AWS Wickr

A service providing secure messaging, calling, and file sharing with end-to-end encryption, featuring automatic message expiration and compliance data retention

Overview

AWS Wickr is an end-to-end encrypted communication service that provides secure messaging, voice and video calling, and file sharing for enterprise use. Messages are encrypted on the sender's device and can only be decrypted by intended recipients, with AWS having no ability to access message content. Configurable message expiration automatically deletes messages after a set time, while compliance features enable designated data retention for regulatory requirements.

End-to-End Encryption and Message Lifecycle

Wickr implements end-to-end encryption using a multi-layered protocol where each message is encrypted with a unique key. The encryption occurs on the sender's device before transmission, and decryption happens only on recipient devices. AWS infrastructure transports encrypted ciphertext without the ability to decrypt content. Each message has a configurable expiration timer (burn-on-read or timed expiration) after which it is cryptographically deleted from all devices. The key management system uses ephemeral keys that are regularly rotated, providing forward secrecy - compromising a current key does not expose past messages. File attachments are encrypted with the same end-to-end model, with large files chunked and individually encrypted. Message delivery confirmation and read receipts are available while maintaining the encryption guarantees.

Administrator Controls and Compliance Data Retention

Enterprise administrators configure organization-wide policies including minimum message expiration times, allowed file types and sizes, external communication permissions, and device management requirements. The compliance data retention feature enables designating a compliance bot that receives copies of messages for regulatory archival. This bot stores encrypted message copies in an organization-controlled S3 bucket, satisfying requirements like SEC 17a-4, HIPAA, and FINRA record-keeping rules. Administrators can enforce device-level controls such as requiring screen lock, prohibiting screenshots, and mandating app-level PIN protection. User provisioning integrates with existing identity providers through SAML/OIDC, enabling automated onboarding and offboarding aligned with HR processes. Audit logs track administrative actions and policy changes without exposing message content.

Bot Integration and Operational Automation

Wickr bots enable integrating automated workflows into secure communication channels. Bots can receive messages, process commands, and respond with information from external systems while maintaining end-to-end encryption for human-to-human messages. Common bot use cases include security alert forwarding (receiving CloudWatch alarms in Wickr channels), approval workflows (requesting and granting access through secure messages), and information retrieval (querying internal systems through chat commands). Bots are built using the Wickr Bot SDK and run as containerized applications, deployable on ECS or Lambda. Integration with Step Functions enables complex multi-step workflows triggered by Wickr messages. For incident response, dedicated Wickr rooms with relevant team members and automated bots provide a secure communication channel that persists only for the duration of the incident.

ShareXB!