Setting up advanced chat encryption

While Team Chat messages in-transit between users and the Zoom cloud are encrypted by default, advanced chat encryption facilitates more secure Zoom Team Chat messaging between Zoom users. By default, Team Chat messages are transmitted between the user's device and the Zoom cloud using TLS 1.2 with Advanced Encryption Standard (AES) 256-bit algorithm with server-side generated keys. With advanced chat encryption enabled, keys are generated by the user’s device and shared only with the other chat participants' devices.

While advanced chat encryption is an extra layer of privacy for your chats, some Team Chat functionality is limited by enabling this setting. Organizations and individual Zoom users should determine whether that functionality is needed before enabling advanced chat encryption. Zoom’s default chat encryption may provide organizations with the level of security to support multiple regulatory compliance frameworks, so advanced chat encryption may not be necessary (and/or recommended) for all customers. This should be used for specific high-security and sensitive-information environments that do not require the full functionality of Team Chat.

With advanced chat encryption enabled, it is possible for messages to be sent and then unrecoverable, due to the encryption keys being deleted upon uninstallation. Since the encryption key is only stored on the devices of recipients, Zoom is also unable to assist with recovery, so it is important for account admins to consider this possibility before enabling.

This article covers:

• Differences when advanced chat encryption is enabled and disabled
• Limitations after enabling advanced chat encryption
  • User
  • Admin
• How to enable advanced chat encryption
• Using advanced chat encryption
  • Troubleshooting failures to decrypt messages

Prerequisites for enabling and using advanced chat encryption

• A Paid Zoom account
• Account owner or admin privileges
• Zoom desktop app for Windows, macOS, or Linux: Global minimum version or higher
• Zoom mobile app for Android or iOS: Global minimum version or higher

Differences when advanced chat encryption is enabled and disabled

By default, Zoom uses TLS to encrypt in-transit Team Chat messages between users and the Zoom Cloud. Zoom also encrypts at-rest Team Chat messages stored within the Zoom Cloud. Advanced chat encryption uses a device generated and stored key to encrypt messages between all users in a chat, and then additionally encrypts these messages in-transit between users and the Zoom Cloud using TLS.

When advanced chat encryption is enabled:

• Data at rest: Chat messages are encrypted with keys generated and operated on chat participants' devices.
• Data in transit: Chat messages are encrypted using a device generated and stored key to encrypt messages between chat participants and also encrypted using TLS in transit between the user and the Zoom cloud.

When advanced chat encryption is disabled:

• Data at rest: Chat messages are encrypted by keys generated and operated by Zoom.
• Data in transit: Chat messages are encrypted using TLS in transit between the user and the Zoom cloud.

Note: Admins can disable ACE for their existing and new chats and channels, allowing users to instantly benefit from additional team chat functionality. When ACE is disabled, new messages sent in existing chats and channels are no longer encrypted via ACE. For existing users who had previously disabled ACE, the existing chats and channels that remained ACE-encrypted are unaffected. Additionally, admins can request to remove ACE from these existing encrypted chats and channels through a support ticket.

Limitations after enabling advanced chat encryption

With advanced chat encryption enabled for your account, users and admins are unable to use certain Team Chat features, including, but not limited to, the following:

User

• Team Chat features: 
  • Send animated GIFs
  • View files/images in the right-side panel (click More Actions  to display this panel)
  • Edit sent messages
  • View message previews in chat notifications
  • Bookmark chat messages
  • See link previews for chat messages with URLs
    Note: Link previews are disabled by default, but can be enabled by admins.
  • Send interactive cards when using a Team Chat App
    Note: Plain text is provided instead of the interactive card.
  • Setting a reminder for messages with advanced encryption
  • Schedule a meeting directly from a Team Chat group chat or channel
  • Archiving messages with a 3rd-party provider
  • 3rd-party file storage integrations
  • Message translation
• Meeting features:
  • Continuous meeting chat

Admin

• View message text in chat history
  Note: Admins can still see:
  • Metadata such as chat participants, file name, size, and the date/time of the message sent
  • Reactions to the messages
  • External messages received if advanced chat encryption is disabled in the external account*

*Note: Inter-account encryption functionality can be contingent upon all chat participants having advanced chat encryption enabled by their account admin. Account admins are unable to see a chat user's message text in chat history where all chat users have advanced chat encryption enabled. When a user does not have this setting enabled, account admins for their account or others may be able to see their message text in chat history, including accounts where the setting is enabled. However, channels or group chats initiated by a user with advanced chat encryption enabled will extend advanced chat encryption to an external user's messages regardless of their settings. Learn more about the effect of Zoom Team Chat settings on inter-account communications.

Note: When advanced chat encryption is enabled, admins can restrict certain file types from being shared. If a user attempts to share a restricted file type, the system will recognize and block or allow the file based on the configured permissions.

How to enable advanced chat encryption

To enable the advanced chat encryption for all members of your organization:

1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
2. In the navigation menu, click Account Management then Account Settings.
3. Click the Team Chat tab.
4. Under Security, click the Enable advanced chat encryption toggle to enable or disable it.
5. If a verification dialog displays, click Enable or Disable to verify the change.
6. (Optional) Select the check box to enable Enable hyperlink preview.
   Note: When generating link previews, the local Zoom app will detect the link in the sender's message before it is encrypted, and the preview will be shared between the sender and recipient. Only URLs are detected and they must begin with http:// or https:// followed by a non-empty space.
7. Click Save to confirm any changes.
   Advanced chat encryption will be applied to all chat messages sent by users on your account. Messages sent before this is enabled, or sent after this is disabled, are unaffected.

Using advanced chat encryption

After enabling advanced chat encryption, chats in the Zoom desktop app and mobile app tab will display a padlock icon to indicate that advanced chat encryption is enabled.

Users will not see the encrypted chat until they open Zoom. Notifications, including those on the lock screen, will state that they have received an encrypted chat message.

Notes:

• When advanced chat encryption is enabled, admins can restrict certain file types from being shared. If a user attempts to share a restricted file type, the system will recognize and block or allow the file based on the configured permissions.
• Admins can disable ACE for their existing and new chats and channels, allowing users to instantly benefit from additional team chat functionality. When ACE is disabled, new messages sent in existing chats and channels are no longer encrypted via ACE. For existing users who had previously disabled ACE, the existing chats and channels that remained ACE-encrypted are unaffected. Additionally, admins can request to remove ACE from these existing encrypted chats and channels through a support ticket.

Troubleshooting failures to decrypt messages

When using advanced chat encryption, there may be situations where a sent message cannot be decrypted and viewed. This is often due to both users not being online at the same time and thus unable to share the key used to decrypt the message.

To resolve such an issue, ensure both users are online, so that the encryption key can be automatically shared between them and the message decrypted.

It is also possible for the encryption key to be lost, resulting in any advanced chat encrypted messages becoming unrecoverable. For instance, if a message is sent but then the recipient uninstalls the Zoom app before the message is decrypted and viewed, then the encryption key that was used to encrypt the message is lost and cannot be recovered. However, chat messages are only lost if all parties with access to the message lose their encryption keys. As long as a party is still online with access to the messages, the other parties can regain their access.