End-to-end encryption (E2EE) for Zoom meetings
End-to-end encryption (E2EE) is now available for meetings. Administrators and account owners can choose to encrypt all meetings end-to-end, providing additional security when necessary. For a meeting to use end-to-end encryption, all participants must join from the Zoom desktop client, Zoom mobile app, or Zoom Rooms.
When this setting is enabled, the following features will also be disabled:
- Join before host
- Cloud recording
- Live streaming
- Live transcription
- Breakout Rooms
- Polling
- Zoom Apps
- Meeting reactions*
- 1:1 private chats*
*Note: As of version 5.5.0 for desktop, mobile, and Zoom Rooms, these features are supported in E2EE meetings.
Third-party clients that use the Zoom Web SDK are to be supported in the future, but users cannot join via telephone, SIP/H.323 devices, on-premise configurations, the Zoom web client, or Lync/Skype clients, since these endpoints cannot be encrypted end-to-end.
There is a limit of 200 participants in E2EE sessions, regardless of a Large Meeting license.
The pre-requisites for enabling end-to-end (E2EE) encryption for meetings
- Zoom desktop client
  - Windows: 5.4.0 or higher
  - macOS: 5.4.0 or higher
  - Linux: 5.4.0 or higher
- Zoom mobile app
  - Android: 5.4.0 or higher
  - iOS: 5.4.0 or higher
- Zoom Rooms for Conference Room
  - PC: 5.2.2 or higher
  - macOS: 5.2.2 or higher
  - Appliances: 5.2.2 or higher
Notes:
- The Zoom web client and third-party clients that leverage the Zoom Web SDK are not supported. See the developer documentation for the Zoom Web SDK for more information.
- Users joining by phone, SIP/H.323 devices, on-premise configurations, or Lync/Skype clients cannot use end-to-end encryption, because these endpoints cannot be encrypted end-to-end.
- Free meeting hosts who wish to enable end-to-end encryption will need to verify their phone number with a verification code sent by SMS. Other attendees do not need to provide any authentication information.
How to make sure your meetings are encrypted end-to-end
It’s recommended that you only use end-to-end encryption for meetings that require greater protection, since the feature is still in technical preview and disables several other features. You can decide which encryption method you want to use after enabling E2EE.
Account
To enable End-to-End (E2EE) encrypted meetings for all users on the account:
- Sign in to the Zoom web portal as an administrator with the permission to edit account settings.
- In the left navigation panel, click Account Management, then click Account Settings.
- Choose Meetings from the left navigation panel.
- Under Security, verify that Allow use of end-to-end encryption is enabled.
- If the setting is disabled, click the toggle to enable it. If a verification dialog appears, click Turn On to verify the change.
- To make this setting mandatory for all users in your account, click the lock icon on the left, and then click Lock to confirm.
- Under Security, choose the Default encryption type.
- Click Save.
Note: Because of the limitations of E2EE, we recommend using Enhanced encryption as the default encryption type and using End-to-end encryption for meetings in which additional protection is required.
Group
Note:
If you signed up for a new Zoom account after August 21, 2021, or the New Admin Experience is enabled on your account, the Group Management page has been renamed to Groups.
To enable End-to-End (E2EE) encrypted meetings for a group of users:
- Sign in to the Zoom web portal as an administrator with the permission to edit groups.
- In the navigation panel, click User Management, then click Group Management.
- From the list of groups, click the appropriate group name, then click the Settings tab.
- On the Meetings tab, select the appropriate meeting.
- Under Security, verify that Allow use of end-to-end encryption is enabled.
- If the setting is disabled, click the toggle to enable it. If a verification dialog displays, click Turn On to verify the change.
Note: If the option is grayed out, it has been locked at the account level and must be changed at that level.
- (Optional) To make this setting mandatory for all users in the group, click the lock icon, click Lock, and then click OK to confirm the setting.
- Under Security, choose the Default encryption type.
- Click Save.
Note: Because of the limitations of E2EE, we recommend using Enhanced encryption as the default encryption type and using End-to-end encryption for meetings where additional protection is needed.
User
To enable End-to-End (E2EE) encrypted meetings for your own use:
- Sign in to the Zoom web portal with your account information.
- Once you are signed in, select the Settings link on the right side of the screen.
- Navigate to the Meetings tab on the left.
- In the Security section, verify that Allow use of end-to-end encryption is turned on.
- If the setting is disabled, click the toggle to enable it. If a verification dialog appears, click Turn On to verify the change.
Note: If the option is grayed out, it has been locked at either the group or account level. Contact your Zoom administrator for assistance.
- Under Security, choose the Default encryption type.
- Click Save.
Note: Because of the limitations of E2EE, we recommend using Enhanced encryption as the default encryption type and using End-to-end encryption for meetings in which additional protection is required.
What is end-to-end encryption and how can you make it work for your meetings?
The green shield icon should be visible in the upper left corner of the meeting window once you have joined the meeting.
The meeting host can also read the security code aloud to all participants, so that they can confirm that their clients display the same code.
Questions that are frequently asked by our customers
What are the ways in which Zoom provides end-to-end encryption?
Zoom's E2EE offering uses public key cryptography. The keys for each Zoom meeting are generated by the participants' machines, not by Zoom's servers. Because Zoom's servers never have access to the decryption key, the encrypted data relayed through those servers is indecipherable by Zoom. This key management strategy is the same as that employed by nearly all end-to-end encryption platforms today.
What are the situations in which I would use E2EE?
E2EE is the best choice when you want enhanced privacy and data protection for a meeting, since it adds an additional layer to mitigate risk and protect sensitive meeting content. Although E2EE provides additional security, the first-generation E2EE version has some limitations (more on that below). Zoom users should determine whether they need these capabilities, and can disable E2EE for their meetings if they do not.
Do E2EE meetings include all the features of my regular Zoom meetings?
Not at this time. Enabling this version of Zoom's E2EE in your meetings disables join before host, cloud recording, live streaming, live transcription, Breakout Rooms, polling, and 1:1 private chat*.
*Note:
As of version 5.5.0 for desktop, mobile, and Zoom Rooms, these features are supported in E2EE meetings.
Do free Zoom users have access to end-to-end encryption?
Yes. If E2EE meetings are enabled in your Zoom account settings, free and paid Zoom accounts can host or join an E2EE meeting directly from the Zoom desktop client or mobile app.
What is the difference between Zoom’s enhanced GCM encryption and this?
When Zoom applications, clients, and connectors communicate with each other, audio, video, and application sharing (e.g., screen sharing, whiteboarding) are encrypted in transit using 256-bit AES GCM. In a meeting without E2EE, audio and video content flowing between Zoom apps is not decrypted until it reaches the recipients' devices; however, Zoom's servers generate and manage the encryption keys. With E2EE enabled, only the participants, and not Zoom's servers, have access to the encryption keys used to encrypt the meeting.
How do I verify that my meeting is using end-to-end encryption?
Participants can confirm that their meeting is using E2EE by looking for the green shield logo with a padlock in the middle, in the upper left corner of the meeting window. The symbol is the same as the one used for 256-bit AES GCM encryption, except that the checkmark is replaced with a lock.
Participants can also view the meeting's security code, which they can use to confirm that the secure connection has been established. The host can read the code aloud, and all participants can check that their clients display the same code.
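The key handling described in the answers above (a meeting key created on a participant's device that the relaying server never holds, and a security code compared aloud) can be modelled in a few lines of Node.js. This is an added example, not Zoom's code or protocol: X25519, HKDF, the 8-digit code derivation and every function name are assumptions made for illustration, since the page names only public key cryptography and 256-bit AES GCM.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM, the cipher the page names for meeting content.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws on wrong key or tampering
}

// Assumption: X25519 + HKDF give two endpoints a shared key-wrapping key.
function wrapKey(myPrivate, theirPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'demo-wrap', 32));
}

// Assumption: the security code is 8 digits taken from a hash of the host public key.
function securityCode(hostPublic) {
  const der = hostPublic.export({ type: 'spki', format: 'der' });
  const n = crypto.createHash('sha256').update(der).digest().readUInt32BE(0);
  return String(n % 1e8).padStart(8, '0');
}

function demo() {
  const host = crypto.generateKeyPairSync('x25519');
  const guest = crypto.generateKeyPairSync('x25519');
  // The guest learns the host public key through the relay (PEM used as the wire form).
  const viaRelay = crypto.createPublicKey(host.publicKey.export({ type: 'spki', format: 'pem' }));
  const meetingKey = crypto.randomBytes(32); // created on the host device, not the server
  const wrapped = seal(wrapKey(host.privateKey, guest.publicKey), meetingKey);
  const frame = seal(meetingKey, Buffer.from('audio frame (constructed)'));
  // The relay forwards public keys, `wrapped` and `frame`; it holds no private key.
  const guestKey = open(wrapKey(guest.privateKey, viaRelay), wrapped);
  const heard = open(guestKey, frame).toString();
  let relayRead = true; // a relay guessing a key fails GCM authentication
  try { open(crypto.randomBytes(32), frame); } catch { relayRead = false; }
  // If the relay swaps in its own key for the host's, the guest's code differs.
  const swapped = crypto.generateKeyPairSync('x25519').publicKey;
  return { heard, relayRead, hostCode: securityCode(host.publicKey),
    guestCode: securityCode(viaRelay), guestCodeIfSwapped: securityCode(swapped) };
}
```

In the server-managed mode the page contrasts this with, `meetingKey` would be generated by the server instead, so the server could call `open` on every frame.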
What is the best way for account owners or admins to verify whether or not a meeting is encrypted from end to end?
In order to see if a specific meeting has end-to-end encryption, account administrators and owners can navigate to the Dashboard for meetings, find the meeting, and then view the Encryption column. The encryption details can be seen by hovering your mouse over the icon in the Encryption column.
What steps will you take to maintain the safety and security of the platform in the future?
Implementing E2EE allows Zoom to continue to increase the safety of our users, whose trust and safety is one of our top priorities. Free/Basic users who want E2EE will be required to complete a one-time registration process that asks for additional information, such as verifying a mobile phone number via text message. Many leading companies take similar steps to reduce abuse on their sites. We are confident that by implementing risk-based authentication, in combination with our current mix of tools (including our collaboration with human rights and children's safety organizations, and the ability for users to lock down a meeting, report abuse, and access a myriad of other safety features made available under our Security icon), we can continue to enhance the safety of our users.
When will the rest of the timeline for E2EE be completed?
As part of Phase 2, which is expected to roll out in 2021, we plan to upgrade our identity management components as well as integrate E2EE SSO.