QMS Encryption Settings

Call Encryption

When regulations require call recordings to be encrypted, QMS provides this functionality, together with key management capabilities, to make compliance as straightforward as possible. When call encryption is enabled, all recordings are encrypted with the AES-256 algorithm.

When designing a call recording system that requires encryption, there are a few important points to keep in mind.

  • Keys are protected by Microsoft DPAPI so that they are never stored in cleartext. Because DPAPI binds the protected key to the Windows account that protected it, the QMS services must run under a domain service account rather than the default Local System account. This account is not set by the installer and must be configured manually after the software is installed.
  • All key operations require two QMS administrators to be present (dual control). This includes enabling encryption in QMS, backing up keys (each administrator backs up half of the key onto a small USB device), and performing a re-key operation.
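The following PowerShell script is an added example and is not QMS code; it shows why the service account matters when keys are protected with DPAPI. Data protected under one account's DPAPI master key can only be unprotected by that same account with its profile available, which is why the account has to be fixed before encryption is enabled and why a roaming profile is needed for Data Service HA. The CurrentUser scope, the entropy string, the sample key and the service display names used for the final check are assumptions, not details taken from the product.

```powershell
# Added example, not part of QMS: DPAPI protect/unprotect under the calling account.
# Assumptions: CurrentUser scope (the scope QMS uses is not stated on this page) and an
# application-specific entropy string; the key below is a constructed sample, not a QMS key.
Add-Type -AssemblyName System.Security

$scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$entropy = [System.Text.Encoding]::UTF8.GetBytes('example-entropy')   # assumed extra secret

# Constructed stand-in for a 256-bit AES recording key.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)

# Protect the key with the current account's DPAPI master key and store only the blob.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($key, $entropy, $scope)
$path = Join-Path $env:TEMP 'recording-key.dpapi'
[System.IO.File]::WriteAllBytes($path, $blob)
"Protected blob written under $env:USERDOMAIN\$env:USERNAME ($($blob.Length) bytes; the key itself is not on disk)"

# Recover it. This succeeds only for the same account with its profile (master keys)
# available; any other account, or this account after a profile reset, gets a
# CryptographicException instead of the key.
try {
    $stored    = [System.IO.File]::ReadAllBytes($path)
    $recovered = [System.Security.Cryptography.ProtectedData]::Unprotect($stored, $entropy, $scope)
    if (($recovered -join ',') -eq ($key -join ',')) { 'Key recovered: same account, same profile' }
}
catch [System.Security.Cryptography.CryptographicException] {
    "Unprotect failed: $($_.Exception.Message)"
}
finally {
    Remove-Item $path -ErrorAction SilentlyContinue
}

# Confirm which account the QMS services run under before enabling encryption.
# The display names are assumed from this page; check them with Get-Service.
Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -in 'Call Recording Service', 'Data Service' } |
    Select-Object DisplayName, StartName, State
```

Run it once as the intended service account (for example via a scheduled task or `runas`) and once as another user against the same blob to see the failure path; the StartName column of the final query is what should show the domain service account before Enable Encryption is ever set.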

When recordings are played back in QMS, all media transferred across the network is always encrypted, regardless of whether call encryption has been enabled.

To conform to the PCI Data Security Standard (PCI DSS) regarding credit card numbers, the Quality Management Client can encrypt recording files. These files cannot be exported or played directly from disk, but they can be played through the Quality Management Client UI. PCI DSS requires split knowledge and dual control for key management: two people are each given a fragment of the encryption key, so that no individual can decrypt the data alone.

During the creation of an encryption key that meets PCI DSS, Quality Management requires two people with Administrator access to provide their Quality Management user names and passwords at the same time.

The dual-component password is required to meet PCI DSS; it is not a technical requirement of the encryption itself.

To maintain security, it is highly recommended that the encryption keys are changed yearly. Fifteen days before the current key reaches one year old, the Quality Management Client sends a reminder to the address configured in the Notifications section of this page, asking the administrator to change the key. If the current key is left in place for more than a year, recordings continue to be encrypted with that key.

Apart from setting Quality Management to encrypt recordings, you can also configure it to:

  • Not encrypt new recordings
  • Re-encrypt encrypted recordings using a new key
  • Decrypt encrypted recordings

You have to configure a custom service account before you enable recording encryption.

Users with the Change System Settings permission in their Security Profile can edit the encryption settings.

To edit the encryption settings, click the navigation icon and then click the General link in the Administration sub-menu. The General tab displays. To set encryption, complete the following steps:

  1. In the Encryption section of the General tab, click the button. The Encryption dialog displays.
  2. The first administrator enters their credentials, then the second administrator enters theirs.
  3. As required, set:
    1. Enable Encryption - to create a new key and use it to encrypt new recordings and existing unencrypted recordings.
    2. Revoke Existing Keys - to decrypt existing encrypted recordings and then apply the Enable Encryption setting.
      1. Select the Revoke Existing Keys check box to re-encrypt existing encrypted recordings using the new key.
      2. If the check box is not selected, existing encrypted recordings are left encrypted with their original keys; no new key is generated for them and no re-encryption takes place.
  4. Click OK.

      If you set Enable Encryption, a new key is generated and applied.

      For security, the Quality Management Suite Client splits the key data into two halves, and you are prompted to save a backup of each half.

  5. In response to the prompt, click OK to save the first half.
  6. In response to the prompt, click OK to save the second half.
  7. Restart the Call Recording Service and the Data Service so that QMS encrypts the existing recording files.

Any changes you make to the encryption settings are applied by a background task, which may take an appreciable time if many recordings require processing. If the Call Recording Service is not running, recording processing is delayed until it starts.

Changing the Account Used by QMS (Optional)

When Quality Management Suite is installed, its services (Call Recording Service and Data Service) are configured to run under the Local System account, which has full permissions on the host. For better security the services should instead run under their own service account, granted only the permissions they require. Your organization's security requirements dictate which account runs the Quality Management services.

You must configure custom service accounts for the Call Recording Service and the Data Service before you enable recording encryption. To change the service accounts, complete the following steps:

For each of the Call Recording Service and the Data Service:

  1. From Windows Start, select Administrative Tools.
  2. Double-click Services. The Services window displays.
  3. In the Services window, double-click the service (Call Recording Service or Data Service) to display its properties.
  4. On the Log On tab, select This account.
  5. Enter the name and password of the account the service should run as.
  6. Click OK.
  7. Restart the service. The new account takes effect only when the service next starts, and the service must already be running under it before encryption is enabled.
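The same change, scripted for both services so that it can be repeated on every QMS host before encryption is enabled. This is an added example and not part of QMS; the service display names are assumed to be the ones used on this page, and the account name is a placeholder.

```powershell
# Added example, not part of QMS. Moves both QMS services to a dedicated domain
# account; run it before enabling encryption so the key is created under that account.
# Assumptions: the service display names are as named on this page; the account name
# is a placeholder.
$account  = 'CORP\svc-qms'   # assumed account name; must already hold "Log on as a service"
$secure   = Read-Host -AsSecureString "Password for $account"
# Win32_Service.Change needs the password in clear text; it lives only in this variable.
$password = [System.Net.NetworkCredential]::new('', $secure).Password

foreach ($displayName in 'Call Recording Service', 'Data Service') {
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName = '$displayName'"
    if (-not $svc) { throw "Service '$displayName' not found; check the display name with Get-Service" }

    # Unlike the Services console, this call does not grant SeServiceLogonRight
    # (Log on as a service); grant it through Local Security Policy or GPO first,
    # otherwise the service will fail to start under the new account.
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
            -Arguments @{ StartName = $account; StartPassword = $password }
    if ($r.ReturnValue -ne 0) { throw "Change failed for '$displayName' (Win32_Service return code $($r.ReturnValue))" }

    # The new identity applies only on the next start; restart now so the service
    # is not still running as Local System when encryption is enabled.
    Restart-Service -Name $svc.Name -Force
}

$password = $null
# Verify: StartName should show the domain account for both services.
Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -in 'Call Recording Service', 'Data Service' } |
    Select-Object DisplayName, StartName, State, StartMode
```

Run it from an elevated PowerShell session. The Change method is used rather than sc.exe so that a non-zero return code stops the script instead of leaving one service on the old account, which would otherwise put the Data Service and Call Recording Service under different identities when the key is created.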

Important Notes

  • If a remote SQL Server with Windows authentication hosts the QMS database, the Data Service domain account (the custom service account) must be granted the required SQL Server permissions on that database.
  • If you are using Data Service HA, the domain user account for the Data Service must have a roaming profile so that the same profile information, including its DPAPI master keys, is available to both Data Services.

See Also:

General Settings

Using the Key Management Tool

Upgrading with Encryption