Secure channel encryption
Media stream encryption ensures that only authorized users in a channel see and hear each other. Encryption prevents potential eavesdroppers from accessing sensitive and private information shared in a channel. IoT SDK provides built-in encryption methods that you can use to guarantee data confidentiality during transmission, when required.
This page shows you how to integrate media stream encryption into your app using IoT SDK.
Understand the tech
To ensure secure communication, your app uses an SSL key and a salt to encrypt and decrypt data in the channel. You use the key and salt to create an encryption configuration. Agora SD-RTN™ uses the encryption configuration to encrypt a stream and sends it to remote users. When a remote user receives an encrypted media stream, the remote app decrypts it using the same salt and key.
The following figure shows the call flow for media stream encryption:
All users in a channel must use the same encryption configuration. You set this up when you initiate the Agora Engine and enable encryption before joining a channel. If you don’t have the correct configuration, you cannot decrypt channel content. Best practice is to have your authentication system generate a new key and salt regularly.
IoT SDK supports the following encryption modes:
- AES-128-GCM2 (recommended)
- AES-256-GCM2 (recommended)
Compared to other encryption modes, GCM2 encryption uses a more secure key derivation function and supports salt. If you choose another encryption mode, you only need to set the encryption mode and key.
To follow this procedure you must have:
Implemented the SDK quickstart project for IoT SDK.
OpenSSL v3.0.0 or above.
To encrypt media streams in your app, you need to:
- Open the SDK quickstart IoT SDK project you created previously.
- Set up OpenSSL on your development device.
Implement Agora media stream encryption
To implement media stream encryption, do the following:
Add variables to hold the encryption key and salt
/app/java/com.example.<projectname>/MainActivity, add the following declarations to the
To enable encryption, you set
channelOptions. Add the following line after
channelOptions.autoSubscribeVideo = true;in
Set encryption parameters
You specify the media stream encryption mode and the related parameters in JSON format by calling
setParams. Depending on your choice of an encryption method, add one of the following pieces of code to
To disable encryption, use the following code:
Test your implementation
To ensure that you have implemented Agora media stream encryption in your app:
Add the 32-byte key to your app:
Run the following command in a terminal window:
Paste the key string returned into the
Add the 64-byte salt to your app:
Run the following command in your terminal window:
Paste the salt string returned into the
Generate a temporary token in Agora Console.
In Android Studio, in
tokenwith the values for your temporary token.
Connect a physical Android device to your development machine.
In Android Studio, click Run app. You see the app running on your device.
If this is the first time you run your app, grant microphone and camera access.
Copy and install the
apkfor your app on a second Android test device.
Press Join on both Android devices to join the same channel.
You see remote videos on the two devices.
Communication between your test devices is now end-to-end encrypted. This prevents data from being read or secretly modified by anyone other than the true sender and recipient.
This section contains information that completes the information in this page, or points you to documentation that explains other aspects to this product.