Managing escrow for Device Managed Encryption

Zoom's Device Managed Encryption is designed to protect users' sensitive data by encrypting it with keys only known to the authorized users’ devices. For example, some of the data in Zoom Mail Service and Restricted voicemails is encrypted with this technology. However, as detailed below, there are cases where an account administrator requires access to all of their account users’ data. Escrow allows administrators to recover their users’ data encrypted with Device Managed Encryption without giving the Zoom server access. When this feature is enabled, it requires account members to share their cryptographic keys by encrypting them for a set of designated escrow administrators for their account.

Escrow management can be performed on the Zoom web portal, but most operations (e.g. adding an escrow device, helping a user recover their data, etc.) must be performed on a device that has Zoom installed and is signed in to an account with escrow admin permissions, as these operations will have to be confirmed on the Zoom desktop app.

Learn more about the technical details of this feature in Section 3.8 of the Zoom Cryptography Whitepaper and using Device Managed Encryption.

Requirements for Escrow for Device Managed Encryption

Business or Enterprise account
Account owners and admins with Escrow permissions
For escrow for Restricted voicemails: Zoom Phone plan with a Power Pack license

Important use of escrow
Information for escrow administrators
How to enable Escrow
How Escrow admins can add their devices for Escrow
How to authorize additional Escrow admin devices
- Approve additional Escrow admin devices
How to add additional Escrow admins
How Escrow admins can help users access encrypted data
How admins can access escrowed data

Important use of escrow

There are some scenarios in which escrow may be required. In particular, account administrators often need access to their account’s user data for a variety of reasons:

Some organizations (such as financial) have operational and regulatory obligations to archive communications.
Users might accidentally lose access to all their devices and backup keys, and need a way to recover their encrypted communications.
For business continuity if users leave an organization.

Information for escrow administrators

For the system to function properly and to avoid data loss, escrow administrators must not lose access to their cryptographic keys, as those are necessary to recover their account users’ data. When enabling escrow, IT administrators who act as escrow administrators should make one or more backup keys (as prompted in the user interface). These backup keys can be written on paper, saved in a password manager, or otherwise kept safe. This will allow administrators to regain access to their account (and all the escrowed data) if all the administrator's physical devices are lost.

Note: If backup keys are lost, organizations risk permanently losing escrowed data.

Once escrow is enabled, as the user’s devices are online, the devices will encrypt the user’s cryptographic keys the devices can access for the escrow administrators. Until this happens, the escrow administrators will not have access to this data, even if escrow has been enabled for the account. Where possible, escrow should be enabled before using features, such as Zoom Mail Service or Restricted voicemails, which rely on Device Managed Encryption, so that all the account’s data is automatically backed up and the escrow administrators receive the encryption keys as soon as they are generated.

If escrow is set up after a feature relying on Device Managed Encryption has been in use for a while, there could be gaps in data covered by escrow, resulting in permanent data loss and an inability to fulfill data requests. Administrators are responsible for ensuring that all account users are online using their oldest device to complete this sharing process.

How to enable Escrow

Enabling Escrow for your account allows your authorized admins to have access to the account user’s encryption keys. It is strongly recommended to enable escrow before using features relying on Device Managed Encryption to prevent losing data.

Note: Currently, the escrow feature allows backing up data for products leveraging Device Managed Encryption, such as Restricted voicemails and Zoom Mail Service. To enable it, the account must be using one of those products.

Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
In the navigation menu, click Advanced, then Security.
Under the Security section, under Device Managed Encryption, select the Escrow checkbox.
Note: Once activated, this setting cannot be turned off to avoid potential data loss. If you want to deactivate this policy for your account, contact Zoom Support for assistance.
Select any of the following checkboxes:
- Contact for Escrow device approved: Enter the email addresses of your admin(s) responsible for approving other admins’ devices.
  The system will display a guideline for the newer admins to follow on pending approval devices so they can be approved.
- Contact for users device approved: Enter the email addresses of your admin(s) that users can contact to recover their devices when they are locked out.
  The system will display a guideline for them to follow on devices that don’t have access to email or voicemail to get them approved.
- Allow users to create backup keys: Allow users to create their own backup keys to recover data on their new devices.
  Note: This is selected by default but can be unselected. Only an admin with Escrow access can manage this setting.
Click Save.

Before escrow starts being functional, admins must generate a backup key and enroll the first device. Once this step is completed, users will be prompted to escrow their keys.

How Escrow admins can add their devices for Escrow

To add a device, admins need to sign in to the Zoom desktop app. Approved escrow devices can later be used to recover your users’ data.

Sign in to the Zoom web portal.
In the navigation menu, click Profile.
Under Sign In, click Add My Escrow Device, to add your devices to escrow.
You will be directed to the Zoom desktop app. In the Zoom desktop app, an Escrow Devices & Activity window will appear.
In the Escrow Devices & Activity window, identify your device, then click Save to approve it.
If this is your first escrow device, the New Backup Key window will display.
Note: Users in your account will view the Devices & Activity window when they sign in to their Zoom apps and will need to approve escrow for their devices once it is enabled for your entire account or sites as described in the following sections.
In the New Backup Key window, identify your keys, then click Copy to save them somewhere safe.
Click I saved my backup key.
Note: Escrow devices may be revoked if they are no longer necessary or if there is a potential compromise. It is mandatory to retain at least one unrevoked device per user account.

