Setting up advanced chat encryption

While Team Chat messages in-transit between users and the Zoom cloud are encrypted by default, advanced chat encryption facilitates more secure Zoom Team Chat messaging between Zoom users. By default, Team Chat messages are transmitted between the user's device and the Zoom cloud using TLS 1.2 with Advanced Encryption Standard (AES) 256-bit algorithm with server-side generated keys. With advanced chat encryption enabled, keys are generated by the user’s device and shared only with the other chat participants' devices.

While advanced chat encryption is an extra layer of privacy for your chats, some Team Chat functionality is limited by enabling this setting. Organizations and individual Zoom users should determine whether that functionality is needed before enabling advanced chat encryption. Zoom’s default chat encryption may provide organizations with the level of security to support multiple regulatory compliance frameworks, so advanced chat encryption may not be necessary (and/or recommended) for all customers. This should be used for specific high-security and sensitive-information environments that do not require the full functionality of Team Chat.

With advanced chat encryption enabled, it is possible for messages to be sent and then unrecoverable, due to the encryption keys being deleted upon uninstallation. Since the encryption key is only stored on the devices of recipients, Zoom is also unable to assist with recovery, so it is important for account admins to consider this possibility before enabling.

Requirements for enabling and using advanced chat encryption

• A Paid Zoom account
• Account owner or admin privileges
• Zoom desktop app for Windows, macOS, or Linux: Global minimum version or higher
• Zoom mobile app for Android or iOS: Global minimum version or higher

Limitations after enabling advanced chat encryption

With advanced chat encryption enabled for your account, users and admins are unable to use certain Team Chat features, including, but not limited to, the following:

User

• Team Chat features:
  • Send animated GIFs
  • View files/images in the Resources tab of a chat or channel
  • Edit sent messages
  • View message previews in chat notifications
  • Bookmark chat messages
  • See link previews for chat messages with URLs
    Note: Link previews are disabled by default, but can be enabled by admins.
  • Send interactive cards when using a Team Chat App
    Note: Plain text is provided instead of the interactive card.
  • Setting a reminder for messages with advanced encryption
  • Schedule a meeting directly from a Team Chat group chat or channel
  • Archiving messages with a 3rd-party provider
  • 3rd-party file storage integrations
  • Message translation
• Meeting features:
  • Continuous meeting chat

Admin

• View message text in chat history
  Note: Admins can still see:
  • Metadata such as chat participants, file name, size, and the date/time of the message sent
  • Reactions to the messages
  • External messages received if advanced chat encryption is disabled in the external account*

*Note: Inter-account encryption functionality can be contingent upon all chat participants having advanced chat encryption enabled by their account admin. Account admins are unable to see a chat user's message text in chat history where all chat users have advanced chat encryption enabled. When a user does not have this setting enabled, account admins for their account or others may be able to see their message text in chat history, including accounts where the setting is enabled. However, channels or group chats initiated by a user with advanced chat encryption enabled will extend advanced chat encryption to an external user's messages regardless of their settings. Learn more about the effect of Zoom Team Chat settings on inter-account communications.

Differences when advanced chat encryption is enabled and disabled

By default, Zoom uses TLS to encrypt in-transit Team Chat messages between users and the Zoom Cloud. Zoom also encrypts at-rest Team Chat messages stored within the Zoom Cloud. Advanced chat encryption uses a device generated and stored key to encrypt messages between all users in a chat, and then additionally encrypts these messages in-transit between users and the Zoom Cloud using TLS.

When advanced chat encryption is enabled:

• Data at rest: Chat messages are encrypted with keys generated and operated on chat participants' devices.
• Data in transit: Chat messages are encrypted using a device generated and stored key to encrypt messages between chat participants and also encrypted using TLS in transit between the user and the Zoom cloud.

When advanced chat encryption is disabled:

• Data at rest: Chat messages are encrypted by keys generated and operated by Zoom.
• Data in transit: Chat messages are encrypted using TLS in transit between the user and the Zoom cloud.

Note: Admins can disable ACE for their existing and new chats and channels, allowing users to instantly benefit from additional team chat functionality. When ACE is disabled, new messages sent in existing chats and channels are no longer encrypted via ACE. For existing users who had previously disabled ACE, the existing chats and channels that remained ACE-encrypted are unaffected. Additionally, admins can request to remove ACE from these existing encrypted chats and channels through a support ticket.

