Skip to main content

Secure channel encryption

To improve data security, Agora supports encrypting media streams during real-time engagement.

Agora Server Gateway supports built-in encryption methods.

Implementation

Before enabling media-stream encryption, ensure that you have implemented the basic real-time communication functions in your project.

Agora recommends using the AES_128_GCM2 or AES_256_GCM2 encryption mode and setting the key and salt.

To generate and set the key and salt parameters, refer to the following steps.

  • All users in a channel must use the same encryption mode, key, and salt.
  • Compared to other encryption modes, the GCM2 encryption modes use a more secure KDF (Key Derivation Function) and support setting the salt. If you choose other encryption modes, you only need to set the encryption mode and key.
  • Generate and set the key

    1. Refer to the following command to randomly generate a 32-byte key in the string format through OpenSSL on your server.

    _3
    # Randomly generate a 32-byte key in the string format, and pass the string key in the encryptionKey parameter of enableEncryption.
    _3
    openssl rand -hex 32
    _3
    dba643c8ba6b6dc738df43d9fd624293b4b12d87a60f518253bd10ba98c48453

    1. The client gets the key in the string format from the server and passes it to the SDK in the enableEncryption method.

    Generate and set the salt

    1. Refer to the following command to randomly generate a Base64-encoded, 32-byte salt through OpenSSL on the server. You can also refer to the C++ sample code provided by Agora on GitHub to randomly generate a salt in the byte array format and convert it to Base64 on the server.

    _3
    # Randomly generate a 32-byte salt in the Base64 format. Convert the salt from Base64 to uint8_t, and pass the uint8_t salt in the encryptionKdfSalt parameter of enableEncryption.
    _3
    openssl rand -base64 32
    _3
    X5w9T+50kzxVOnkJKiY/lUk82/bES2kATOt3vBuGEDw=

    1. The client gets the Base64 salt from the server.

    2. The client converts the salt from Base64 to byte[], and then passes it to the SDK in the enableEncryption method.

    Call enableEncryption to enable built-in encryption

    Before connecting to a channel, call enableEncryption to enable built-in encryption. You also need to set encryption mode and encryption key. All users connected to the same channel must use the same encryption mode and key.