Skip to main content
C++
Java
Python
Go

Secure channel encryption

During real-time audio and video interactions, encrypting media streams ensures user data security. The Server Gateway offers a built-in encryption solution to safeguard your media streams effectively.

Implementation

Starting from version 3.8.200, Agora recommends using the AES_128_GCM2 or AES_256_GCM2 encryption modes with key and salt settings. Versions prior to 3.8.200 only support 128-bit SM4 in ECB mode.

Agora recommends using the AES_128_GCM2 or AES_256_GCM2 encryption mode and setting the key and salt.

info
  • Ensure all users in a channel use the same encryption mode, key, and salt.
  • The GCM2 encryption modes offer enhanced security with a stronger Key Derivation Function (KDF) and support for setting a salt. For other encryption modes, you only need to configure the encryption mode and key.

Generate and set the key

To generate and set the encryption key, refer to the following steps.

  1. To randomly generate a 32-byte encryption key in string format using OpenSSL on your server:


    _3
    # Randomly generate a 32-byte key in the string format, and pass the string key in the encryptionKey parameter of enableEncryption.
    _3
    openssl rand -hex 32
    _3
    dba643c8ba6b6dc738df43d9fd624293b4b12d87a60f518253bd10ba98c48453

  2. The client gets the string key from the server and passes it to the SDK in the enableEncryption method.

Generate and set the salt

To generate the salt:

  1. Randomly generate a Base64-encoded, 32-byte salt through OpenSSL on the server. Refer to the C++ sample code provided by Agora on GitHub to randomly generate a salt in the byte array format and convert it to Base64 on the server.


    _3
    # Randomly generate a 32-byte salt in the Base64 format. Convert the salt from Base64 to uint8_t, and pass the uint8_t salt in the encryptionKdfSalt parameter of enableEncryption.
    _3
    openssl rand -base64 32
    _3
    X5w9T+50kzxVOnkJKiY/lUk82/bES2kATOt3vBuGEDw=

  2. The client gets the Base64 salt from the server.

  3. The client converts the salt from Base64 to a uint8_t array of length 32, and then passes it to the SDK in the enableEncryption method.

Enable built-in encryption

Before connecting to a channel, call enableEncryption to enable built-in encryption. You also need to set the encryption mode and encryption key. All users connected to the same channel must use the same encryption mode and key.

Server Gateway