Using Customer Managed Key with OCI Vault

The Customer Managed Key service allows organizations to provide and manage their own encryption keys for certain customer content stored in the Zoom Cloud. Zoom supports Amazon Key Management Service (KMS), Oracle OCI Vault, or Azure Key Vault. Organizations need to manage the keys with one of these cloud KMS providers. This allows for encryption of applicable content stored in the Zoom Cloud using the keys that the organization controls.


This article covers:

Prerequisites for using Customer Managed Key

Limitations of Customer Managed Key

Configurable options available through Zoom

Zoom Phone

Administrators can configure Zoom Phone to drop calls if encryption/decryption keys are not available for operation. This option needs to be requested via a Support ticket

How to use Customer Managed Key with OCI

How to set up your OCI account           

To set up your Oracle account, sign up for an Oracle Cloud Account.

Where to create an OCI Vault key

Create a Vault by selecting Identity & Security from the Oracle Cloud Infrastructure Console and then Vault (default selection). Additionally, one can define several options for these keys to support rotation, cross-region backup, etc. as required.

How to configure Customer Managed Key in OCI

The OCI Key Vault keys that you create are considered Customer Managed Keys. Customer Managed Keys are the Key Vault keys in your Oracle account that you create, own, and manage.

Configuring your key’s policy

To configure your key’s policy, it is recommended to create a new compartment for isolation. Only allow Zoom Customer Managed Key (CMK) to access the vault resources under this compartment, and then add the following key policy:

Define tenancy ZoomCMK as OCID: ocid1.tenancy.oc1..aaaaaaaat53ohyp5y7k4fiat6nqjsbt4yycrbqk5uixvut3g3jewutnfplaa

Define group CMKKeyBroker as OCID:

Admit group CMKKeyBroker of tenancy ZoomCMK to use key-family in compartment {config compartment} where any {request.operation='Decrypt',request.operation='GenerateDataEncryptionKey’,request.operation=’Encrypt’}  

For more information on OCI Vault, its policies and other configuration guidelines please refer to their configuration docs.             

How to enroll your keys with Zoom

  1. Sign in to the Zoom web portal.
  2. In the navigation menu, click Advanced then Security.
  3. Under Customer Managed Key, click Add Key.
  4. Choose Oracle Key Vault.
  5. Enter the key information and click Create. Enter the OCID and the cryptographic endpoint  of the OCI Vault key.
  6. A message will appear displaying the OCIDs that will be used for different regions. Click Continue when you are done reviewing. 
  7. Click + Add Services and determine which items will be encrypted. Place a check in the box next to any of the data types / services you want encrypted with your key, then click Add.   
  8. (Optional) Click Users if you still need to assign licenses designating which users’ data will be encrypted.
  9. Click +Add recipient and add the users who will be notified by email if there is a key status change.

How to assign Customer Managed Key licenses to users

Users with assigned Customer Managed Key licenses will have their data encrypted. 

  1. Sign in to the Zoom web portal.
  2. Click User Management, then Users.
  3. Locate the user(s) you want to assign a license to. Check the box to the left of the user’s name then click the License drop down. 
  4. Click Zoom Customer Managed Key, then check the box next to the Feature
  5. Click Save

How to edit your keyset

  1. Sign in to the Zoom web portal.
  2. In the navigation menu, click Advanced then Security.
  3. Under Customer Managed Key, click Rotate Key.
  4. Add the key information and click Save.

How to log activity

To monitor how and when your key vaults are accessed, you can leverage the OCI Cloud Audit Service.

Approaches to managing keys

To learn more about different approaches to managing keys, such as auto key rotation, manual key management, and external HSM key management, see the Oracle Key Management FAQ.

Guidelines to help monitor keys

Fallback Control

Access to the customer’s key at all times is critical to create and access any content which has been selected to be secured by CMK. Zoom not only encourages the use of replicated keys, but also supports a global "fallback control" option. If enabled and the customer’s key is not available for any reason, CMK falls back to a Zoom provided backup key for encryption. If the fallback option is not enabled and the customer’s key is not available, content will not be stored. Zoom Phone has specific settings that do not record or drop calls in case the customer’s key is inaccessible and fallback control is not enabled.

Once the customer’s key becomes available again, CMK will re-encrypt all content with the customer’s key.

Customer Managed Key deprovisioning

  1. If you want to revert to let Zoom manage encryption, schedule a date with your Zoom representative to deprovision this service.
    NOTE: Organization’s must keep their key available until the Zoom representative informs them that it can be deactivated. 
  2. Your Zoom representative will confirm the deprovisioning dates with our operations team.
  3. Your Zoom representative will let you know once deprovisioning has concluded, so that you can disable your keys.