Compare Webex End-to-End Encryption and Zero-Trust End-to-End Encryption

The Webex Suite offers two types of end-to-end encryption (E2EE):

• Webex End-to-End Encryption — Default security for user-generated content shared in standard meetings and Webex Messaging.

• Zero-Trust End-to-End Encryption — Enhanced security for media and user-generated content in Webex end-to-end encrypted meetings. This article focuses mainly on Zero-Trust End-to-End Encryption.

Both types of end-to-end encryption provide an extra layer of encryption that safeguards data from interception attacks, but they differ in the levels of confidentiality that they offer.

Webex End-to-End Encryption

Webex End-to-End Encryption uses the Webex Key Management System* (KMS) to generate and manage encryption keys. These Webex KMS keys are used to encrypt chat messages, files, whiteboards and annotations created by Webex apps and Cisco video devices. Originally used with Webex Messaging, Webex End-to-End Encryption is now also used to encrypt user-generated content in standard Webex Meetings on the Webex Suite meeting platform. With Webex End-to-End Encryption:

• Data is encrypted in transit and at rest.

• Webex apps and Cisco devices encrypt all user-generated content, such as messages, files, annotations, and whiteboards, before transmitting them over encrypted TLS.

• This encrypted content is stored on encrypted content servers in the Webex cloud.

This additional layer of security protects user data in transit from TLS interception attacks, and stored user data from potential bad actors in the Webex cloud.

* By default, our cloud-based KMS generates and distributes encryption keys. You also have an option with Webex Hybrid Data Security (HDS) to manage your own, on-premises version of the key management system.

The Webex cloud can access and use KMS encryption keys, but only to decrypt data as required for core services, such as:

• Message indexing for search functions
• Data loss prevention
• File transcoding
• eDiscovery
• Data archival

For more information on Webex KMS-based End-to-End Encryption, see Webex Messaging Security Technical Paper.

Zero-Trust End-to-End Encryption

Webex uses Zero-Trust End-to-End Encryption to offer higher levels of security and confidentiality for media and user-generated content (chat, files, whiteboards, and annotations) in Webex End-to-End Encrypted meetings.

Zero-Trust End-to-End Encryption uses the Messaging Layer Security (MLS) protocol to exchange information so that participants in a Webex Meeting can create a common meeting encryption key.

The meeting encryption key is only accessible to the participants in the meeting. The Webex service can't access the meeting key—hence "Zero-Trust."

Scope of Zero-Trust security for Webex Meetings

Zero-Trust end-to-end encrypted Webex meetings support the following:

• Standards-based protocols (MLS, SFrame) with formally verified cryptography.

• Webex desktop apps for Windows, MacOS, and Linux.
• Webex mobile apps for iOS and Android.

• Cisco video devices (Room Series, Desk Series, and Webex Board).

• End-to-end encryption (E2EE) in Personal Room meetings.

• End-to-end encryption (E2EE) for scheduled meetings.

• A security icon which lets all meeting participants know at a glance that their meeting is secure, and when end-to-end encryption is enabled for the meeting.

• Verbal verification of meeting attendees using a new Security Verification Code.

• Up to 1000 participants.

• Local recording.

• In-meeting chat, file transfer, whiteboarding, and annotation.

• Remote Desktop Control.

• Video and Audio Watermarking.

• In Webex App, you can join the meeting using your computer audio only (PSTN-based Call me/Call is not supported).

Zero-Trust security does not support the following in meetings:

• Older Webex devices, such as the SX, DX, and MX Series.

• Web browser-based Webex App (web.webex.com).

• Saving meeting chat, files, whiteboards, and annotations.

• Saving session data, transcripts, and meeting notes to the cloud.

• Features provided by Cisco cloud services that require access to decrypted media, including:

  • Network-Based Recording (NBR)

  • Transcoding media

  • In-meeting Webex AI Assistant

    • Automated closed captioning

    • Transcription, etc.

  • Calls to and from the Public Switched Telephone Network (PSTN)

  • Calls to and from SIP devices

Compare the features available in standard scheduled Webex Meetings and Zero-Trust End-to-End Encrypted Webex Meetings.

