KMS On-Premises
Webex Teams and Webex devices establish TLS connections to the Webex cloud. These encrypted connections carry all communication to Webex cloud services and to on-premises services such as the Hybrid Data Security (HDS) service. Because traffic to HDS therefore transits the Webex cloud, an additional encrypted connection is established end to end between Webex Teams and the on-premises HDS service so that this communication remains confidential. This inner connection uses ECDHE for key negotiation and AES-256-GCM for authenticated encryption of data. Figure 6-51 shows the Webex Teams connections to the Webex cloud and to HDS.

Figure 6-51 Webex Teams – Webex cloud and HDS connections
Key management services in HDS nodes automatically federate with the KMS services of other organizations when Webex Teams users from two or more organizations participate in a Webex Teams space. This KMS-to-KMS connection is established by using mutual TLS between the HDS nodes in each organization. Figure 6-52 shows KMS federation between two organizations using Webex Teams and HDS.

Figure 6-52 KMS federation between two organizations using Webex Teams and HDS
The Key Management Server (KMS) does not itself encrypt content; it creates and distributes the encryption keys that Webex Teams uses for end-to-end encryption of content (messages and files). The KMS does not create or distribute encryption keys for Webex Teams media streams; those keys are generated by the Webex Teams apps, devices, and media servers participating in a call or conference.
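The following Go program is an added illustration of the two primitives named above (ECDHE key agreement and AES-256-GCM) and of the KMS's role as a key distributor; it is not Cisco's code and does not reproduce the real Webex Teams/HDS wire protocol. An app and an HDS KMS each generate an ephemeral P-256 key pair, exchange only public keys across a relay (standing in for the Webex cloud), derive the same AES-256 key, and the KMS then delivers a space content key inside that channel. The salt and label strings, the `kms-response:...` AAD labels and the sample content key are all constructed for the example. It also shows the check a practitioner wants: a relay that flips a ciphertext byte, or re-labels a key response for a different space, is rejected by the GCM tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Party is one end of the app<->HDS channel: an ephemeral P-256 key pair and, after Derive, an AES-256-GCM AEAD.
type Party struct {
	priv *ecdh.PrivateKey
	aead cipher.AEAD
}

func NewParty() *Party {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return &Party{priv: priv}
}

// PublicBytes is the only key material that crosses the cloud relay.
func (p *Party) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// Derive finishes ECDHE, then derives the AES-256 key with an HMAC-SHA256 extract/expand step (HKDF shape; labels are hypothetical).
func (p *Party) Derive(peerPub []byte) error {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	secret, err := p.priv.ECDH(pub)
	if err != nil {
		return err
	}
	extract := hmac.New(sha256.New, []byte("hds-e2e-salt"))
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("kms-session-key\x01"))
	block, err := aes.NewCipher(expand.Sum(nil)) // 32-byte key selects AES-256
	if err == nil {
		p.aead, err = cipher.NewGCM(block)
	}
	return err
}

// Seal encrypts with AES-256-GCM; aad (a request/space label) is sent in the
// clear but covered by the tag. Output layout: nonce || ciphertext || tag.
func (p *Party) Seal(plaintext, aad []byte) ([]byte, error) {
	if p.aead == nil {
		return nil, errors.New("key exchange not completed")
	}
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, p.aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// Open fails closed on any edit to the ciphertext, the tag or the aad.
func (p *Party) Open(msg, aad []byte) ([]byte, error) {
	if p.aead == nil || len(msg) < p.aead.NonceSize()+p.aead.Overhead() {
		return nil, errors.New("no session key or message too short")
	}
	n := p.aead.NonceSize()
	return p.aead.Open(nil, msg[:n], msg[n:], aad)
}

// Demo: app and KMS agree a session key while the relay sees only public keys and
// ciphertext; the KMS sends a content key inside it; edited or re-labelled responses fail.
func Demo() (keyMatches, tamperDetected, aadMismatchDetected bool, err error) {
	app, kms := NewParty(), NewParty()
	if err = app.Derive(kms.PublicBytes()); err != nil {
		return
	}
	if err = kms.Derive(app.PublicBytes()); err != nil {
		return
	}
	contentKey := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte sample
	aad := []byte("kms-response:space-1234")
	resp, err := kms.Seal(contentKey, aad)
	if err != nil {
		return
	}
	got, e := app.Open(resp, aad)
	keyMatches = e == nil && string(got) == string(contentKey)
	forged := append([]byte(nil), resp...)
	forged[len(forged)-1] ^= 0x01 // relay flips one tag byte
	_, e = app.Open(forged, aad)
	tamperDetected = e != nil
	_, e = app.Open(resp, []byte("kms-response:space-9999")) // relay re-labels
	aadMismatchDetected = e != nil
	return
}
```

The relay never holds a private key, so it cannot compute the shared secret; binding the space or request identifier into the AAD is what stops a relay from replaying a valid key response under a different space's label, which a bare confidentiality channel would not catch.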
All encryption keys used by Webex Teams are securely stored. Encryption keys for messages and content shared in Webex Teams spaces and the details of these spaces are held in a database and encrypted before being stored. The space details include the space name, space owner or moderator, and participants.
For Webex Teams organizations using the Webex cloud KMS service, their encryption keys and space details are securely stored on Cisco-dedicated database servers. For Webex Teams organizations using the Webex Teams HDS service, their encryption keys and space details are securely stored on the organization's premises on customer-owned database servers (for example, Microsoft SQL Server or PostgreSQL).
Access to KMS/HDS-related data is tenanted (partitioned per organization) through a combination of the following:
• Access tokens that identify the user, the organization that they belong to, and the scope of Webex Teams services that they are authorized to access
• Data structures for Webex Teams spaces, meetings, and so on that define their authorized participants
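The Go program below is an added example, not Cisco's code, of how those two inputs (token claims and a space's participant list) combine into a key-fetch authorization decision; the field names, the `spark:kms` and `spark:messages_read` scope names, the organization and user identifiers and the federation model are all simplified assumptions for illustration. It denies in a fixed order (missing scope, wrong key-holding tenant, unfederated organization, non-participant) and returns the reason so a refused request can be logged.

```go
package main

// Token is the subset of an access token's claims that the check reads: the
// user, the organization they belong to and the service scopes they hold.
type Token struct {
	UserID string
	OrgID  string
	Scopes map[string]bool
}

// Space is the data structure that defines a space's authorized participants
// and which organization's KMS holds its keys.
type Space struct {
	ID           string
	OwnerOrgID   string
	Participants map[string]bool
}

// KMS models one organization's key service plus the organizations whose KMS
// has federated with it (the KMS-to-KMS mutual-TLS link described in the text).
type KMS struct {
	OrgID     string
	Federated map[string]bool
}

// Decision carries the reason for a refusal so denials can be logged with a cause.
type Decision struct {
	Allowed bool
	Reason  string
}

// kmsScope is a hypothetical scope name standing in for whatever scope
// authorizes key-management calls.
const kmsScope = "spark:kms"

// AuthorizeKeyFetch decides whether the holder of tok may fetch the content key
// of sp from this KMS. Checks run cheapest-first and every failure is explicit.
func (k KMS) AuthorizeKeyFetch(tok Token, sp Space) Decision {
	switch {
	case !tok.Scopes[kmsScope]:
		return Decision{false, "token lacks the key-management scope"}
	case sp.OwnerOrgID != k.OrgID:
		return Decision{false, "space keys are held by another organization's KMS"}
	case tok.OrgID != k.OrgID && !k.Federated[tok.OrgID]:
		return Decision{false, "token organization is neither this tenant nor federated with it"}
	case !sp.Participants[tok.UserID]:
		return Decision{false, "user is not a participant of the space"}
	}
	return Decision{true, "ok"}
}

// Scenarios runs the check over constructed sample requests against one space
// whose keys live in org-A's HDS, with org-B federated to org-A and org-C not.
func Scenarios() map[string]Decision {
	kms := KMS{OrgID: "org-A", Federated: map[string]bool{"org-B": true}}
	space := Space{ID: "space-1", OwnerOrgID: "org-A",
		Participants: map[string]bool{"alice@A": true, "bob@B": true}}
	full := map[string]bool{kmsScope: true, "spark:messages_read": true}
	noKMS := map[string]bool{"spark:messages_read": true} // hypothetical non-KMS scope
	return map[string]Decision{
		"owner-org participant":       kms.AuthorizeKeyFetch(Token{"alice@A", "org-A", full}, space),
		"federated-org participant":   kms.AuthorizeKeyFetch(Token{"bob@B", "org-B", full}, space),
		"same org, not a participant": kms.AuthorizeKeyFetch(Token{"carol@A", "org-A", full}, space),
		"unfederated org":             kms.AuthorizeKeyFetch(Token{"dave@C", "org-C", full}, space),
		"participant without scope":   kms.AuthorizeKeyFetch(Token{"alice@A", "org-A", noKMS}, space),
	}
}
```

The point of the ordering is that a token from an organization with no federation relationship is refused before the participant list is consulted at all, so cross-tenant requests never learn whether a user ID appears in another organization's space.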
The encryption keys for Webex Teams spaces and content (messages and files) are securely stored and also cached by the Webex Teams app, so content whose keys have already been fetched remains readable if the KMS is unreachable (particularly relevant for an on-premises HDS deployment).
For Webex Teams for iOS and Android, resetting user access in the Cisco Webex Control Hub deletes the cached content. Resetting user access also revokes the user’s OAuth access token across all Webex Teams apps, requiring users to sign in again. For Webex Teams for Web, cached content is deleted when the user signs out or closes the browser or the browser tab.
As for file storage security during transcoding, files are never stored by the document transcoding application; it processes the document (converting it to a PNG image) and deletes the original once transcoding is complete. Native document and file transcoding in the Webex cloud was introduced in 2019. File and document transcoding in the Webex cloud removes the requirement to use third-party transcoding services and improves transcoding performance.
For information about the encryption and security capabilities of Webex Teams, see: https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cloudCollaboration/spark/whitepapers/cisco-wbxt-firewall-traversal-whitepaper.pdf
For details of encryption and key management features and services supported today, see https://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/webex-room-series/datasheet-c78-740770.html.