Recording encryption key overview

Genesys Cloud uses encryption keys that are unique to each organization. These encryption keys protect the following recordings from unauthorized access:

  • Call recordings
  • Digital recordings (email, chat, message)
  • Screen recordings
  • Transcript of a corresponding recording when transcription is enabled

Genesys Cloud supports the following encryption key management methods:

  • Genesys Cloud Managed Keys: Genesys Cloud generates and stores the public/private KEK key pairs used by the recording encryption process. This enables you to manage the KEKs that are in Genesys Cloud, but Genesys Cloud owns the keys. You do not need to maintain copies of the KEKs. The recordings are available to you in decrypted form for playback, download, or bulk export.
  • Local Key Manager (LKM): Your organization implements a service to generate public/private KEK key pairs and stores them.


When working with LKM, Genesys Cloud uses the same envelope encryption technique for recording encryption, with your public key as the KEK. To decrypt a recording, Genesys Cloud first sends the encrypted DEK to LKM for decryption; LKM returns the decrypted DEK, which Genesys Cloud then uses to decrypt the recording. The private KEK key never enters Genesys Cloud.

Important: For security purposes, you must safeguard your private keys. With LKM, you are responsible for the ownership of the KEKs, and you must not remove them from LKM before the corresponding recordings are deleted. Genesys has no mechanism to recover recordings if any of the KEKs (including those that are rotated out) are lost.

  • AWS KMS Symmetric: Your organization additionally encrypts the private keys of the Genesys Cloud Managed KEK pairs using symmetric keys that you provide via AWS Key Management Service (KMS). Similar to LKM, this option allows you to assert access control over recordings in Genesys Cloud. Genesys Cloud can decrypt recordings only as long as you grant access to the symmetric keys in AWS KMS.


When working with AWS KMS, Genesys Cloud uses the same envelope encryption technique for recording encryption. To decrypt a recording, AWS KMS first decrypts the private KEK key. Genesys Cloud then uses the decrypted private key to decrypt the DEK, and the DEK to decrypt the recording. Your symmetric AWS KMS key never enters Genesys Cloud.

Important: For security purposes, you must safeguard your symmetric keys in AWS KMS. You are responsible for the ownership of these symmetric keys, and you must not remove them before the corresponding recordings are deleted. Genesys has no mechanism to recover recordings if any of the symmetric keys (including those that are rotated out) are lost.

Genesys Cloud uses an envelope encryption technique for recording encryption. A recording is first encrypted using a symmetric Data Encryption Key (DEK), and the DEK is then encrypted using an asymmetric Key Encryption Key (KEK) pair. Both the encrypted recording and the encrypted DEK are packaged into a file and uploaded to a recording repository in Genesys Cloud.

  • For KEKs, Genesys Cloud creates RSA 3072-bit public/private key pairs. The public keys are published internally for encryption purposes. The private keys are used for decryption and never leave Encryption Services within Genesys Cloud. The public key and private key in a KEK key pair are mathematically linked.
  • For DEKs, Genesys Cloud generates an AES 256-bit symmetric key. A different DEK is generated per recording.
  • The DEKs are encrypted with the public keys of the KEK key pairs and can only be decrypted with the corresponding private keys.

Genesys Cloud Media Tier abides by the above encryption process when creating recordings, so that they are securely stored. This includes the Media Tier's intermediary storage before the encrypted files are uploaded to the recording repository. The Media Tier's intermediary storage is located within Genesys Cloud with Genesys Cloud Voice or BYOC Cloud, or on premises with BYOC Premises. The use of long and strong cryptographic keys provides an effective defense against brute-force attacks.

When recordings must be decrypted (for example, when responding to a user’s recording playback request), the following decryption process occurs after the file is retrieved from the recording repository:

  1. The encrypted DEK is decrypted using the corresponding private key associated with the KEK key pair.
  2. With the DEK, the encrypted recording is decrypted.
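The envelope encryption described above and the two-step decryption that follows it, as an added Go example that is not Genesys Cloud's own code. The page names only the algorithms and key sizes (RSA-3072 KEK pairs, one AES-256 DEK per recording), so the AES-GCM mode, the RSA-OAEP padding and the Envelope layout are assumptions made here for a complete, runnable illustration; UnwrapDEK is the single step that needs the private KEK, which is the step LKM or AWS KMS keeps on the customer side.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is the constructed stored package: AES-GCM nonce and ciphertext of the
// recording, plus the DEK wrapped (RSA-OAEP, an assumption) under the KEK public key.
type Envelope struct{ Nonce, Ciphertext, WrappedDEK []byte }

// newGCM builds the AES-256-GCM cipher for a DEK; it only fails on a bad key length.
func newGCM(dek []byte) cipher.AEAD {
	block, err := aes.NewCipher(dek)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// Encrypt draws a fresh 256-bit DEK for this one recording, encrypts the recording
// with it, and wraps the DEK with the KEK public key. No private key is involved.
func Encrypt(kekPub *rsa.PublicKey, recording []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	rand.Read(dek) // crypto/rand CSPRNG; a different DEK per recording
	gcm := newGCM(dek)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kekPub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{nonce, gcm.Seal(nil, nonce, recording, nil), wrapped}, nil
}

// UnwrapDEK is the only step that needs the KEK private key (decryption step 1);
// under LKM it runs in the customer's key manager, which hands back only the DEK.
func UnwrapDEK(kekPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, kekPriv, env.WrappedDEK, nil)
}

// Decrypt is step 2: recover the recording with the unwrapped DEK. GCM rejects tampered data.
func Decrypt(dek []byte, env *Envelope) ([]byte, error) {
	return newGCM(dek).Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Note that a KEK rotated in later cannot unwrap DEKs wrapped under the earlier KEK, which is why the page says rotated-out KEKs must be kept until their recordings are deleted.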

The same decryption process is followed when recordings are bulk exported. The exported recording files are no longer encrypted with the aforementioned encryption keys. However, they are secured in the export S3 bucket with server-side encryption (SSE) enabled as per your policy, either with Amazon S3 managed encryption keys (SSE-S3) or with Customer Master Keys (CMKs) stored in AWS Key Management Service (SSE-KMS). Additionally, you can specify PGP-compatible encryption so that the files are encrypted as they are exported.


Changing encryption keys regularly helps ensure the safety of your recorded interactions. It limits the number of recordings that can be decrypted with any one key.

Note: We recommend using scheduled key rotation with a short interval.

The encryption key management page can be accessed via Admin > Quality > Encryption Keys.
