Using Device Managed Encryption

Zoom's Device Managed Encryption is designed to help protect users' data by ensuring that only authorized users’ devices have the keys to decrypt it. Device Managed Encryption can be contrasted with other encryption types where Zoom holds the keys to allow server-side processing to provide features like efficient searches, cloud recordings, or AI Companion. Device Managed Encryption requires users to manage authorization for their own devices (and cryptographic keys), enhancing security against potential server compromises.

With Zoom’s Device Managed Encryption:

• Data is encrypted with keys known only to authorized users’ devices. In some cases, Zoom servers might be performing the encryption, so they will have access to the data, even if temporarily.
• Users must approve new devices manually before they can access previously encrypted data.
• Loss of all authorized devices can lead to permanent data loss, mitigated by backup keys and escrow services.

Currently, Device Managed Encryption is available for Restricted voicemails for Zoom Phone and Zoom Mail Service. End-to-end encryption is a stronger variant where only the sender and recipient (and their account administrators if escrow is in use) can access the data, without temporary server access, offering enhanced security over Device Managed Encryption.

This article covers:

• How to get started with Device Managed Encryption
  • Access the Devices & Activity details on any device
  • Approve a new device as an end-user
  • Remove an approved device as an end-user
• How to manage backup keys

Prerequisites for using Device Managed Encryption

• Device Managed Encryption enabled for the account
• Zoom desktop app
  • Windows: 5.12.0 or higher
  • macOS: 5.12.0 or higher
  • Linux: 5.12.0 or higher

How to get started with Device Managed Encryption

To start using Device Managed Encryption, the Restricted voicemails feature for Zoom Phone or Zoom Mail Service must be enabled at the account level. Once Device Managed Encryption is enabled for a specific user, their Zoom desktop app will notify them and generate the encryption keys necessary to use the feature. This happens as each device comes online, or as the user starts to use the relevant features for the first time on that device.

In particular, for the user’s first device to do this, the following happens:

• Users are prompted with the Devices & Activity pop-up window. This pop-up window has two sections:
  • Devices: This section shows all the devices that can access the voicemails. When setting up the first device, there will only be one device listed. The user should recognize all devices in the list.
    Note: If the admin has enabled Escrow, then a device called Admin Device is listed. The Admin Device does not directly correspond to a single physical device but informs the user that their account’s escrow administrators have access to the user’s encrypted data, and can help the user recover data if they lose their devices.
  • Account: This section shows the fingerprint details of the devices that the user is logged into along with the fingerprint of the Admin Device. The fingerprint can be used to validate the authenticity of a device that is stored in the list.
    This section also shows the phone numbers, extensions, and email addresses that belong to the user.
• Click Save to save the device and account information.

Access the Devices & Activity details on any device

The user can access the Devices & Activity details on any of their devices:

1. Sign in to the Zoom desktop app.
2. In the top-right corner, click your profile picture or initials.
3. Click Settings.
4. In the navigation menu, click Profile.
5. Click Device Management for Encryption.
   A pop-up window will appear.
6. In the Devices & Activity window, verify your device’s details, then click Save.

As the user starts using their other devices, the newer devices will also be added to the Devices & Activity list, generate their own keys, and require approval from one of the user’s older devices to gain access to previously encrypted data.

Approve a new device as an end-user

When the user logs in to Zoom on a new device for the first time (or on an existing device after a feature leveraging Device Managed Encryption has been enabled for that user), this new device immediately generates the necessary encryption keys. It will immediately be able to send and receive new data using Device Managed Encryption. However, the device must be approved by an existing device before it can access previously encrypted data.

When the user signs in to a new device, the Devices & Activity pop-up window is displayed on all existing devices.

1. Under the Devices & Activity pop-up window, view the new device under the Review Activity section.
2. Ensure that the device that is being approved is the correct one (the fingerprint can be checked for additional verification).
3. Click Save.
4. If the Devices & Activity window does not appear, access this section by completing the following steps:
   1. In the top-right corner of the Zoom desktop app, click your profile picture or initials.
   2. Click Settings.
   3. In the navigation menu, click Profile.
   4. Click Device Management for Encryption.

Once the user clicks Save, the existing device will share the encrypted data it can access with the newer device.

Note: Each device can only share access to previously encrypted data up to the date and time it can decrypt. For each device in the Devices & Activity list, the information dialog box will display the Data access, which shows the earliest date and time a device can decrypt data. Approving a new device upgrades its Data access to match that of the approving device.

In some cases, additional approvals from devices with the oldest data access might be needed for new devices to access all encrypted data. If these older devices are unavailable and backup keys or escrow are not set up, data may be permanently lost.

Note: When approving new devices, the user can check that the new devices are approved and the old devices show the same user fingerprint in order to prevent some sophisticated attacks. If the fingerprints are not the same, the user should not perform the approval and instead revoke the new devices.

Remove an approved device as an end-user

If a device is lost, stolen, or decommissioned, it must be removed from the approved device list so that it can no longer be used to access newly generated encrypted content.

1. Sign in to the Zoom desktop app.
2. In the top-right corner, click your profile picture or initials.
3. Click Settings.
4. In the navigation menu, click the Profile tab.
5. Click Device management for encryption.
   A pop-up window will appear.
6. In the Devices & Activity window, deselect the device that needs to be removed.
7. Click Save.

How to manage backup keys

Backup keys are short alphanumeric strings that the user can generate, using one of their Zoom app devices, and use to regain access to their data if their devices are unavailable. 

Each backup is treated like an additional user device. It is listed in the Devices & Activity section and can be revoked if lost or stolen. Initially, each backup key has as much access to encrypted data as the device that generated it (i.e. it has the same Data access value); but, as with regular devices, it can be approved using an older device to extend its access.

Note: If escrow is in place, escrow administrators can prevent their users from creating additional backup keys if desired.

To use a backup key to grant a device access to encrypted data, a user can:

1. Sign in to the Zoom desktop app.
2. In the top-right corner, click your profile picture or initials.
3. Click Settings.
4. In the navigation menu, click the Profile tab.
5. Click Device management for encryption.
   A pop-up window will appear.
6. At the bottom of the Devices & Activity window, click from the following options:
   • Add key: Create a new backup key.
     1. Store this key somewhere safe. You could write it down on paper, add it to your password manager, or otherwise somewhere on your computer. For your convenience, there is the option to click the Copy icon to copy the backup key to your clipboard.
        Notes:
        • After the new backup key window closes, you will not be able to view this key again. You can generate more backup keys later.
        • You might need your backup key if your device is lost, stolen, broken, or otherwise unavailable. We recommend against storing a single copy of the backup key locally on that device.
     2. Click I saved my backup key to close the window.
        The new backup key will be displayed in the Devices & Activity window list.
   • Enter key: Enter a backup key to access encrypted emails or restricted voicemails on this device. This extends the device’s access to that of the backup key you entered.
7. Click Save.