Key management concepts

For fault tolerance, we encourage organizations to use a multi-region key (MRK) to replicate the key material across multiple key management system (KMS) instances in some of the data centers in which Zoom operates. Depending on the needs of the organization, key management tasks such as creation and replication, rotation, revocation, and deletion of keys can be handled three different ways.

Note: See our article if you are looking for a detailed overview of Customer Managed Key. 

This article covers: 

Prerequisites for using customer managed key

How to use auto key management

This option automates most key management task with a few initial steps:

  1. Create a multi-region-key (MRK) key with the initial key material in the key management system (KMS) you plan to use as your primary.
  2. Specify the regions you want AWS to replicate the key to, and choose regions where Zoom is already present.
  3. Configure the IAM access policy for this key in each region/KMS.

If the organization wants to deactivate encryption/decryption, the key can be disabled from the AWS portal or access can be restricted by modifying the IAM access policy.

AWS can also automate annual key rotation:

  1. New key material is created.
  2. Material is automatically replicated to all KMSes.
  3. The new material is activated while the old key material is deactivated (but available for decryption).

The key’s Id and IAM policy stays the same in this case. The prior key material is still maintained to allow for decryption of already encrypted assets (customer managed key does not re-key the assets with the new key).

This automates most key management tasks. It does not allow for key deletion or deactivation of specific key material though.

How to use manual key management

For more control, an organization can use manual rotation:

  1. Organization creates a new multi-region-key (MRK) and replicates it to multiple regions, then sets up the key policy.
  2. Organization updates the Zoom customer managed key configuration to use the Key Id of the new MRK.
  3. Organization revokes encryption access from the old MRK in the AWS portal so that it can only be used for decryption.

How to use external HSM key management

If an organization prefers to generate and backup its own keys, the organization can set up its own HSM, then create an empty multi-region key (MRK) and load it with the organization's HSM key in the primary KMS. The organization would then load its replicas and activate the key the same as the manual method.