Secure channel encryption

Media stream encryption refers to encrypting audio and video streams in an app using a unique key and salt controlled by the app developer. Encryption ensures that only the authorized users in a channel see and hear each other. Video SDK provides built-in encryption methods that you can use to guarantee data confidentiality during transmission.

This article describes how to integrate Agora built-in media stream encryption into your app.

The following figure illustrates the process of data transfer with media stream encryption enabled.

Best practice is to choose the AES_128_GCM2 or AES_256_GCM2 encryption mode and set a key and salt for enhanced security.

Ensure that you have implemented the SDK quickstart in your project.

To add built-in media stream encryption to your app, refer to the following steps:

1. Generate a key and salt on your server

   • To generate a random 32-byte hexadecimal key on your server as a string, refer to the following OpenSSL command:

     
     

     _2

     # Generate a 32-byte hexadecimal key

     _2

     openssl rand -hex 32

     
     

   • To generate a random Base64-encoded, 32-byte salt on your server, refer to the following OpenSSL command:

     
     

     _2

     # Generate a Base64-encoded, 32-byte salt

     _2

     openssl rand -base64 32

     
     

2. Implement client-side logic

   1. Obtain a String key and Base64-encoded salt from the server.

   2. Convert the salt from Base64 to uint8_t.

   3. Before joining the channel, call enableEncryption to set the AES_128_GCM2 or AES_256_GCM2 encryption mode, and pass the key and salt to the SDK.

note

• All users in a channel must use the same encryption mode, key, and salt. Discrepancies may lead to unexpected behavior, such as black screens or audio loss.
• To ensure security, best practice is to use a new key and salt each time you enable media stream encryption.

To implement this logic, refer to the following code:

_31

import java.util.Base64;

_31

import io.agora.rtc2.RtcEngine;

_31

import io.agora.rtc2.internal.EncryptionConfig;

_31

_31

class Example

_31

{

_31

public bool enableEncryption(RtcEngine mRtcEngine) {

_31

if(mRtcEngine == null)

_31

return false;

_31

// Obtain the Base64 encoded salt from the server

_31

String encryptionKdfSaltBase64 = Server.getEncryptionKdfSaltBase64();

_31

// Obtain the String type key from the server

_31

String encryptionSecret = Server.getEncryptionSecret();

_31

if(encryptionKdfSaltBase64 == null || encryptionSecret == null)

_31

return false;

_31

_31

// Convert the Base64 encoded salt to uint8_t

_31

byte[] encryptionKdfSalt = Base64.getDecoder().decode(encryptionKdfSaltBase64);

_31

// Create an instance of EncryptionConfig

_31

EncryptionConfig config = new EncryptionConfig();

_31

// Set the encryption mode to AES_128_GCM2

_31

config.encryptionMode = EncryptionConfig.EncryptionMode.AES_128_GCM2;

_31

config.encryptionKey = encryptionSecret;

_31

// Copy the encryption KDF salt into the configuration

_31

System.arraycopy(encryptionKdfSalt, 0, config.encryptionKdfSalt, 0, config.encryptionKdfSalt.length);

_31

// Enable encryption using the configuration

_31

int result = mRtcEngine.enableEncryption(true, config);

_31

// Return true if result is 0

_31

return (result == 0); // Success

_31

}

_31

}

Information

To communicate with the Video SDK for Web, convert the String type key mentioned in this document from Hex encoding format to the ASCII encoding format.

This section contains content that completes the information on this page, or points you to documentation that explains other aspects to this product.

Agora provides open-source sample projects for your reference. Download or view the source code for a more detailed example.

• ChannelEncryption

• enableEncryption
• EncryptionConfig