
Data encryption

Data encryption ensures that only authorized users in a channel can read what is sent in it, so that eavesdroppers cannot access sensitive or private information shared in the channel. Not every use case requires data encryption, but Signaling provides built-in encryption that protects the confidentiality of data during transmission.

This page shows you how to integrate built-in data encryption into your app using Signaling.

Understand the tech

The following figure shows the call flow for the data encryption:

Encrypt data

All users in a channel must use the same encryption configuration when they initialize the Signaling engine, and must enable encryption before joining the channel. A client without the correct configuration cannot decrypt channel content. Best practice is for your authentication system to generate a new key and salt regularly.

Signaling secures your application in the following ways:

  • Transport layer encryption: TLS protects data in transit between your app and Agora SD-RTN™.
  • Message encryption: each message is protected end-to-end with AES-256-GCM.
  • Token authorization: time-based access control.

To ensure secure communication, every client in the channel uses the same encryption key and salt to encrypt and decrypt data. You use the key and salt to create an encryption configuration. The Signaling SDK encrypts each message with this configuration before it leaves the sender's device and sends it through Agora SD-RTN™ to the remote users. When a remote app receives the encrypted message, it decrypts it using the same key and salt.

If your app must be highly secure, or must meet compliance standards such as HIPAA or SOC 2 Type 2, use message-level encryption. For the strongest protection, combine TLS transport encryption with end-to-end AES encryption.

Prerequisites

To follow this page, you must have:

  • Installed the latest version of OpenSSL

Implement Agora data stream encryption

To implement data encryption, do the following:

Set encryption configuration

  1. Add a method to convert a hex string to a character string. Each pair of hex digits becomes one character, so the 64-hex-character key printed by `openssl rand -hex 32` becomes a 32-character key string:

    ```kotlin
    // Convert a hex-encoded key (two hex digits per byte) into a String with
    // one character per byte, which is the form RtmEncryptionConfig takes the key in.
    private fun toAscii(hexString: String): String {
        require(hexString.length % 2 == 0) { "Hex key must have an even number of digits" }
        val output = StringBuilder()
        var i = 0
        while (i < hexString.length) {
            val str = hexString.substring(i, i + 2)
            val char = str.toInt(16).toChar() // throws NumberFormatException on non-hex input
            output.append(char)
            i += 2
        }
        return output.toString()
    }
    ```

  2. Add a method to decode the Base64 salt string into a ByteArray. This uses java.util.Base64, which is available on Android API level 26 and above:

    ```kotlin
    import java.util.Base64

    private fun toByteArray(base64String: String): ByteArray {
        // Decode the Base64 salt; decode() throws IllegalArgumentException on malformed input
        return Base64.getDecoder().decode(base64String)
    }
    ```

  3. Create the encryption configuration object. The encryptionMode, encryptionKey and encryptionSalt values come from config.json (see Test data encryption below); the key arrives as a hex string and the salt as a Base64 string, so both are converted first:

    ```kotlin
    val encryptionConfig = RtmEncryptionConfig(
        encryptionMode,             // encryption mode, from encryptionMode in config.json
        toAscii(encryptionKey),     // 32-byte key, supplied as a hex string (cipherKey)
        toByteArray(encryptionSalt) // 32-byte salt, supplied as Base64 (salt)
    )
    ```

Apply the configuration to the Signaling Engine


Pass the encryption configuration to RtmConfig.Builder when you create the engine. Every client in the channel must build its engine with the same mode, key and salt:

```kotlin
try {
    val rtmConfig = RtmConfig.Builder(appId, uid.toString())
        .presenceTimeout(config!!.optString("presenceTimeout").toInt())
        .useStringUserId(false)
        .eventListener(eventListener)
        .proxyConfig(proxyConfig) // Set proxy configuration
        .encryptionConfig(encryptionConfig) // Apply the mode, key and salt from the previous step
        .build()
    signalingEngine = RtmClient.create(rtmConfig)
    localUid = uid
} catch (e: Exception) {
    notify(e.toString())
    return false
}
```

Test data encryption

To test the data encryption functionality:

  1. Configure the project

    1. Open the file <samples-root>/signaling-manager/src/main/res/raw/config.json

    2. Set appId to the AppID of your project.

    3. Choose one of the following authentication methods:

      • Temporary token:
        1. Generate an RTM token using your uid.
        2. Set token to this value in config.json.
      • Authentication server:
        1. Set up an authentication server.
        2. In config.json, set:
          • token to an empty string.
          • serverUrl to the base URL for your token server. For example: https://agora-token-service-production-yay.up.railway.app.
    4. Create the encryption key and salt

      In a production environment, you retrieve the encryption key and salt from an authentication server. For this code example you generate these parameters locally.

      • Create the 32-byte encryption key, printed as 64 hex characters, with the following command:

        ```shell
        openssl rand -hex 32
        ```

      • Create the 32-byte salt, printed as Base64, with the following command:

        ```shell
        openssl rand -base64 32
        ```

        In config.json:

        1. Paste the key into the cipherKey variable.
        2. Paste the salt into the salt variable.
        3. Set encryptionMode to 1.
  2. Run the reference app

    1. In Android Studio, connect a physical Android device to your development machine.
    2. Click Run to start the app.
    3. A moment later you see the project installed on your device.
  3. Test data encryption

    Log in to Signaling, then send and receive secure messages.

    Communication between your test devices is end-to-end encrypted. Because AES-GCM is authenticated encryption, this prevents data from being read or silently modified by anyone other than the true sender and recipient: a message altered in transit fails to decrypt rather than being accepted.
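The guarantees described in the Encrypt data section and in the test step above (a peer without the exact key and salt cannot decrypt, and a message modified in transit is rejected rather than accepted) follow from AES-256-GCM being authenticated encryption. The following Go program is an added example, not Agora's code and not the Signaling SDK's wire format: it validates a cipherKey and salt in the formats that `openssl rand -hex 32` and `openssl rand -base64 32` produce, then seals and opens a message with AES-256-GCM. Binding the salt as additional authenticated data is an illustrative choice made here so that the salt, like the key, must match on both sides; how the SDK itself combines key and salt is not described on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// ParseEncryptionConfig validates the two values pasted into config.json:
// cipherKey from `openssl rand -hex 32` and salt from `openssl rand -base64 32`.
// Every client in the channel must hold identical values, so anything that
// does not decode to exactly 32 bytes is rejected before it reaches the SDK.
func ParseEncryptionConfig(cipherKeyHex, saltB64 string) (key, salt []byte, err error) {
	key, err = hex.DecodeString(cipherKeyHex)
	if err != nil {
		return nil, nil, fmt.Errorf("cipherKey is not valid hex: %w", err)
	}
	if len(key) != 32 {
		return nil, nil, fmt.Errorf("cipherKey decodes to %d bytes, want 32 for AES-256", len(key))
	}
	salt, err = base64.StdEncoding.DecodeString(saltB64)
	if err != nil {
		return nil, nil, fmt.Errorf("salt is not valid Base64: %w", err)
	}
	if len(salt) != 32 {
		return nil, nil, fmt.Errorf("salt decodes to %d bytes, want 32", len(salt))
	}
	return key, salt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one message with AES-256-GCM under a fresh random nonce.
// The salt is bound in as additional authenticated data (an illustrative
// choice for this example, not the SDK's wire format) so that a peer with the
// right key but a different salt fails authentication.
// Output layout: nonce || ciphertext || tag.
func Seal(key, salt, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, salt), nil
}

// Open reverses Seal. A wrong key, a wrong salt, or a single flipped bit in
// the ciphertext or tag makes GCM return an error instead of garbage plaintext.
func Open(key, salt, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], salt)
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	// Produce the same formats the page's openssl commands print (constructed here, not real credentials).
	keyHex := hex.EncodeToString(mustRandom(32))                 // like `openssl rand -hex 32`
	saltB64 := base64.StdEncoding.EncodeToString(mustRandom(32)) // like `openssl rand -base64 32`
	key, salt, err := ParseEncryptionConfig(keyHex, saltB64)
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, salt, []byte("hello from an authorized user"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, salt, sealed)
	fmt.Printf("same key and salt: %q, err=%v\n", pt, err)
	_, err = Open(key, mustRandom(32), sealed)
	fmt.Println("right key, wrong salt:", err)
	sealed[len(sealed)-1] ^= 0x01 // one bit flipped in transit
	_, err = Open(key, salt, sealed)
	fmt.Println("tampered ciphertext:", err)
}
```

Run it with `go run .`: the first line prints the recovered plaintext, the next two print authentication errors. The length checks in ParseEncryptionConfig are worth keeping in any real client, since a truncated paste into config.json would otherwise surface only as undecryptable messages on the other devices.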

Reference

This section contains information that completes the information in this page, or points you to documentation that explains other aspects of this product.

Signaling