Use an AWS KMS symmetric key for encryption and decryption

Feature coming soon

  • Conversation > Encryption key > Edit permission
  • ConversationEncryption key > View permission

Symmetric keys managed in AWS KMS can be configured to encrypt and decrypt customer secured conversation data. Genesys Cloud generates data keys from your symmetric key in KMS. Customer secured conversation data is encrypted with these data keys. To decrypt conversation data, Genesys Cloud makes a request to KMS to decrypt the relevant data key. After the request is authorized, the data is decrypted.

  1. Create a customer managed key in your AWS account.
  2. Edit the key policy to grant access to Genesys Cloud (account ID 765628985471), so that Genesys Cloud can access your KMS keys.
  3. Edit the key policy to include a condition that only allows requests initiated from your Genesys Cloud organizations.

The following is an example of the key policy.

     “Sid”: “Allow use of the key”,
     “Effect”: “Allow”,
     “Principal”: {
         “AWS”: [
     “Action”: [
     “Resource”: “*”,
     “Condition”: {
        “StringEquals”: {
            “kms:EncryptionContext:genesys-cloud-organization-id”: [“orgId1”, “orgId2”, …]

  1. Click Admin > Quality > Encryption Keys.
  2. Select the Conversations tab and click Edit
  3. From the Key Configuration Type drop down list, select AWS KMS Symmetric.
  4. Enter the alias ARN associated with your KMS key in the ARN of the AWS KMS key alias for generating Customer Secured Data key text box.
    The key alias ARN can be found in the AWS KMS console. It should look like “arn:aws:kms:{region}:{accountId}:alias/{your-alias}”.
  5. Click the Test button to validate your configuration without saving it. The test will generate a data key pair from your specified KMS key, encrypt test data, decrypt it, and then assert that test data came out the same as it started. This helps to ensure that the configuration is safe to use.
  6. Click Save to save your configuration. 

Click the image to enlarge.

Ecryption key configuration

  • To stop encrypting sensitive conversation data, select None from the Key Configuration Type dropdown list and click Save.
    This action removes your encryption key configuration for conversations.
  • When you rotate to a new key, it takes up to 2 hours for the new key to take effect in Genesys Cloud.
  • Save the old key for at least 31 days, so that existing customer secured conversation data can continue to be decrypted.