Secure channel encryption
During real-time audio and video interactions, encrypting media streams ensures user data security. The Server Gateway offers a built-in encryption solution to safeguard your media streams effectively.
Implementation
Starting from version 3.8.200, Agora recommends using the AES_128_GCM2 or AES_256_GCM2 encryption modes with key and salt settings. Versions prior to 3.8.200 only support 128-bit SM4 in ECB mode.
Agora recommends using the AES_128_GCM2 or AES_256_GCM2 encryption mode and setting the key and salt.
- Ensure all users in a channel use the same encryption mode, key, and salt.
- The GCM2 encryption modes offer enhanced security with a stronger Key Derivation Function (KDF) and support for setting a salt. For other encryption modes, you only need to configure the encryption mode and key.
Generate and set the key
To generate and set the encryption key, refer to the following steps.
- To randomly generate a 32-byte encryption key in string format using OpenSSL on your server:
- The client gets the string key from the server and passes it to the SDK in the enableEncryption method.
Generate and set the salt
To generate the salt:
- Randomly generate a Base64-encoded, 32-byte salt through OpenSSL on the server. Refer to the C++ sample code provided by Agora on GitHub to randomly generate a salt in the byte array format and convert it to Base64 on the server.
- The client gets the Base64 salt from the server.
- The client converts the salt from Base64 to a uint8_t array of length 32, and then passes it to the SDK in the enableEncryption method.
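The client-side conversion in the last step, as an added example that is not Agora's sample code: it decodes the Base64 salt into a 32-byte uint8_t array and rejects anything that is not exactly 32 bytes, so a truncated or malformed salt is caught before it reaches enableEncryption. The helper name decode_salt and the sample value are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

const std::size_t kSaltLen = 32;  // salt length stated on the page

// Constructed sample: Base64 of bytes 0x00..0x1f. Not a real salt.
const char* const kSampleSalt = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=";

// Map one standard Base64 character to its 6-bit value, or -1 if invalid.
static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

// Hypothetical helper (not an SDK function): decode a Base64 salt into exactly
// 32 bytes. Returns false and leaves `salt` untouched on any malformed input.
bool decode_salt(const std::string& b64, uint8_t salt[kSaltLen]) {
    // 32 bytes always encode to 43 data characters plus one '='.
    if (b64.size() != 44 || b64[43] != '=') return false;
    uint8_t tmp[kSaltLen];
    std::size_t out = 0;
    uint32_t acc = 0;
    int bits = 0;
    for (std::size_t i = 0; i < 43; ++i) {
        int v = b64_value(b64[i]);
        if (v < 0) return false;  // character outside the Base64 alphabet
        acc = (acc << 6) | static_cast<uint32_t>(v);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            tmp[out++] = static_cast<uint8_t>((acc >> bits) & 0xFF);
        }
    }
    // 43 * 6 = 258 bits: 32 bytes plus 2 leftover bits that must be zero.
    if (out != kSaltLen || (acc & 0x3) != 0) return false;
    std::memcpy(salt, tmp, kSaltLen);
    return true;
}

int main() {
    uint8_t salt[kSaltLen];
    return decode_salt(kSampleSalt, salt) ? 0 : 1;
}
```

If decode_salt returns false, treat it as a provisioning error and do not connect to the channel with a partially filled or default salt.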
Enable built-in encryption
Before connecting to a channel, call enableEncryption to enable built-in encryption. You also need to set the encryption mode and encryption key. All users connected to the same channel must use the same encryption mode and key.