Skip to main content

You are viewing Agora Docs forBetaproducts and features. Switch to Docs

Android
iOS
macOS
Web
Windows
Electron
Flutter
React Native
Python
React JS
Unity
Unreal Engine
Unreal (Blueprint)

Secure channel encryption

Media stream encryption refers to encrypting audio and video streams in an app using a unique key and salt controlled by the app developer. Encryption ensures that only the authorized users in a channel see and hear each other. Voice SDK provides built-in encryption methods that you can use to guarantee data confidentiality during transmission.

This article describes how to integrate Agora built-in media stream encryption into your app.

Understand the tech

The following figure illustrates the process of data transfer with media stream encryption enabled.

Best practice is to choose the AES_128_GCM2 or AES_256_GCM2 encryption mode and set a key and salt for enhanced security.

EncryptMediaStream

Prerequisites

Ensure that you have implemented the SDK quickstart in your project.

Implement media stream encryption

To add built-in media stream encryption to your app, refer to the following steps:

  1. Generate a key and salt on your server

    • To generate a random 32-byte hexadecimal key on your server as a string, refer to the following OpenSSL command:


      _2
      # Generate a 32-byte hexadecimal key
      _2
      openssl rand -hex 32

    • To generate a random Base64-encoded, 32-byte salt on your server, refer to the following OpenSSL command:


      _2
      # Generate a Base64-encoded, 32-byte salt
      _2
      openssl rand -base64 32

  1. Implement client-side logic

    1. Obtain a String key and Base64-encoded salt from the server.

    2. Convert the salt from Base64 to uint8_t.

    3. Before joining the channel, call enableEncryption to set the AES_128_GCM2 or AES_256_GCM2 encryption mode, and pass the key and salt to the SDK.

note
  • All users in a channel must use the same encryption mode, key, and salt. Discrepancies may lead to unexpected behavior, such as black screens or audio loss.
  • To ensure security, best practice is to use a new key and salt each time you enable media stream encryption.

To implement this logic, refer to the following code:


_31
import java.util.Base64;
_31
import io.agora.rtc2.RtcEngine;
_31
import io.agora.rtc2.internal.EncryptionConfig;
_31
_31
class Example
_31
{
_31
public bool enableEncryption(RtcEngine mRtcEngine) {
_31
if(mRtcEngine == null)
_31
return false;
_31
// Obtain the Base64 encoded salt from the server
_31
String encryptionKdfSaltBase64 = Server.getEncryptionKdfSaltBase64();
_31
// Obtain the String type key from the server
_31
String encryptionSecret = Server.getEncryptionSecret();
_31
if(encryptionKdfSaltBase64 == null || encryptionSecret == null)
_31
return false;
_31
_31
// Convert the Base64 encoded salt to uint8_t
_31
byte[] encryptionKdfSalt = Base64.getDecoder().decode(encryptionKdfSaltBase64);
_31
// Create an instance of EncryptionConfig
_31
EncryptionConfig config = new EncryptionConfig();
_31
// Set the encryption mode to AES_128_GCM2
_31
config.encryptionMode = EncryptionConfig.EncryptionMode.AES_128_GCM2;
_31
config.encryptionKey = encryptionSecret;
_31
// Copy the encryption KDF salt into the configuration
_31
System.arraycopy(encryptionKdfSalt, 0, config.encryptionKdfSalt, 0, config.encryptionKdfSalt.length);
_31
// Enable encryption using the configuration
_31
int result = mRtcEngine.enableEncryption(true, config);
_31
// Return true if result is 0
_31
return (result == 0); // Success
_31
}
_31
}

Information
To communicate with the Voice SDK for Web, convert the String type key mentioned in this document from Hex encoding format to the ASCII encoding format.

Reference

This section contains content that completes the information on this page, or points you to documentation that explains other aspects to this product.

Sample projects

Agora provides open-source sample projects for your reference. Download or view the source code for a more detailed example.

API reference

Voice Calling