We understand that Genesys supports 3 options to encrypt recordings. We have a few queries about LKM and AWS KMS.
Local Key Manager (LKM): In relation to key management option 2 (using a KEK keypair managed in an HSM or KMS managed by the customer):
Genesys has chosen to make this option available only if the customer implements a proprietary API to support key management and decryption. For the customer, implementation of the API has been cited as a barrier to using this option.
Could we ask why Genesys did not choose a widely supported standard protocol already defined for this purpose, PKCS#11, instead of implementing a proprietary API to support key management and decryption?
AWS KMS Symmetric: This option, including the use of AWS KMS, gives Genesys access to the longer-lived KEK private key. With this option the customer loses the ability to provide access to individual recordings. The customer is instead required to provide access to the KEK private key, which permits access to a large number of recordings. This is not consistent with the principle of least privilege.
Do we know where Genesys stands on both of the above queries?
#Security

Shishir Srivastava
Genesys Technical Design Architect
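The least-privilege point in the post rests on envelope encryption: each recording is sealed under its own data key (DEK), and every DEK is wrapped under the one long-lived KEK, so releasing a single unwrapped DEK grants one recording while holding the KEK private key grants all of them. The Go program below is an added illustration, not code from the post or from Genesys; it assumes an RSA keypair as the KEK (the "KEK keypair" of option 2), AES-256-GCM for the audio, and constructed sample audio bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Recording under envelope encryption: audio sealed with its own data key
// (DEK); the DEK wrapped under the long-lived key-encryption key (KEK).
type Recording struct{ WrappedDEK, Nonce, Ciphertext []byte }

// Encrypt makes a fresh AES-256 DEK for this recording and wraps it with
// RSA-OAEP under the KEK public key, so only the KEK holder can unwrap it.
func Encrypt(kekPub *rsa.PublicKey, audio []byte) (Recording, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Recording{}, err
	}
	block, _ := aes.NewCipher(dek) // cannot fail: key length is 32 bytes
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Recording{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kekPub, dek, nil)
	if err != nil {
		return Recording{}, err
	}
	return Recording{wrapped, nonce, gcm.Seal(nil, nonce, audio, nil)}, nil
}

// UnwrapDEK is the only step that needs the KEK private key: a customer HSM
// can do it one recording at a time; whoever holds the key unwraps every DEK.
func UnwrapDEK(kekPriv *rsa.PrivateKey, r Recording) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, kekPriv, r.WrappedDEK, nil)
}

// DecryptWithDEK needs only that one recording's DEK, never the KEK.
func DecryptWithDEK(dek []byte, r Recording) ([]byte, error) {
	block, err := aes.NewCipher(dek) // rejects a DEK of the wrong length
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
}
```

Granting access to one recording means releasing the output of UnwrapDEK for that recording alone; granting the KEK private key (as the AWS KMS option requires) lets the holder run UnwrapDEK over every stored recording.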