How to enable advanced chat encryption

To enable the advanced chat encryption for all members of your organization:

1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
2. In the navigation menu, click Account Management then Account Settings.
3. Click the Team Chat tab.
4. Under Security, click the Enable advanced chat encryption toggle to enable or disable it.
5. If a verification dialog displays, click Enable to verify the change.
6. (Optional) Select the checkbox to enable Enable hyperlink preview.
   Note: When generating link previews, the local Zoom app will detect the link in the sender's message before it is encrypted, and the preview will be shared between the sender and recipient. Only URLs are detected and they must begin with http:// or https:// followed by a non-empty space.
7. Click Save to confirm any changes.
   Advanced chat encryption will be applied to all chat messages sent by users on your account. Messages sent before this is enabled, or sent after this is disabled, are unaffected.

Using advanced chat encryption once enabled

After enabling advanced chat encryption, chats in the Zoom desktop app and mobile app tab will display a padlock icon to indicate that advanced chat encryption is enabled.

Users will not see the encrypted chat until they open Zoom. Notifications, including those on the lock screen, will state that they have received an encrypted chat message.

Troubleshooting failures to decrypt messages

When using advanced chat encryption, there may be situations where a sent message cannot be decrypted and viewed. This is often due to both users not being online at the same time and thus unable to share the key used to decrypt the message.

To resolve such an issue, ensure both users are online, so that the encryption key can be automatically shared between them and the message decrypted.

It is also possible for the encryption key to be lost, resulting in any advanced chat encrypted messages becoming unrecoverable. For instance, if a message is sent but then the recipient uninstalls the Zoom app before the message is decrypted and viewed, then the encryption key that was used to encrypt the message is lost and cannot be recovered. However, chat messages are only lost if all parties with access to the message lose their encryption keys. As long as a party is still online with access to the messages, the other parties can regain their access.

How to disable advanced chat encryption

To disable advanced chat encryption for all members of your organization:

1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
2. In the navigation menu, click Account Management then Account Settings.
3. Click the Team Chat tab.
4. Under Security, click the Enable advanced chat encryption toggle to disable it.
5. If a verification dialog displays, click Disable to verify the change.
6. Click Save to confirm any changes.

Notes for preparing to disable ACE:

• Disabling ACE removes encryption for new messages in chats and channels. Messages in reports and APIs will show full content instead of "encrypted message."
• Messages sent while ACE was enabled will still show as "encrypted message" in reports and APIs.
• [Optional]: Admins can request a selective mode experience via support ticket to test ACE on specific channels before fully disabling.

What to expect when disabling advanced chat encryption

User

Messages sent prior to disabling ACE will remain unchanged and continue to be encrypted with advanced chat encryption. Messages in both existing and newly created chats and channels will be encrypted using enhanced encryption, as described in the "Differences when advanced chat encryption is enabled and disabled" section above.

This change will be mostly transparent to users, allowing them to view previous messages as they did before. However, once ACE is disabled, certain feature limitations, as outlined in the limitations section above, will be removed.

Admin

Admins can disable ACE on their account, allowing users to instantly benefit from additional team chat functionality. After ACE is disabled, new messages sent in new and existing chats and channels are no longer encrypted via ACE. Messages shown in the chat history report, legal hold, and returned via API will no longer show as "encrypted message", and admins will see the full message contents in these reports. Any messages sent while ACE was still enabled on the account will continue to return as "encrypted message" in the chat history and legal hold reports, and APIs.

If admins would like to test the experience prior to disabling ACE for the entire account, they can submit a support ticket to request enabling a selective mode experience. Once this is enabled on the account, the admin will see a new option under the Enable advanced chat encryption toggle to choose Selective - default on. This will allow the admin to disable ACE for a specific channel in the admin portal to test the messaging experience, APIs, and chat history exports for messages in that specific channel. After enabling Selective - default on, to disable ACE for a specific channel, go to the Channel Management page, select a channel to edit, then under Advanced chat encryption, deselect the option for enabled advanced chat encryption.

Why consider disabling ACE?

Advanced Chat Encryption adds an extra layer of protection but also limits certain features, including message archiving, data loss prevention (DLP), message editing, AI capabilities, translation features, and more.