End-to-End Encryption for Webex Calling

Webex Calling currently encrypts calls using Secure Real-time Transport Protocol (SRTP) for media. With the introduction of Webex Calling E2EE, the Webex platform extends its robust end-to-end encryption capabilities, ensuring that only the participants in a communication can decrypt its content, not even the service provider. This enhancement is particularly relevant for markets with high security demands. E2EE, which is implemented in a strict manner (requiring all participants and services to be E2EE capable from the start), Webex Calling E2EE operates opportunistically. This means:

• Opportunistic Engagement—calls begin with SRTP media and automatically upgrade to E2EE when both devices or clients support it and no conditions prevent E2EE.

• Dynamic Downgrade—if conditions change during a call (e.g., a feature is invoked that requires media processing by the Webex service), the call can temporarily downgrade to SRTP.

• User Notification—the Webex App notifies users of transitions between SRTP and E2EE states, ensuring transparency.

• Future Strict Mode—a strict E2EE mode may be added in the future for organizations that require calls to start and remain E2EE without opportunistic downgrades.

Scope of End-to-End Encryption for Webex Calling

Webex Calling E2EE is designed to provide enhanced security for specific call scenarios and features.

Supported scenarios

• One-on-one intra-organization calls—E2EE is supported for direct calls between two users within the same organization.

• Webex Apps—E2EE is supported exclusively when both participants are using Webex desktop or mobile applications.

Features that support E2EE, with opportunistic downgrade or upgrade as needed

• E2EE Capable Devices/Clients—calls can become E2EE if both participants devices/clients are E2EE capable.

• Call Forward (pre-answer)—the call is SRTP pre-answer but can upgrade to E2EE upon answer if applicable.

• Hold/Resume without Music On Hold (MOH)—ff MOH is not in use, E2EE can be maintained.

• Transfer (pre-answer)—the call downgrades to SRTP during transfer and can upgrade to E2EE if possible once new parties are connected.

Due to its opportunistic nature and the integration with various call features, Webex Calling E2EE is not supported or will cause a downgrade to SRTP under the following conditions:

Unsupported call types

• One-on-one PSTN (Public Switched Telephone Network) calls, including inter-organization calls.

• One-on-one On-premise trunk (hybrid) calls.

Features requiring media service intervention

E2EE is not supported when any feature requires media processing by a Webex service. This includes:

• Automated Services—Auto Attendant, Call Queue (though the call may become E2EE after connecting to an agent), Voice Portal (e.g., for Voicemail deposit or retrieval).

• Music On Hold (MOH)—when MOH is in use during a call hold.

• Conference Mixers—any feature that utilizes a conference mixer, such as:

  • 3-Way Call / N-Way Call

    If a 3-Way Call/N-Way Call is SIP initiated, the call remains anchored to a conference mixer even if it becomes a 2-way call.

  • Barge-in and Silent Monitoring
  • Supervisor Coaching
  • Call Recording
  • Call Bridging
  • Push To Talk
  • Sending DTMF via API request

Specific Call States

• Parked Calls—E2EE is not supported while a call is parked. It can re-engage upon park retrieval if the retrieving party is E2EE capable.

• Call Queue or CX Essentials Calls—E2EE is not allowed to prevent agents or other parties from being aware if a supervisor initiates monitoring or coaching. This applies to calls distributed to agents and calls agents make using a call queue's caller ID.

• Pre-answer early media—E2EE is not supported for media played before a call is answered (for example, Call forwarding).

Privacy and Identity

E2EE is not supported when the remote party's real identity is blocked or hidden:

• Remote party's identity blocked by privacy settings.

• Remote party's identity hidden by policies like Connected Line Identity Privacy for Redirected Calls or Calling Line Identity Privacy for Redirected Calls.

• Remote party's identity hidden because the call is connected to an assistant through an executive (for example, a calls executive, executive filters to assistant, executive's identity).

Unsupported Devices or Lines

• Devices or clients that do not support E2EE.

• Shared or virtual lines (only primary lines support E2EE as the device only has a certificate for the device owner).

Enable end-to-end encryption for Webex Calling

E2EE for Webex Calling is is disabled by default. Enable E2EE for Webex Calling to protect user communications across the organization.

1. Sign in to Control Hub.
2. Go to Services > Calling > Client Settings > Settings.
3. In the Security, turn on Enable end-end encryption when making calls.

   This setting allows users and workspaces in your organization to make and receive end-to-end encrypted calls.

4. Click Save.

Administrators can override E2EE settings for individual users by disabling E2EE for specific users in the organization. Go to Management > Users > General > and > General template applied.