Encryption Overview

Encryption is an optional, chargeable feature in inContact WFO.

inContact WFO supports file level encryption for most audio, screen recording, and data files. Files are encrypted on the recording server(s) as they are written to disk using AES-256-bit encryption. This provides full end-to-end protection, as files are never left on disk in an unencrypted format.

If encryption is enabled on an existing system, new files (that is, files recorded after the feature is enabled) are encrypted as they pass through the Transcoder. Existing recording files can be encrypted using a tool available to inContact WFO support personnel. Contact Support for more information.

Encryption keys are stored in the inContact WFO database. If the database becomes unavailable while CTI Core is running, encryption continues operating. However, CTI Core instances that utilize encryption cannot be started or restarted without a connection to the database. For security reasons, encryption keys cannot be stored locally to allow for this.

To disable encryption, consult inContact WFO Support. All audio and video files generated after encryption is disabled will not be encrypted. However, audio and video files generated while encryption was enabled can no longer be played unless encryption is re-enabled. Attempting to play such a recording results in an error.

Encryption Exceptions

Some files cannot be encrypted in inContact WFO. These include:

  • ShoreTel TAPI/WAV recordings — This recording method generates unencrypted .wav files. Since inContact WFO relies on a third-party library to generate these files, the application cannot encrypt them while they are writing. The Transcoder service can convert the files to an encrypted format if/when they are transcoded.
  • XML filesinContact WFO can generate XML files that contain call metadata. However, these files are not required. To turn off XML file generation, contact inContact WFO Support.

Encryption Key Management

Encryption is based on unique keys generated for each individual system, typically by the inContact WFO team. A copy of the key file can be provided by your inContact WFO deployment team, and should be stored in a secure, offline location.

Encryption keys are critically important. If a key is lost, any recordings encrypted with that key will be completely and irretrievably inaccessible.

The following recommendations are considered best practices for encryption key management:

  • Never delete keys from the database.
  • If you generate a new key, export it using the cc_crypt.exe utility. Keep the exported file in a secure location that is backed up regularly. This will help guard against possible loss of data.
  • Do not deactivate keys when there are active files using those keys. Wait until any files with that key are no longer needed and have been purged from your system.

Thales Encryption vs. Standard Key Management

inContact WFO can integrate with Thales Encryption Key Management for customers who already use this product. The Thales systems offers a similar degree of security and flexibility as the built-in functionality of inContact WFO. The main difference is the extra hardware, cost, and configuration required when integrating Thales into the inContact WFO environment. For more information, talk to your inContact WFO Sales Engineer.

Related Tasks