Media Stream Encryption
To improve data security, Agora supports encrypting users' media streams during real-time engagement. You can choose from the following encryption options according to your needs:
- Built-in encryption: Use the preset encryption mode in the SDK to encrypt the media streams.
- Customized encryption: Use the packet observer provided by the SDK to customize the encryption mode of media streams.
The following diagram describes the encrypted data transmission process:
Agora provides an open-source sample project that implements built-in encryption on GitHub. You can try the demo and view the source code.
Before enabling media-stream encryption, ensure that you refer to the appropriate Quickstart Guide to implement the basic real-time communication functions in your project.
Use the built-in encryption
Before joining a channel, call enableEncryption to enable the built-in encryption.
As of v3.4.5, Agora recommends using the AES_256_GCM2 encryption mode and setting the key and salt.
To generate and set the key and salt parameters, refer to the following steps.
GCM2 encryption modes use a more secure KDF (Key Derivation Function) and support setting the salt. If you choose other encryption modes, you only need to set the encryption mode and key.
Generate and set the key
- Refer to the following command to randomly generate a 32-byte key in the string format through OpenSSL on your server.
- The client gets the key in the string format from the server and passes it to the SDK in the
Generate and set the salt
- Refer to the following command to randomly generate a Base64-encoded, 32-byte salt through OpenSSL on the server. You can also refer to the C++ sample code provided by Agora on GitHub to randomly generate a salt in the byte array format and convert it to Base64 on the server.
- The client gets the Base64 salt from the server.
- The client decodes the salt value from Base64 encoding to a byte array of length 32, and then passes it to the SDK in the
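The key and salt steps above, sketched as an added example that is not part of the original page or of Agora's sample code. The OpenSSL invocations, the hex form of the key string, and the function names are assumptions; the two validators show the checks a client can run before handing the values to the SDK.

```shell
#!/bin/sh
# Added example: server-side generation and client-side validation of the
# key and salt for a GCM2 mode. Function names and the hex key format are
# assumptions, not part of the SDK.

# Server: 32 random bytes, printed as a 64-character hex string.
gen_key() {
    openssl rand -hex 32
}

# Server: 32 random bytes, Base64-encoded (44 characters with padding).
gen_salt_b64() {
    openssl rand -base64 32
}

# Client: accept the key only if it is exactly 64 lowercase hex characters.
key_is_valid() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Client: accept the salt only if it is canonical Base64 (re-encoding the
# decoded bytes reproduces the input) and decodes to exactly 32 bytes.
salt_is_valid() {
    roundtrip=$(printf '%s' "$1" | base64 -d 2>/dev/null | base64)
    [ "$roundtrip" = "$1" ] || return 1
    len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
    [ "$len" -eq 32 ]
}

# Constructed demo: generate a fresh pair for one session and check it the
# way a client would before handing the values to the SDK.
key=$(gen_key)
salt=$(gen_salt_b64)
if key_is_valid "$key" && salt_is_valid "$salt"; then
    echo "key and salt OK: ${#key} hex chars, salt decodes to 32 bytes"
fi
```

Rejecting a salt that does not decode to exactly 32 bytes on the client surfaces a transport or encoding mistake before the channel is joined.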
Use the customized encryption
To implement the customized encryption, use the IPacketObserver class and registerPacketObserver in C++ as follows:
Before joining a channel, call registerPacketObserver to register the packet observer, so that you can receive events during audio or video packet transmission.
IPacketObserver class and use your customized encryption algorithm on your app.
Implement a Java wrapper. You can refer to the following example:
registerAgoraPacketObserver implemented in step 4 to register the
registerPacketObserver(nullptr) method after leaving the channel.
- Both the communication and interactive live streaming scenarios support encryption, but Agora does not support pushing encrypted streams to the CDN during live streaming.
- To use media-stream encryption, you need to enable encryption before joining a channel. Ensure that both the receivers and senders use the same encryption mode; otherwise, undefined behaviors such as a black screen or audio loss occur.
- To enhance security, Agora recommends using a new key and salt every time you enable media-stream encryption.