For fault tolerance, we encourage organizations to use a multi-region key (MRK) to replicate the key material across multiple key management system (KMS) instances in some of the data centers in which Zoom operates. Depending on the needs of the organization, key management tasks such as creation and replication, rotation, revocation, and deletion of keys can be handled in three different ways.
Note: See our article if you are looking for a detailed overview of Customer Managed Key.
This option automates most key management tasks with a few initial steps:
If the organization wants to deactivate encryption/decryption, the key can be disabled from the AWS portal or access can be restricted by modifying the IAM access policy.
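As an added illustration of restricting access through the key policy (example code written for this article, not Zoom's or AWS's own tooling), the following simplified evaluator shows why an over-broad key policy leaves Zoom's access indistinguishable from anyone else's, and how adding an explicit Deny for the role Zoom uses deactivates encryption and decryption without touching the key itself. The role ARNs and account ID are placeholders, and the evaluator covers only the Principal/Action/Effect logic relevant here, not full IAM semantics.

```python
import copy
import fnmatch

# Placeholder ARNs (constructed for this example, not real accounts or roles).
ZOOM_ROLE = "arn:aws:iam::111122223333:role/ZoomCmkAccessRole-PLACEHOLDER"
ADMIN_ROLE = "arn:aws:iam::111122223333:role/KeyAdmin-PLACEHOLDER"

# Weak setting: every principal may perform every KMS action on the key.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "kms:*", "Resource": "*"}]}

# Corrected setting: administrators manage the key; Zoom's role may only use it.
RESTRICTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ADMIN_ROLE}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ZOOM_ROLE},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal):
    spec = stmt.get("Principal", {})
    if spec == "*":
        return True
    return any(fnmatch.fnmatchcase(principal, pat) for pat in _as_list(spec.get("AWS", [])))


def key_policy_allows(policy, principal, action):
    """Simplified key-policy evaluation: an explicit Deny wins over any Allow,
    and a request with no matching Allow is denied by default."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, principal):
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def revoke_principal(policy, principal):
    """Deactivate a principal's use of the key by policy edit alone: append an
    explicit Deny, which overrides any Allow that still names the principal."""
    revised = copy.deepcopy(policy)
    revised["Statement"].append({"Effect": "Deny", "Principal": {"AWS": principal},
                                 "Action": "kms:*", "Resource": "*"})
    return revised
```

The same Deny-wins rule means a revoked principal stays locked out even if a later edit reintroduces an Allow for it, which makes the explicit Deny the safer form of deactivation.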
AWS can also automate annual key rotation:
The key's ID and IAM policy stay the same in this case. The prior key material is retained so that assets already encrypted with it can still be decrypted (Customer Managed Key does not re-encrypt existing assets with the new key material).
This automates most key management tasks. However, it does not allow deleting or deactivating specific key material.
For more control, an organization can use manual rotation:
If an organization prefers to generate and back up its own keys, it can set up its own HSM, create an empty multi-region key (MRK) in the primary KMS, and load it with the key material from the organization's HSM. The organization would then load its replicas and activate the key in the same way as with the manual method.