Advanced Encryption allows your company to encrypt your Service Data using your own enterprise key management system (KMS), ensuring data stored in Zendesk can’t be read in plain text by an external party and is decrypted just in time to enable the Zendesk Services.
See Setting up Advanced Encryption (EAP) to learn more about setting up Advanced Encryption and the EAP program.
This article covers the following topics:
- How Advanced Encryption works
- Advanced Encryption and standard encryption
- Advanced Encryption limitations
- Frequently asked questions
How Advanced Encryption works
Customers set up their own Key Management System (KMS) outside of Zendesk; the master key (the key-encryption key) never leaves it. Advanced Encryption relies on envelope encryption. When a chunk of data is written, Zendesk generates a fresh Data Encryption Key (DEK) for that chunk, encrypts the chunk with it, and asks the customer's KMS to encrypt (wrap) the DEK with the master key. Zendesk then discards the plaintext DEK and stores only the wrapped copy alongside the ciphertext.
Whenever Zendesk needs to access the encrypted data, it asks the KMS to decrypt (unwrap) the DEK with the master key, so every decryption is a request the KMS can log. Data is encrypted as soon as it enters Zendesk, before our applications process it, and it stays encrypted until there is a use case that requires decryption. Because the stored DEKs are only usable through the master key, the master key's availability in the KMS is what keeps the data readable.
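As an added illustration of the write and read paths described above (example code written for this article, not Zendesk's implementation): a simulated customer KMS holds the master keys and wraps or unwraps the per-chunk DEKs, while the service side keeps only the ciphertext, the wrapped DEK and the id of the key that wrapped it. The KMS type, the key ids and the envelope layout are assumptions for the example; AES-256-GCM is used for both layers. The end of main also shows the behaviour the key rotation answer in the FAQ warns about: adding a second key leaves old envelopes tied to the key that wrapped them, and deleting that key makes them unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randBytes returns n cryptographically random bytes (keys and nonces).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: stop rather than continue with a weak key
	}
	return b
}

// gcm returns AES-256-GCM for a 32-byte key; any other length is a programming error.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail: AES has a 16-byte block
	return g
}

// seal encrypts plaintext and returns nonce||ciphertext||tag.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or any modified byte fails the tag check.
func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("truncated ciphertext")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// KMS stands in for the customer-operated key management system: the KEKs (the
// "master keys") never leave it, and Log records every wrap/unwrap request,
// which is what the real KMS audit log would show.
type KMS struct {
	Keys map[string][]byte // key id -> KEK
	Log  []string
}

func NewKMS() *KMS { return &KMS{Keys: map[string][]byte{}} }

// AddKey registers a new KEK; existing envelopes keep the key id they were wrapped under.
func (k *KMS) AddKey(id string) { k.Keys[id] = randBytes(32) }

// RevokeKey deletes a KEK; every DEK wrapped under it is now unrecoverable.
func (k *KMS) RevokeKey(id string) { delete(k.Keys, id) }

func (k *KMS) Wrap(id string, dek []byte) ([]byte, error) {
	k.Log = append(k.Log, "wrap "+id)
	if kek, ok := k.Keys[id]; ok {
		return seal(kek, dek), nil
	}
	return nil, errors.New("kms: unknown or revoked key " + id)
}

func (k *KMS) Unwrap(id string, wrapped []byte) ([]byte, error) {
	k.Log = append(k.Log, "unwrap "+id)
	if kek, ok := k.Keys[id]; ok {
		return open(kek, wrapped)
	}
	return nil, errors.New("kms: unknown or revoked key " + id)
}

// Envelope is what the service persists; it holds no plaintext key.
type Envelope struct {
	KeyID                  string // which KEK wrapped the DEK
	WrappedDEK, Ciphertext []byte
}

// Encrypt is the write path: fresh DEK per chunk, local encryption, one KMS
// wrap call, then the plaintext DEK is zeroed so only the wrapped copy remains.
func Encrypt(kms *KMS, keyID string, plaintext []byte) (*Envelope, error) {
	dek := randBytes(32)
	ct := seal(dek, plaintext)
	wrapped, err := kms.Wrap(keyID, dek)
	for i := range dek {
		dek[i] = 0
	}
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt is the read path: each access is a KMS unwrap call (so it shows in
// the KMS log) and fails outright once the referenced KEK has been revoked.
func Decrypt(kms *KMS, env *Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.KeyID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}

func main() {
	kms := NewKMS()
	kms.AddKey("key-v1")
	env, _ := Encrypt(kms, "key-v1", []byte("constructed sample ticket body"))
	pt, _ := Decrypt(kms, env)
	kms.AddKey("key-v2")    // new data would use key-v2; env still names key-v1
	kms.RevokeKey("key-v1") // so the old envelope can no longer be opened
	_, err := Decrypt(kms, env)
	fmt.Printf("decrypted: %s\nafter revoke: %v\nkms log: %v\n", pt, err, kms.Log)
}
```

Two things to notice when running it: the stored envelope never contains a usable key, so a copy of the database alone yields ciphertext, and every read appears in the KMS log as an unwrap request for a specific key id, which is the signal the FAQ points to for confirming the feature is active.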
Advanced Encryption and standard encryption
Advanced Encryption complements the encryption used by all Zendesk accounts.
State | Advanced Encryption | Standard Encryption
--- | --- | ---
In transit | Data is encrypted with customer-managed keys as early as possible, at the HTTP proxy layer or an equivalent entry point. | All communications with the Zendesk UI and APIs are encrypted with industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks, so all traffic between you and Zendesk is protected in transit. For email, the product uses opportunistic Transport Layer Security (TLS) by default: where the peer mail server supports it, TLS encrypts the message in transit and mitigates eavesdropping between mail servers; where it does not, delivery falls back to an unencrypted connection. Exceptions may include in-product SMS functionality and any third-party app, integration, or service that subscribers choose to use at their own discretion.
At rest | Data in the database remains encrypted: if a third party or a foreign government obtained access to a running database, the data would be returned as ciphertext. | Service Data is encrypted at rest in AWS using AES-256 encryption.
In use | Data remains encrypted while in use and is decrypted only when a use case requires it. Decryption actions are logged and auditable when an external SIEM integration is used. |
Advanced Encryption limitations
For this EAP release, there are some known disclosures and service degradations to be aware of:
- Any functionality outside of the EAP scope, including but not limited to Messaging, Explore, Chat, Sell, Integrations and Mobile, might be broken or show encrypted data in the UI/reports/API responses.
- Key rotation is not supported in this EAP.
- Side conversations and Ticket sharing are not supported in the EAP.
- Encrypted accounts will become ineligible for account region moves.
- Premium sandboxes created after enabling Advanced Encryption will show encrypted copied data.
Within the EAP scope, the following are the known service degradations:
Search-related degradation:
- Snippet highlighting, wildcard search, phrase search, and non-space delimited languages (e.g. Chinese & Japanese) won’t work
- Search match and ranking might be different
- Count and export functionality won’t work
Views-related degradation:
- Support Views sorting by user name (Requester and Assignee) will be disabled for accounts with encryption enabled.
- Support Views grouped by user name (Requester and Assignee) will display user names out of order.
- View CSV export will display placeholders instead of the user names.
Imports degradation:
- Users imported using the bulk importer will not be encrypted
Gather degradation:
- @mentions are disabled for this EAP
Advanced Encryption EAP participants can post questions or comments on the Advanced Encryption Early Access Program (EAP) community page.
Frequently asked questions
- Can I enable Advanced Encryption in my production account?
Yes. You can enable this EAP for production or sandbox accounts. We recommend trying it out on a sandbox first.
- Do I need to pay anything to participate in this EAP?
No, participation in this EAP is free of charge. When Advanced Encryption leaves the EAP it will be part of the Advanced Data Privacy and Protection (ADPP) add-on, which you will need to purchase. You will not be enrolled in ADPP automatically.
- Will my old data be encrypted with my encryption keys?
Yes. Backfill encryption of existing data is supported in this release.
- Can I use an EU-based KMS to manage my encryption keys?
Yes. Zendesk Advanced Encryption supports an out-of-the-box integration with Thales CipherTrust Manager, a Key Management System (KMS) based in Europe and managed and hosted by European companies.
- How do I know whether Advanced Encryption has been enabled in my account?
You will start seeing encryption/decryption requests in your KMS logs.
- Is key rotation/revocation supported in this EAP?
No, key rotation and revocation are not supported in this EAP; these features will be launched in a later release. If you rotate or revoke keys in this release, you might lose your encrypted data permanently, because the data keys wrapped under the old key can no longer be decrypted.
You can add a new key, which will be used to encrypt newly created data. The old key(s) will continue to be used to encrypt and decrypt the old data.
- Who do I contact if I need help during the EAP or have feedback?
Post your feedback or questions in the Community topic created for this EAP. Alternatively, log a ticket with Zendesk and we'll get back to you as soon as possible.