366a268531 using the following Azure PowerShell command:
New-AzADServicePrincipal -ApplicationId b5cc480a-fb7b-421b-9cff-7d366a268531 - Grant the Key Broker application access and a user role for accessing the Azure Keys.
- Navigate to your key and select Access control (IAM). Then under the Grant access to this resource section, select Add role assignment.
- Search for and select Key Vault Crypto Service Encryption User.
- Under Members, select User, group or service principal. Search and select Zoom CMK Key Broker.
- Select Review + Assign
How to enroll your keys with Zoom
- Sign in to the Zoom web portal.
- In the navigation menu, click Advanced then Security.
- Under Customer Managed Key, click Add Key.
- Choose Azure Key Vault.
- Enter the Vault URI and key name information and click Add.
- Click + Add Services and determine which items will be encrypted. Place a check in the box next to any of the data types / services you want encrypted with your key, then click Add.
- Click +Add recipient and add the users who will be notified by email if there is a key status change.
How to assign Customer Managed Key licenses to users
Users with assigned Customer Managed Key licenses will have their data encrypted.
- Sign in to the Zoom web portal.
- Click User Management, then Users.
- Locate the user(s) you want to assign a license to. Check the box to the left of the user’s name then click the License drop down.
- Cilck Zoom Customer Managed Key, then check the box next to the Feature.
- Click Save.
How to edit your keyset
- Sign in to the Zoom web portal.
- In the navigation menu, click Advanced then Security.
- Under Customer Managed Key, click Rotate Key.
- Add the key information and click Save.
How to log activity
To monitor how and when your key vaults are accessed, you can leverage Azure Key Vault Logging.
Approaches to managing keys
To learn more about different approaches to managing keys, such as auto key rotation, manual key management, and external HSM key management, see Key management concepts.
Guidelines to help monitor keys
Fallback Control
Access to the customer’s key at all times is critical to create and access any content which has been selected to be secured by CMK. Zoom not only encourages the use of replicated keys, but also supports a global "fallback control" option. If enabled and the customer’s key is not available for any reason, CMK falls back to a Zoom provided backup key for encryption. If the fallback option is not enabled and the customer’s key is not available, content will not be stored. Zoom Phone has specific settings that do not record or drop calls in case the customer’s key is inaccessible and fallback control is not enabled.
Once the customer’s key becomes available again, CMK will re-encrypt all content with the customer’s key.
Customer Managed Key deprovisioning
- If you want to revert to let Zoom manage encryption, schedule a date with your Zoom representative to deprovision this service.
NOTE: Organization’s must keep their key available until the Zoom representative informs them that it can be deactivated. - Your Zoom representative will confirm the deprovisioning dates with our operations team.
- Your Zoom representative will let you know once deprovisioning has concluded, so that you can disable your keys.