Notes:

After enabling escrow, admins can securely communicate their public fingerprint (available on the device's screen) to organization users. The same fingerprint will appear on the user's device when it begins the escrow process, and the user should verify that the fingerprints match. This procedure prevents impersonators from pretending to be escrow admins to harvest user data. Note that whenever the admin adds or removes any devices to their account, the fingerprint changes.
Make sure to store your backup keys securely to enable account recovery. Please do so to avoid permanent loss of escrowed data.

The first escrow device is implicitly approved. Subsequent devices would need to be approved by authorizing additional Escrow devices as an admin.

How to authorize additional Escrow admin devices

After escrow is enabled at the account level, users with escrow administrator permissions can add their devices to the set of escrow devices, which can later be used to recover other user’s data. After the first device is enrolled, access can be extended to other devices (also belonging to administrators with the proper permissions) by having one of the existing escrow devices approve/grant access to the new device.

You must sign in to the Zoom web portal to complete this.

Approve additional Escrow admin devices

Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
In the navigation menu, click Advanced, then Security.
Under Escrow, click Escrow Devices & Activity.
Note: You will see a pending notification for devices that need to be approved.
A pop-up window will appear.
In the security verification window, click Send Code.
Verify your email for the code and enter the code in the security verification window, then click Continue.
In the dialog window, click Open zoom.us.
Your Zoom desktop app will open the Escrow Devices & Activity window.
In the Escrow Devices & Activity window, identify the pending device(s), then do one of the following:
- Click Save to approve the device(s).
- Unselect the device(s), then click Save to disapprove.

How to add additional Escrow admins

It is possible to add additional Escrow admins to an account to ensure that multiple escrow admins can be used to retrieve data or devices if needed.

Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
Ensure that the admin you want to add has the role of an escrow admin.
In the navigation menu, click User Management then Roles.
Click the name of the role that will be assigned to the escrow admin.
Click the Role Settings tab.
Under Advanced Features, locate the Device Managed Encryption feature and ensure that this role has Edit access enabled.
Click Save Changes.
Click the Role Members tab.
Assign the user who will have Escrow admin privileges.

Once the user has escrow admin privileges, they can add their first device to Escrow as an admin to complete the process.

How Escrow admins can help users access encrypted data

If a user cannot access their older devices or backup keys, they can ask an escrow administrator to help recover their data by logging into a new device. Then they can request for the administrator to approve that device to grant it access to the user’s encrypted data. The administrator can help approve a user’s device as follows:

Note: Escrow administrators can confirm the fingerprint before helping the user recover their own data, to confirm they are sharing the data with the appropriate devices.

Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
In the navigation menu, click User Management then Users.
Click the Users tab.
Click the user email/name ID of the user that you want to manage.
Under Sign In, click Devices & Activity.
A dialog box will appear.
Note: This option will show a list of devices that have been approved. The option also provides the ability to remove approved devices that may be lost or stolen. Any devices that may be unrecognized should be removed.
In the box, click Open Zoom Meetings to confirm.
You will be directed to the Devices & Activity window in the Zoom desktop app.
In the window, manage devices by selecting (approving) or deselecting (removing) the device checkbox.
Click Save.
Selected devices will gain access to this device’s data. Remove devices you do not recognize or no longer use.

How admins can access escrowed data

Currently, Device Managed Encryption is available for Restricted voicemails for Zoom Phone and Zoom Mail Service. Escrow allows administrators to recover their users’ data encrypted with Device Managed Encryption.

Zoom Phone

After setting up escrow, you can allow emails and voicemail messages for your entire account to be encrypted using Device Managed Encryption.

Zoom Phone users can use Device Managed Encryption for voicemails to secure the voicemails. Device Managed Encryption allows voicemail to be encrypted with keys that are not accessible to Zoom servers. This voicemail can be decrypted only by the intended user recipient. This allows users to have additional security controls over their voicemails to maintain confidentiality. This functionality has to be enabled by administrators before it's available to users.

Shared line appearance, shared line group, call queue, or auto receptionist voicemails will not be encrypted but can still be played. Email-to-voicemail, transcriptions, and checking voicemails by dialing into the voicemail system or web are not available when this feature is enabled.

Note: This setting is only available with Zoom app version 5.12.0 or later.

Learn more about Restricted voicemails for Zoom Phone.

Zoom Mail

By default, email cannot be accessed by account admins, as only sending and receiving devices store the encryption key needed to decrypt the emails. However, customers who choose a custom domain will also have the option to set up key escrow on their account, which allows a designated escrow admin in an account to receive backup copies of cryptographic keys from all users in that account. Holding copies of these keys will let the escrow admin access all emails in the account, and can allow the admin to help users recover their messages after device loss or other IT failure.

Additionally, designated admins in an account that has opted to use the key escrow feature will have access to all emails in that account, even though those emails will remain encrypted and inaccessible to anyone without the required keys, including Zoom. When the email a user is about to send will be end-to-end encrypted, the user interface will indicate this.