Setting up Advanced CMK Chat Encryption and Client-side CMK Hybrid Chat Encryption

The Customer Managed Key (CMK) service allows organizations to provide and manage their own encryption keys for certain customer content stored in the Zoom Cloud. CMK Hybrid enhances Zoom’s CMK offering by providing more options to manage the encryption and decryption process on premises. Zoom Team Chat messages, for example, can be encrypted locally by the Zoom Workplace app (some Zoom cloud-based Team Chat functionalities will not be available as a result). With the Team Chat Hybrid Module for Zoom Node, organizations can deploy on-premise chat storage servers to be used with Zoom Team Chat.

In a standard Zoom Team Chat configuration, messages are transmitted between the user's device and the Zoom cloud using TLS 1.2 with Advanced Encryption Standard (AES) 256-bit algorithm in-transit. Customers who have Zoom Customer Managed Key (CMK) licensed and configured, can also enable additional client level encryption options to facilitate more secure Team Chat messaging between Zoom users with CMK. Once enabled, keys are generated and secured by CMK, either in the cloud (Advanced CMK Chat Encryption, ACCE) or on premises using CMK Hybrid (Client-side CMK Hybrid Encryption, CSE).

While these options are designed to provide additional privacy for your chats, some Team Chat functionality is limited by enabling this setting. Organizations should determine whether that functionality is needed and for what users before enabling it. Zoom’s default chat encryption may provide organizations with the level of security to support multiple regulatory compliance frameworks, so advanced encryption options may not be necessary (and/or recommended) for all customers. This should be used for specific high-security and sensitive-information environments that do not require the full functionality of Team Chat. While the CSE and ACCE options have similar functionality and limitations to advanced chat encryption, CSE and ACCE allow admins access to messages and is not limited to particular devices.

Learn more about Setting up Customer Managed Key.

Requirements for enabling and using ACCE and CSE

• A Zoom Enterprise Plus (or higher) or CMK Add-on license
• To keep certain internal data key management under organizational control using CSE, a Zoom CMK Hybrid license for each on-premises server (at least two for fault tolerance)
• Account owner or admin privileges to enable for certain groups of users
• Zoom desktop app for Windows, macOS, or Linux: Global minimum version or higher
• Zoom mobile app for Android or iOS: Global minimum version or higher

Limitations after enabling ACCE and CSE

With ACCE or CSE enabled for your account, users are unable to use certain Team Chat features, including, but not limited to, the following:

User

• Team Chat features:
  • Send animated GIFs
    Note: Even if the text is encrypted, any GIFs included in the message are retrieved from the GIF service. This retrieval requires an external request, which is not encrypted.
  • View files/images in the Resources tab
    
    of a chat or channel
  • Edit sent messages
  • View message previews in chat notifications
  • Bookmark chat messages
  • See link previews for chat messages with URLs
    Note: Link previews are disabled by default, but can be enabled by admins.
  • Send interactive cards when using a Team Chat App
    Note: Plain text is provided instead of the interactive card.
  • Setting a reminder for messages
  • Schedule a meeting directly from a Team Chat group chat or channel
  • Archiving messages with a 3rd-party provider requires the provider to support decryption
  • 3rd-party file storage integrations
  • Message translation
  • AI Companion features
• Meeting features:
  • Continuous meeting chat

Differences when client level encryption is enabled and disabled

By default, Zoom uses TLS to encrypt in-transit Team Chat messages between users and the Zoom Cloud. Zoom also encrypts at-rest Team Chat messages stored within the Zoom Cloud. Client level encryption options for CMK use a data key to encrypt messages between all users in a chat, and then additionally encrypts these messages in-transit between users and the Zoom Cloud using TLS. If an account has licensed and deployed CMK Hybrid, then internal chat channels use data keys managed by CMK Hybrid (CSE), otherwise the data keys are managed by CMK in the Zoom Cloud (ACCE).

When client level encryption is enabled:

• Data at rest: Chat messages are encrypted with data keys managed by either CMK (ACCE) or CMK Hybrid (CSEE)
• Data in transit: Chat messages are encrypted with data keys managed by CMK or CMK Hybrid and also encrypted using TLS in transit between the user and the Zoom Cloud.

When client level encryption is not enabled:

• Data at rest: Chat messages are encrypted by keys managed by Zoom or CMK.
• Data in transit: Chat messages are encrypted using TLS in transit between the user and the Zoom Cloud.

Notes:

• Inter-account encryption functionality. CSE only works for messages sent within the same Zoom account (intra-account). ACCE will work across accounts in Team Chat channels with external contacts and serves as the back-up protocol for an account withCSE enabled when users are communicating inter-account.
• Disabling client level encryption. Admins can disable client level encryption for their existing and new chats and channels, allowing users to instantly benefit from additional team chat functionality. When client level encryption is disabled, new messages sent in existing chats and channels are no longer encrypted on the client (but by TLS in transit). For existing users who had previously disabled client level encryption, the existing chats and channels that were encrypted on the client are unaffected.

How to enable or disable client level encryption

To enable ACCE and CSE client level encryption for all users in your account:

1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
2. In the navigation menu, click Advanced then Security.
3. Under Security, click the Allow users to use encryption on the Team Chat client toggle to enable or disable it.
   Client level encryption will be applied to all chat messages in channels created by users who have this setting enabled. Messages sent before this is enabled, or sent after this is disabled, are unaffected.

Using client level encryption once enabled

After enabling client level encryption, chats in the Zoom desktop app and mobile app tab will display a padlock icon to indicate that client level encryption is enabled.

Users will not see the encrypted chat until they open Zoom. Notifications, including those on the lock screen, will state that they have received an encrypted chat message.

Troubleshooting failures to decrypt messages

When using ACCE and CSE client level encryption, there may be situations where a sent message cannot be decrypted and viewed. This is often due to the Zoom client being unable to connect or authenticate with the CMK Hybrid server or if the customer's key is unavailable. A user has to make sure that they successfully log in to both Zoom and their organization's CMK Hybrid key connector server.

What to expect when disabling ACCE and CSE

User

Messages sent prior to disabling ACCE and CSE client level encryption will remain unchanged and continue to be encrypted. Messages in both existing and newly created chats and channels will be encrypted using standard encryption, as described in the section above.

This change will be mostly transparent to users, allowing them to view previous messages as they did before. However, once client level encryption is disabled, certain feature limitations, as outlined in the limitations section above, will be removed.

Note: If users disable their on-premises hybrid CMK infrastructure, messages encrypted with those keys will no longer be accessible.

Admin

Admins can disable ACCE and CSE client level encryption on their account, allowing users to instantly benefit from additional team chat functionality. After it is disabled, new messages sent in new and existing chats and channels are no longer encrypted using these advanced protocols and will default to using standard Zoom Team chat encryption protocols.

Why consider disabling client level encryption?

Client level encryption adds an extra layer of protection but may also limit certain features, including message archiving, data loss prevention (DLP), message editing, AI Companion capabilities, translation features, and more.