Data encryption

Data encryption ensures that only the authorized users in a channel communicate with each other. This ensures that potential eavesdroppers cannot access sensitive and private information shared in a channel. While not every use case requires data encryption, Signaling provides built-in encryption methods that guarantee data confidentiality during transmission.

This page shows you how to integrate built-in data encryption into your app using Signaling.

The following figure shows the call flow for the data encryption:

All users in a channel must use the same encryption configuration to initiate agoraEngine and enable encryption before joining a channel. If you don’t have the correct configuration, you cannot decrypt channel content. Best practice is that your authentication system generates a new key and salt regularly.

Signaling provides security for user applications in the following ways:

• Transport layer encryption: for data transmission between your app and Agora SD-RTN™.
• Message encryption: each message is protected with end-to-end AES_256_GCM encryption protection.
• Token authorization - time-based access access control strategy.

To ensure secure communication, your app uses the same SSL key and salt to encrypt and decrypt data in the channel. You use the key and salt to create an encryption configuration. Agora SD-RTN™ uses the encryption configuration to encrypt a stream and sends it to remote users. When the remote user receives the encrypted data stream, the remote app decrypts the data stream using the same salt and key.

If your app must be highly secure, or meet security compliance standards like HIPAA or SOC 2 type 2, use message-level encryption. For a higher levels combine TLS encryption with end-to-end AES encryption.

To follow this page, you must have:

• Setup the Signaling SDK reference app.

• Installed the latest version of OpenSSL

To implement data encryption, do the following:

1. Add the required imports

   In /app/java/com.example.<projectname>/MainActivity, add the following imports after the last import statement:

   
   

   _2

   import io.agora.rtc2.internal.EncryptionConfig;

   _2

   import java.util.Base64;

   
   

   Base64 requires that you set the Min SDK Version property in your project to 26 or higher.

2. Add the required variables

   In /app/java/com.example.<projectname>/MainActivity, add the following declarations to MainActivity class:

   
   

   _7

   // In a production environment, you retrieve the key and salt from

   _7

   // an authentication server. For this code example you generate them locally.

   _7

   _7

   // A 32-byte string for encryption.

   _7

   private String encryptionKey = "";

   _7

   // A 32-byte string in Base64 format for encryption.

   _7

   private String encryptionSaltBase64 = "";

   
   

3. Add the media stream encryption method

   To enable media stream encryption in your app, create an EncryptionConfig object and specify a key, salt, and encryption mode. Call enableEncryption and pass the EncryptionConfig object as a parameter.

   In /app/java/com.example.<projectname>/MainActivity, add the following method to MainActivity class:

   
   

   _19

   public void enableEncryption()

   _19

   {

   _19

   if(encryptionSaltBase64 == null || encryptionKey == null)

   _19

   return;

   _19

   // Convert the salt string into bytes

   _19

   byte[] encryptionSalt = Base64.getDecoder().decode(encryptionSaltBase64);

   _19

   // An object to specify encryption configuration.

   _19

   EncryptionConfig config = new EncryptionConfig();

   _19

   // Specify an encryption mode.

   _19

   config.encryptionMode = EncryptionConfig.EncryptionMode.AES_128_GCM2;

   _19

   // Set secret key and salt.

   _19

   config.encryptionKey = encryptionKey;

   _19

   System.arraycopy(encryptionSalt, 0, config.encryptionKdfSalt, 0, config.encryptionKdfSalt.length);

   _19

   // Call the method to enable media encryption.

   _19

   if(agoraEngine.enableEncryption(true, config) == 0)

   _19

   {

   _19

   Toast.makeText(getApplicationContext(), "Media encryption enabled", Toast.LENGTH_SHORT).show();

   _19

   }

   _19

   }

   
   

4. Start encryption before joining a channel

   In /app/java/com.example.<projectname>/MainActivity, add the following code at the end of SetupVideoSDKEngine:

   
   

   _1

   enableEncryption();

   
   

To test this functionality:

1. Create the cypher key and salt

   1. Create the 32-byte key with the following command:

      
      

      _1

      openssl rand -hex 32

      
      

   2. Create the 64-byte salt with the following command

      
      

      _1

      openssl rand -base64 32

      
      

2. Configure data encryption

   In <samples-root>/src/signaling_manager/config.json:

   1. Paste the -hex 32 key into the cipherKey variable.

   2. Paste the salt from the -base64 32 call into the salt variable.

   3. Set encryptionMode to 1.

3. Set the APP ID

   In agora-manager/res/raw/config.json, set appId to the AppID of your project.

4. Set the authentication method

   Choose one of the following authentication methods:

   • Temporary token:
     1. Set rtcToken with the value of your temporary token.
     2. Set channelName - with the name of a channel you used to create the token.
   • Authentication server:
     1. Setup an Authentication server
     2. In config.json, set:
        • channelName with the name of a channel you want to join.
        • rtcToken to an empty string.
        • serverUrl to the base URL of your authentication server. For example, https://agora-token-service-production-1234.up.railway.app.

5. Start the Android reference app

   1. In Android Studio, connect a physical Android device to your development machine.

   2. Click Run to start the app.

      A moment later you see the project installed on your device. If this is the first time you run the project, you need to grant microphone and camera access to your app.

4. Test data encryption

   Login to Signaling as multiple users, then send and receive secure messages.

4. In Android Studio, in app/java/com.example.\<projectname>/MainActivity, update appId, channelName and token with the values for your temporary token.

5. Connect a physical Android device to your development machine.

6. In Android Studio, click Run app. You see the app running on your device.

   If this is the first time you run your app, grant microphone and camera access.

7. Copy and install the apk for your app on a second Android test device.

8. Press Join on both Android devices to join the same channel.

You see the local and remote videos on the two devices.

Communication between your test devices is end-to-end encrypted. This prevents data from being read or secretly modified by anyone other than the true sender and recipient.

This section contains information that completes the information in this page, or points you to documentation that explains other aspects to this product.

• enableEncryption
• EncryptionConfig