End-to-end encryption for Webex Meetings and Webex Calling
Compare Webex End-to-End Encryption and Zero-Trust End-to-End Encryption
The Webex Suite offers two types of end-to-end encryption (E2EE):
- Webex End-to-End Encryption — Default security for user-generated content shared in standard meetings and Webex Messaging.
- Zero-Trust End-to-End Encryption — Enhanced security for media and user-generated content in Webex end-to-end encrypted meetings. This article focuses mainly on Zero-Trust End-to-End Encryption.
Both types of end-to-end encryption provide an extra layer of encryption that safeguards data from interception attacks, but they differ in the levels of confidentiality that they offer.
Webex End-to-End Encryption
Webex End-to-End Encryption uses the Webex Key Management System* (KMS) to generate and manage encryption keys. These Webex KMS keys are used to encrypt chat messages, files, whiteboards and annotations created by Webex apps and Cisco video devices. Originally used with Webex Messaging, Webex End-to-End Encryption is now also used to encrypt user-generated content in standard Webex Meetings on the Webex Suite meeting platform. With Webex End-to-End Encryption:
- Data is encrypted in transit and at rest.
- Webex apps and Cisco devices encrypt all user-generated content, such as messages, files, annotations, and whiteboards, before transmitting them over encrypted TLS.
- This encrypted content is stored on encrypted content servers in the Webex cloud.
This additional layer of security protects user data in transit from TLS interception attacks, and stored user data from potential bad actors in the Webex cloud.
* By default, our cloud-based KMS generates and distributes encryption keys. You also have an option with Webex Hybrid Data Security (HDS) to manage your own, on-premises version of the key management system.
The Webex cloud can access and use KMS encryption keys, but only to decrypt data as required for core services such as:
- Message indexing for search functions
- Data loss prevention
- File transcoding
- eDiscovery
- Data archival
For more information on Webex KMS-based End-to-End Encryption, see Webex Messaging Security Technical Paper.
Zero-Trust End-to-End Encryption
Webex uses Zero-Trust End-to-End Encryption to offer higher levels of security and confidentiality for media and user-generated content (chat, files, whiteboards, and annotations) in Webex End-to-End Encrypted meetings.
Zero-Trust End-to-End Encryption uses the Messaging Layer Security (MLS) protocol to exchange information so that participants in a Webex Meeting can create a common meeting encryption key.
The meeting encryption key is only accessible to the participants in the meeting. The Webex service can't access the meeting key—hence "Zero-Trust."
Scope of Zero-Trust security for Webex Meetings
Zero-Trust end-to-end encrypted Webex meetings support the following:
- Standards-based protocols (MLS, SFrame) with formally verified cryptography.
- Webex desktop apps for Windows, MacOS, and Linux.
- Webex mobile apps for iOS and Android.
- Cisco video devices (Room Series, Desk Series, and Webex Board).
- End-to-end encryption (E2EE) in Personal Room meetings.
- End-to-end encryption (E2EE) for scheduled meetings.
- A security icon which lets all meeting participants know at a glance that their meeting is secure, and when end-to-end encryption is enabled for the meeting.
- Verbal verification of meeting attendees using a new Security Verification Code.
- Up to 1000 participants.
- Local recording.
- In-meeting chat, file transfer, whiteboarding, and annotation.
- Remote Desktop Control.
- In Webex App, you can join the meeting using your computer audio only (PSTN-based Call me/Call is not supported).
Zero-Trust security does not support the following in meetings:
- Older Webex devices, such as the SX, DX, and MX Series.
- Web browser-based Webex App (web.webex.com).
- Saving meeting chat, files, whiteboards, and annotations.
- Saving session data, transcripts, and meeting notes to the cloud.
- Features provided by Cisco cloud services that require access to decrypted media, including:
  - Network-Based Recording (NBR)
  - Transcoding media
  - In-meeting Webex AI Assistant
  - Automated closed captioning
  - Transcription, etc.
- Calls to and from the Public Switched Telephone Network (PSTN)
- Calls to and from SIP devices
End-to-End Encryption for Webex Calling
Webex Calling currently encrypts calls using Secure Real-time Transport Protocol (SRTP) for media. With the introduction of Webex Calling E2EE, the Webex platform extends its robust end-to-end encryption capabilities, ensuring that only the participants in a communication can decrypt its content; not even the service provider can. This enhancement is particularly relevant for markets with high security demands. Unlike E2EE that is implemented in a strict manner (requiring all participants and services to be E2EE capable from the start), Webex Calling E2EE operates opportunistically. This means:
- Opportunistic Engagement—calls begin with SRTP media and automatically upgrade to E2EE when both devices or clients support it and no conditions prevent E2EE.
- Dynamic Downgrade—if conditions change during a call (e.g., a feature is invoked that requires media processing by the Webex service), the call can temporarily downgrade to SRTP.
- User Notification—the Webex App notifies users of transitions between SRTP and E2EE states, ensuring transparency.
- Future Strict Mode—a strict E2EE mode may be added in the future for organizations that require calls to start and remain E2EE without opportunistic downgrades.
Scope of End-to-End Encryption for Webex Calling
Webex Calling E2EE is designed to provide enhanced security for specific call scenarios and features.
Supported scenarios
- One-on-one intra-organization calls—E2EE is supported for direct calls between two users within the same organization.
- Webex Apps—E2EE is supported exclusively when both participants are using Webex desktop or mobile applications.
Features that support E2EE, with opportunistic downgrade or upgrade as needed
- E2EE Capable Devices/Clients—calls can become E2EE if both participants' devices/clients are E2EE capable.
- Call Forward (pre-answer)—the call is SRTP pre-answer but can upgrade to E2EE upon answer if applicable.
- Hold/Resume without Music On Hold (MOH)—if MOH is not in use, E2EE can be maintained.
- Transfer (pre-answer)—the call downgrades to SRTP during transfer and can upgrade to E2EE if possible once new parties are connected.
Due to its opportunistic nature and the integration with various call features, Webex Calling E2EE is not supported or will cause a downgrade to SRTP under the following conditions:
Unsupported call types
- One-on-one PSTN (Public Switched Telephone Network) calls, including inter-organization calls.
- One-on-one On-premise trunk (hybrid) calls.
Features requiring media service intervention
E2EE is not supported when any feature requires media processing by a Webex service. This includes:
- Automated Services—Auto Attendant, Call Queue (though the call may become E2EE after connecting to an agent), Voice Portal (e.g., for Voicemail deposit or retrieval).
- Music On Hold (MOH)—when MOH is in use during a call hold.
- Conference Mixers—any feature that utilizes a conference mixer, such as:
- 3-Way Call / N-Way Call
If a 3-Way Call/N-Way Call is SIP initiated, the call remains anchored to a conference mixer even if it becomes a 2-way call.
- Barge-in or Silent Monitoring
- Supervisor Coaching
- Call Recording
- Call Bridging
- Push To Talk
- Sending DTMF via API request
Specific Call States
- Parked Calls—E2EE is not supported while a call is parked. It can re-engage upon park retrieval if the retrieving party is E2EE capable.
- Call Queue or CX Essentials Calls—E2EE is not allowed, so that agents or other parties do not become aware when a supervisor initiates monitoring or coaching. This applies to calls distributed to agents and calls agents make using a call queue's caller ID.
- Pre-answer early media—E2EE is not supported for media played before a call is answered (for example, Call forwarding).
Privacy and Identity
E2EE is not supported when the remote party's real identity is blocked or hidden:
- Remote party's identity blocked by privacy settings.
- Remote party's identity hidden by policies like Connected Line Identity Privacy for Redirected Calls or Calling Line Identity Privacy for Redirected Calls.
- Remote party's identity hidden because the call is connected to an assistant through an executive (for example, a calls executive, executive filters to assistant, executive's identity).
Unsupported Devices or Lines
- Devices or clients that do not support E2EE.
- Shared or virtual lines (only primary lines support E2EE as the device only has a certificate for the device owner).
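The upgrade and downgrade rules in this section can be read as a small state evaluator: a call is E2EE only while no blocking condition is active. The following Python model is an added example, not Webex code; the event names, the Call fields, and the treatment of every condition as a simple on/off blocker are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Call:
    """Conditions fixed for the call; defaults describe the supported scenario."""
    both_e2ee_capable: bool = True  # both devices/clients support E2EE
    intra_org: bool = True          # one-on-one call within one organization
    primary_lines: bool = True      # no shared or virtual line involved
    identity_visible: bool = True   # remote identity not blocked or hidden
    call_queue: bool = False        # Call Queue or CX Essentials call

# Hypothetical event names -> (blocker, whether the event sets or clears it).
EVENTS = {
    "answer": ("pre-answer media", False),
    "hold_no_moh": ("music on hold", False),
    "hold_with_moh": ("music on hold", True),
    "resume": ("music on hold", False),
    "park": ("parked", True),
    "park_retrieve": ("parked", False),
    "three_way_sip": ("conference mixer", True),
    "party_leaves_3way": ("conference mixer", True),  # still anchored to mixer
}

def static_blockers(call):
    checks = [(call.both_e2ee_capable, "endpoint not E2EE capable"),
              (call.intra_org, "PSTN, trunk or inter-organization call"),
              (call.primary_lines, "shared or virtual line"),
              (call.identity_visible, "remote identity hidden"),
              (not call.call_queue, "call queue call")]
    return [reason for ok, reason in checks if not ok]

def timeline(call, events):
    """Return (event, state, blockers) per event; state is 'SRTP' or 'E2EE'."""
    fixed = static_blockers(call)
    active = {"pre-answer media"}  # every call begins with SRTP media
    rows = []
    for event in events:
        blocker, is_set = EVENTS[event]
        (active.add if is_set else active.discard)(blocker)
        blockers = fixed + sorted(active)
        rows.append((event, "SRTP" if blockers else "E2EE", blockers))
    return rows

def transitions(rows):
    """State changes, i.e. the points where the app would notify the user."""
    states = ["SRTP"] + [state for _, state, _ in rows]
    return [(rows[i][0], states[i], states[i + 1])
            for i in range(len(rows)) if states[i] != states[i + 1]]
```

Calling timeline(Call(), [...]) with a sequence of events returns the encryption state after each one, together with the conditions holding the call at SRTP.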
Enable end-to-end encryption for Webex Calling
E2EE for Webex Calling is disabled by default. Enable E2EE for Webex Calling to protect user communications across the organization.
- Sign in to Control Hub.
- Go to .
- In Security, turn on the toggle Enable end-end encryption when making calls.
This setting allows users and workspaces in your organization to make and receive end-to-end encrypted calls.
- Click Save.
Administrators can override E2EE settings for individual users by disabling E2EE for specific users in the organization. Go to .
This section is for customers with Full-Featured Meetings.
To join an E2EE meeting from your Webex Board, Room, or Desk device, tap Join Webex and enter the meeting number that is listed in the Webex Meetings invite. Then, tap Join to join the meeting.
In the meeting, you can check whether the meeting is end-to-end encrypted by looking at the shield icon in the header.
- The meeting is end-to-end encrypted.
- The connection between your Webex desktop app and the Webex server is secure, but the meeting is not end-to-end encrypted.
A security code is provided to allow participants to verify that their connection is secure.
Tap the icon to see the security code and other security information for the meeting. The security code changes each time a participant enters the meeting.
All the meeting participants should see the same security code. If one person sees a different security code, their connection is not secure.

In the participants list, you can see information about the authentication status of each participant: verified or unverified.

- Participant's identity has been verified externally by a Webex Partner Certificate Authority (CA). This requires configuring an external certificate on your personal device.
- Participant's identity has been verified internally by Webex CA.
- Participant's identity is unverified.
More detailed information about the certificate provider is available by tapping a participant’s name and selecting Show Certificate.

End-to-end encryption for Webex Calling
The client user experience for Webex Calling E2EE aligns with and builds upon the E2EE user experience implemented for Locus calling. When a Webex Calling call is End-to-End Encrypted, the Webex App (desktop and mobile) will display clear visual indicators. Users will also receive distinct visual and audio alerts for transitions between SRTP and E2EE during a call.

The architecture is designed with robust security measures:
- Data Confidentiality—The Calling Roster service, a critical component, does not store Personally Identifiable Information (PII), and its data is maintained within the organization's regional boundaries.
- Secure Communications—All inter-service links are properly encrypted (HTTPS) with peer authentication.
- API Security—All APIs are secured using Cisco Identity (CI) token authentication, requiring specific machine account scopes for authorization.
The system is engineered for scalability, designed to support a significant volume of E2EE calls. For example, in the US region, the system is provisioned to account for up to 5000 E2EE calls per hour (approximately 1.39 calls per second) with an average call duration of 4 minutes, ensuring ample room for future Webex Calling growth. Key services like Media Encryption (MES), Data Channel, and the new Calling Roster service are built to handle this scale.