Encryption for SIP/H.323 in Zoom

This post was most recently updated on July 22nd, 2022

By default, the Zoom desktop and mobile clients encrypt in-meeting and in-webinar presentation content in transit at the application layer, using the TLS 1.2 protocol and the 256-bit AES-GCM encryption algorithm.

For participants who join Zoom by phone, Zoom’s data centers encrypt the audio before it is sent to the participant’s phone network.

Devices that use H.323 or SIP to join Zoom meetings can be required to use encryption. This setting can be configured at the account, group, or user level. When it is enabled, these devices must also have encryption enabled in order to join your Zoom meeting; otherwise they will receive an error message and will not be able to join.

Connections such as phone dial-in, unencrypted SIP/H.323 devices, or streaming via RTMP can leave a meeting only partially encrypted. When that happens, meeting participants on supported devices see a warning icon indicating that the meeting is only partially encrypted.

Zoom’s 256-bit AES-GCM encryption secures the content shared in your Zoom meetings. For additional protection, users can also enable end-to-end encryption (E2EE). To use end-to-end encryption, meeting participants must join from the Zoom desktop client, Zoom mobile app, or Zoom Rooms, and some meeting features are limited.

In this article, we will cover the following topics:

  • How to use the partially encrypted meeting warning
  • How to enable the SIP/H.323 endpoint encryption
    • Account
    • Group
    • User

Prerequisites for encrypting SIP/H.323 connections

To enable SIP/H.323 endpoint encryption

  • Free, Pro, Business, Enterprise, Education, or API account

To view the unencrypted connections warning

  • Zoom desktop client
    • Windows: 5.4.6 (59296.1207) or higher
    • macOS: 5.4.6 (59296.1207) or higher
    • Linux: 5.4.6 (59296.1207) or higher
  • Zoom mobile app
    • Android: 5.4.6 (812) or higher
    • iOS: 5.4.6 (59285.1207) or higher

How to use the partially encrypted meeting warning

When you are in a Zoom meeting, a shield icon with a check mark indicates that the meeting is encrypted. If a new endpoint that is not encrypted joins, a shield icon with a yellow exclamation point is shown instead of the green shield. A shield with a lock icon indicates that end-to-end encryption is in use.

To view details about unencrypted connections, click the shield icon and then click the Exceptions icon next to Encryption. Any unencrypted connections are listed in this section.

How to enable the SIP/H.323 endpoint encryption

Account

To require all users in the account to use encrypted third-party endpoints (H323/SIP):
  1. Sign in to the Zoom web portal as an administrator with the privilege to edit account settings.
  2. Click on Account Management in the left navigation panel and then click on Account Settings in the right navigation panel.
  3. Under In Meeting (Basic), check that Require Encryption for 3rd Party Endpoints (H323/SIP) is enabled.
  4. If the setting is disabled, click the toggle to enable it. If a verification dialog appears, click Turn On to verify the change.
  5. To make this setting compulsory for all users in your account, click the lock icon. Then click Lock to confirm that the setting is mandatory for the entire account and to make it permanent.

Group

To enable Require Encryption for 3rd Party Endpoints (SIP/H.323) for a group of users:
  1. Sign in to the Zoom web portal as an administrator with the privilege to edit groups.
  2. Select User Management from the navigation panel, and then click Contacts and Channels. You can add contacts and create contact Groups from the drop-down menu.
  3. In the list of groups, click the name of the appropriate group, and then click the Settings tab.
  4. Under In Meeting (Basic), check that Require Encryption for 3rd Party Endpoint (SIP/H.323) is enabled.
  5. If the setting is disabled, click the toggle to enable it. If a verification dialog appears, click Turn On to verify the change.
    Note: If the option is grayed out, it has usually been locked at the account level and needs to be changed there first.
  6. (Optional) To make this setting mandatory for all users in the group, click the lock icon, and then click Lock to confirm that the setting has been locked.

User

To enable Require Encryption for 3rd Party Endpoints (SIP/H.323) for your own use:
  1. Sign in to the Zoom web portal.
  2. Click Settings in the navigation panel on the left side of the screen.
  3. Under In Meeting (Basic), check that Require Encryption for 3rd Party Endpoints (SIP/H.323) is enabled.
  4. If the setting is disabled, click the toggle to enable it. If a verification dialog appears, click Turn On to verify the change.
    Note: If the option is grayed out, it may have been locked at either the account or the group level. To resolve this, contact your Zoom administrator.