As part of our commitment to end-to-end security, Webex holds a main key on behalf of each organization. We call it a main key because it doesn't encrypt content directly, but it's used to encrypt your organization's other keys which encrypt the content. The base level of the key hierarchy is called the content key (CK) and the intermediate levels of the keys are called key encryption keys (KEK).

We recognize that some organizations prefer to manage their own security, so we are giving you the option to manage your own customer main key (CMK). This means that you take responsibility for creating and rotating (re-encrypting) the main key that Webex uses to encrypt your content encryption keys.

Going forward, a key refers to the CMK unless otherwise specified.

How it works

Webex keeps your CMK in a hardware security module (HSM) so that the Webex services do not have access to the CMK value.

Control Hub shows your currently active or revoked CMK and any pending CMK that is stored in the HSM. When you need to rotate (re-encrypt) the CMK, you generate your new CMK and encrypt it with the HSM's public key, so that only the HSM can decrypt and store it.

You then upload and activate the new CMK in Control Hub. Webex immediately starts using the new CMK for encrypting your content keys. Webex keeps the old CMK, but only until it's sure that your content encryption keys are secured by the new CMK.

Note: We don’t retroactively re-encrypt all the existing content. Once you activate your CMK, all new content (Spaces and Meetings) is re-encrypted and protected.

Key lifecycle

Key state definitions

Pending

A key in this state is stored in the HSM but it's not yet used for encryption. Webex doesn't use this CMK for encryption.

Note: Only one key can be in this state.

Active

Webex is currently using this CMK to encrypt other keys for your organization.

Note: Only one key can be in this state.

Rotation

Webex is temporarily using this CMK. Webex needs it to decrypt your data and keys that were previously encrypted by this key. This key is retired when rotation (re-encrypting) is complete.

Note: Multiple keys can be in this state if a new key is activated before rotation is complete.

Retired

Webex isn't using this CMK. This key is no longer used for encryption. A key time-to-live is set, after which this key is removed from the HSM.

Revoked

Webex isn't using this CMK. Even if there are data and keys that were encrypted with this key, Webex can't use it to decrypt them.

Note:
  • You only need to revoke an active key if you suspect it's compromised. This is a serious decision because it prevents many operations from behaving properly. For example, you won't be able to create new spaces, and you won't be able to decrypt any content in Webex Client.
  • Only one key can be in this state. You must reactivate this key before you can rotate to (re-encrypt with) a new key.
  • You can delete this CMK, but you don’t have to. You may want to keep it for decryption and re-encryption after you resolve the suspected security breach.

Deleted

Webex isn't using this CMK. The behavior in this state is the same as in the Revoked state, except that a key time-to-live is set, after which this key is removed from the HSM.

Note:
  • If a deleted CMK progresses to the Removed state, you must recover the original key to restore functionality to the organization.
  • We recommend that you keep a backup copy of your original key; otherwise your organization will no longer be functional.

Removed

This is a logical state. Webex doesn't have this CMK stored in the HSM. It's not displayed in Control Hub.

Ownership

When you take ownership of your CMK, you must:

  • Take responsibility for secure creation and backup of your keys
  • Understand the implications of losing your keys
  • Re-encrypt your active CMK at least once per year as a best practice

Key creation

You must create your own CMK using these parameters. Your key must be:

  • 256 bits (32 bytes) long
  • Encrypted with the RSA-OAEP scheme
  • Encrypted with the Webex cloud HSM public key

Your key generation software must be capable of:

  • SHA-256 hash function
  • MGF1 mask generation function
  • PKCS#1 OAEP padding

Refer to Example: Create and encrypt keys with OpenSSL in the Resources tab in this article.

Authorization

You must have access to your Webex organization in Control Hub. You must be a full administrator to manage your CMK.

Create and activate your customer main key

1. Sign in to Control Hub.

2. Go to Organization Settings > Key Management.

   To enable BYOK, toggle Bring Your Own Key (BYOK) on. If you disable BYOK, the Webex common default key becomes the main key for your organization.

3. Click Download public key.

   Save the Webex HSM public key in a .pem file on your local system.

4. Create a cryptographically secure 256-bit (32 byte) random key using your key management software.

5. Use the Webex HSM public key to encrypt your new key.

   The required encryption parameters are:

     • RSA-OAEP scheme
     • SHA-256 hash function
     • MGF1 mask generation function
     • PKCS#1 OAEP padding

   Refer to Example: Create and encrypt keys with OpenSSL in the Resources tab in this article.

6. Drag the encrypted key from your file system and drop it in the upload area of the Control Hub interface, or click Choose a file.

7. Click Next.

   Webex uploads your key to the HSM, where it is decrypted and validated. Control Hub then shows you the ID of your new CMK and the ID of the currently active CMK, if any.

   If this is your first CMK, the currently active key is the Webex common default key (the one we currently use for encrypting your organization's keys).

8. Choose how you want to activate your key:

     • Activate new key: The new CMK immediately goes into the Active state. The previously active CMK goes into the Rotation (Re-encrypting) state until all your content is protected by the new CMK, after which Webex deletes the previously active CMK.
     • Activate later: The new CMK moves into the Pending state. Webex keeps this CMK in the HSM but doesn’t use it yet. Webex continues using the currently active CMK for encrypting your organization's keys.

What to do next

Note: We don’t retroactively re-encrypt all the existing content. Once you activate your CMK, all new content (Spaces and Meetings) will be re-encrypted and protected.
Rotate your customer main key

1. Sign in to Control Hub.

2. Go to Organization Settings > Key Management.

3. Select the currently active CMK.

4. Click Rotate.

   Control Hub shows you the upload new key window.

5. Create and encrypt a new key (if you haven't yet done that).

   The process is described in Create and activate your customer main key in this article.

6. Drag the new key from your file system and drop it into the Upload area of Control Hub.

7. Click Activate new key.

   The new key that you uploaded goes into the Active state.

   The old CMK stays in the Rotation (Re-encrypting) state until Webex finishes re-encrypting all its content with the new active CMK. After re-encryption, the key moves into the Retired state. Webex then deletes the old CMK.

Revoke your customer main key

1. Sign in to Control Hub.

2. Go to Organization Settings > Key Management.

3. Select the currently active key.

4. Click Revoke.

   Control Hub shows you the revoke key confirmation window.

   Once you confirm the key revocation, it can take up to 10 minutes to fully revoke your key.
Reactivate a revoked customer main key

1. Sign in to Control Hub.

2. Go to Organization Settings > Key Management.

3. Select the currently revoked key.

4. Click Activate.

   Control Hub shows you the Activate your revoked key window.

5. Click Activate.

   The previously revoked key goes into the Active state.
Delete a revoked customer main key

1. Sign in to Control Hub.

2. Go to Organization Settings > Key Management.

3. Select the revoked key.

4. Click Delete.

   Control Hub shows you the delete key window. Confirm the key deletion.

   Once deleted, you have the option to undelete the key within 30 days.
Undelete a deleted customer main key

1. Sign in to Control Hub.

2. Go to Organization Settings > Key Management.

3. Select the deleted key.

4. Click Undelete.

   Control Hub shows you the undelete key window. Confirm the key undeletion.

   Once undeleted, Control Hub shows the key in the Revoked state, which is the state it was in before it was deleted. For example, if you delete a revoked key and then undelete it, Control Hub shows the undeleted key in the Revoked state.

Example: Create and encrypt keys with OpenSSL

This example uses version 3.0 of the OpenSSL command line tools. See OpenSSL for more about these tools.

1. Sign in to Control Hub.

2. Go to Organization Settings > Key Management.

3. Click Download public key.

   You get the Webex HSM public key in a .pem file on your local system.

4. Create a 256-bit (32 byte) key:

   openssl rand -out main_key.bin 32

   The example uses the filename main_key.bin for your unencrypted new key. Note that openssl rand takes its options before the byte count.

5. Use the Webex HSM public key to encrypt your new key:

   openssl pkeyutl -encrypt -pubin -inkey path/to/public.pem -in main_key.bin -out main_key_encrypted.bin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

   The example uses the filename main_key_encrypted.bin for the encrypted output key, and the filename path/to/public.pem for the Webex public key.

   The encrypted key is ready for you to upload to Control Hub.
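The following script ties together the key creation parameters from the Key creation section and the OpenSSL steps above. It is an added example written for this article, not code from Webex or the Webex documentation, and it assumes the OpenSSL 3.0 command line tools are installed. Because you never hold the HSM's private key, the script generates a throwaway RSA key pair of its own to stand in for the Webex HSM key; in real use you replace that stand-in public.pem with the file downloaded from Control Hub and skip the unwrap step, which only the HSM can perform. It creates the 32-byte main key, wraps it with RSA-OAEP using SHA-256 for both the OAEP digest and MGF1 (spelled out explicitly, since some tooling defaults MGF1 to SHA-1), checks the sizes you would want to confirm before uploading, and then unwraps with the stand-in private key to prove the parameters round-trip. All file names and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Webex article. Exercises the CMK creation and
# wrapping steps against a locally generated RSA key pair that STANDS IN for
# the Webex HSM key. All file and function names here are this example's own.
set -eu

# Constructed stand-in for the Webex HSM key pair. In real use you only ever
# hold public.pem (downloaded from Control Hub); the private half lives in the HSM.
make_stand_in_hsm_keypair() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/hsm_private.pem" 2>/dev/null
    openssl pkey -in "$dir/hsm_private.pem" -pubout -out "$dir/public.pem"
}

# Step 4: a 256-bit (32 byte) key from OpenSSL's CSPRNG. The byte count comes
# last: openssl rand takes its options before the positional argument.
create_main_key() {
    openssl rand -out "$1" 32
}

# Step 5: RSA-OAEP with SHA-256 as both the OAEP digest and the MGF1 digest.
# OpenSSL defaults the MGF1 digest to the OAEP digest; stating it explicitly
# avoids surprises with other tooling that defaults MGF1 to SHA-1.
wrap_main_key() {
    pub=$1 key=$2 out=$3
    openssl pkeyutl -encrypt -pubin -inkey "$pub" -in "$key" -out "$out" \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256
}

# Modulus size of an RSA public key in bytes, parsed from the "Public-Key: (N bit)"
# line of openssl's text dump, so the size check works for any HSM key size.
rsa_modulus_bytes() {
    bits=$(openssl pkey -pubin -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    echo $((bits / 8))
}

# Pre-upload sanity checks: the raw key must be exactly 32 bytes, and an OAEP
# ciphertext is always exactly one RSA block, so a wrong-size blob means the
# wrong input file or the wrong padding mode was used.
check_wrapped_key() {
    pub=$1 key=$2 wrapped=$3
    raw_len=$(wc -c < "$key" | tr -d ' ')
    wrapped_len=$(wc -c < "$wrapped" | tr -d ' ')
    expected=$(rsa_modulus_bytes "$pub")
    [ "$raw_len" -eq 32 ] || { echo "main key is $raw_len bytes, expected 32" >&2; return 1; }
    [ "$wrapped_len" -eq "$expected" ] || {
        echo "wrapped key is $wrapped_len bytes, expected $expected" >&2; return 1; }
}

# What the HSM does on upload. Only possible here because we hold the stand-in
# private key; the decrypt options must mirror the encrypt options exactly.
unwrap_main_key() {
    priv=$1 wrapped=$2 out=$3
    openssl pkeyutl -decrypt -inkey "$priv" -in "$wrapped" -out "$out" \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256
}

# End to end: create, wrap, check, unwrap, compare. Prints "roundtrip-ok" on success.
demo() {
    dir=$(mktemp -d)
    make_stand_in_hsm_keypair "$dir"
    create_main_key "$dir/main_key.bin"
    wrap_main_key "$dir/public.pem" "$dir/main_key.bin" "$dir/main_key_encrypted.bin"
    check_wrapped_key "$dir/public.pem" "$dir/main_key.bin" "$dir/main_key_encrypted.bin"
    unwrap_main_key "$dir/hsm_private.pem" "$dir/main_key_encrypted.bin" "$dir/recovered.bin"
    if cmp -s "$dir/main_key.bin" "$dir/recovered.bin"; then
        result=roundtrip-ok
    else
        result=roundtrip-failed
    fi
    rm -rf "$dir"
    echo "$result"
    [ "$result" = roundtrip-ok ]
}

demo
```

Run it with sh. The size check is the part worth keeping in your own tooling: a main_key.bin that is not 32 bytes, or a main_key_encrypted.bin that is not exactly one RSA block of the downloaded public key, is the cheapest signal that the wrong file or the wrong padding mode was used before you upload anything to Control Hub.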