While Team Chat messages in transit between users and the Zoom cloud are encrypted by default, advanced chat encryption facilitates more secure Zoom Team Chat messaging between Zoom users. By default, Team Chat messages are transmitted between the user's device and the Zoom cloud using TLS 1.2 with the Advanced Encryption Standard (AES) 256-bit algorithm and server-side generated keys. With advanced chat encryption enabled, keys are generated by the user’s device and shared only with the other chat participants' devices.
While advanced chat encryption is an extra layer of privacy for your chats, some Team Chat functionality is limited by enabling this setting. Organizations and individual Zoom users should determine whether that functionality is needed before enabling advanced chat encryption. Zoom’s default chat encryption may provide organizations with the level of security to support multiple regulatory compliance frameworks, so advanced chat encryption may not be necessary (and/or recommended) for all customers. This should be used for specific high-security and sensitive-information environments that do not require the full functionality of Team Chat.
With advanced chat encryption enabled, it is possible for messages to be sent and then become unrecoverable, because the encryption keys are deleted upon uninstallation. Since the encryption key is only stored on the devices of recipients, Zoom is also unable to assist with recovery, so it is important for account admins to consider this possibility before enabling the setting.
With advanced chat encryption enabled for your account, users and admins are unable to use certain Team Chat features, including, but not limited to, the following:
*Note: Inter-account encryption functionality can be contingent upon all chat participants having advanced chat encryption enabled by their account admin. Account admins are unable to see a chat user's message text in chat history where all chat users have advanced chat encryption enabled. When a user does not have this setting enabled, account admins for their account or others may be able to see their message text in chat history, including accounts where the setting is enabled. However, channels or group chats initiated by a user with advanced chat encryption enabled will extend advanced chat encryption to an external user's messages regardless of their settings. Learn more about the effect of Zoom Team Chat settings on inter-account communications.
By default, Zoom uses TLS to encrypt in-transit Team Chat messages between users and the Zoom Cloud. Zoom also encrypts at-rest Team Chat messages stored within the Zoom Cloud. Advanced chat encryption uses a device generated and stored key to encrypt messages between all users in a chat, and then additionally encrypts these messages in-transit between users and the Zoom Cloud using TLS.
When advanced chat encryption is enabled:
When advanced chat encryption is disabled:
Note: Admins can disable ACE for their existing and new chats and channels, allowing users to instantly benefit from additional team chat functionality. When ACE is disabled, new messages sent in existing chats and channels are no longer encrypted via ACE. For existing users who had previously disabled ACE, the existing chats and channels that remained ACE-encrypted are unaffected. Additionally, admins can request to remove ACE from these existing encrypted chats and channels through a support ticket.
To enable the advanced chat encryption for all members of your organization:
After enabling advanced chat encryption, chats in the Zoom desktop app and mobile app tab will display a padlock icon to indicate that advanced chat encryption is enabled.
Users will not see the encrypted chat until they open Zoom. Notifications, including those on the lock screen, will state that they have received an encrypted chat message.
When using advanced chat encryption, there may be situations where a sent message cannot be decrypted and viewed. This often happens because both users are not online at the same time and therefore cannot share the key used to decrypt the message.
To resolve such an issue, ensure both users are online, so that the encryption key can be automatically shared between them and the message decrypted.
It is also possible for the encryption key to be lost, resulting in any advanced chat encrypted messages becoming unrecoverable. For instance, if a message is sent but then the recipient uninstalls the Zoom app before the message is decrypted and viewed, then the encryption key that was used to encrypt the message is lost and cannot be recovered. However, chat messages are only lost if all parties with access to the message lose their encryption keys. As long as a party is still online with access to the messages, the other parties can regain their access.
To disable advanced chat encryption for all members of your organization:
Notes for preparing to disable ACE:
Messages sent prior to disabling ACE will remain unchanged and continue to be encrypted with advanced chat encryption. Messages in both existing and newly created chats and channels will be encrypted using enhanced encryption, as described in the "Differences when advanced chat encryption is enabled and disabled" section above.
This change will be mostly transparent to users, allowing them to view previous messages as they did before. However, once ACE is disabled, certain feature limitations, as outlined in the limitations section above, will be removed.
Admins can disable ACE on their account, allowing users to instantly benefit from additional team chat functionality. After ACE is disabled, new messages sent in new and existing chats and channels are no longer encrypted via ACE. Messages shown in the chat history report, legal hold, and returned via API will no longer show as "encrypted message", and admins will see the full message contents in these reports. Any messages sent while ACE was still enabled on the account will continue to return as "encrypted message" in the chat history and legal hold reports, and APIs.
If admins would like to test the experience prior to disabling ACE for the entire account, they can submit a support ticket to request enabling a selective mode experience. Once this is enabled on the account, the admin will see a new option under the Enable advanced chat encryption toggle to choose Selective - default on. This will allow the admin to disable ACE for a specific channel in the admin portal to test the messaging experience, APIs, and chat history exports for messages in that specific channel. After enabling Selective - default on, to disable ACE for a specific channel, go to the Channel Management page, select a channel to edit, then under Advanced chat encryption, deselect the option for enabled advanced chat encryption.
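As an added example (not Zoom's code and not Zoom's export format), the following Python check reads a chat history export and lists channels that still show the "encrypted message" placeholder after ACE was disabled, which is content that archiving and DLP review cannot read. The CSV column names, the sample rows and the disable timestamp are constructed assumptions; map them to the layout of your actual export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Placeholder text the page says reports and APIs show for ACE messages.
# A user who types this exact text would be counted too (false positive).
PLACEHOLDER = "encrypted message"

# Constructed sample export; column names are hypothetical, not Zoom's schema.
SAMPLE_EXPORT = """channel,sent_at,sender,message
eng-general,2024-05-01T09:00:00,alice,encrypted message
eng-general,2024-05-03T10:15:00,bob,Build is green again
legal-hold,2024-05-01T11:30:00,carol,encrypted message
legal-hold,2024-05-04T08:45:00,dave,encrypted message
support,2024-05-03T12:00:00,erin,Ticket closed
"""

def audit_export(csv_text, ace_disabled_at):
    """Count placeholder and readable rows per channel, split at the disable time."""
    cutoff = datetime.fromisoformat(ace_disabled_at)
    stats = defaultdict(lambda: {"opaque_before": 0, "opaque_after": 0, "readable": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        sent = datetime.fromisoformat(row["sent_at"])
        entry = stats[row["channel"]]
        if row["message"].strip().lower() == PLACEHOLDER:
            entry["opaque_after" if sent >= cutoff else "opaque_before"] += 1
        else:
            entry["readable"] += 1
    return dict(stats)

def channels_still_opaque(csv_text, ace_disabled_at):
    """Channels with placeholder rows dated after ACE was disabled."""
    report = audit_export(csv_text, ace_disabled_at)
    return sorted(ch for ch, s in report.items() if s["opaque_after"] > 0)

if __name__ == "__main__":
    disabled_at = "2024-05-02T00:00:00"  # constructed timestamp
    for channel, counts in sorted(audit_export(SAMPLE_EXPORT, disabled_at).items()):
        print(channel, counts)
    print("review:", channels_still_opaque(SAMPLE_EXPORT, disabled_at))
```

Placeholder rows dated before the disable time are expected, since messages sent while ACE was enabled keep returning as "encrypted message"; rows dated after it point to a chat or channel that is still ACE-encrypted.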
Advanced Chat Encryption adds an extra layer of protection but also limits certain features, including message archiving, data loss prevention (DLP), message editing, AI capabilities, translation features, and more.