
Secure channel encryption

Media stream encryption ensures that only the authorized users in a channel can see and hear each other, so potential eavesdroppers cannot access sensitive and private information shared in a channel. While not every use case requires media stream encryption, Video Calling provides built-in encryption methods that guarantee data confidentiality during transmission.

This page shows you how to integrate built-in media stream encryption into your app using Video Calling.

Understand the tech

To ensure secure communication, your app uses the same SSL key and salt to encrypt and decrypt data in the channel. You use the key and salt to create an encryption configuration. Agora SD-RTN™ uses the encryption configuration to encrypt a stream and sends it to remote users. When the remote user receives the encrypted media stream, the remote app decrypts the media stream using the same salt and key.

The following figure shows the call flow for the media stream encryption:

Encrypt media stream

All users in a channel must initialize agoraEngine with the same encryption configuration and enable encryption before joining the channel. Without the correct configuration, you cannot decrypt channel content. As a best practice, have your authentication system generate a new key and salt regularly.

Prerequisites

To follow this procedure you must have:

Project setup

To encrypt the media streams in your app, you need to:

  • Open the SDK quickstart Video Calling project you created previously.

  • Set up OpenSSL on your development device.

Implement Agora media stream encryption

To implement media stream encryption, do the following:

  1. Add the required variables

    Add the following declarations to the top of the ViewController class:

    // In a production environment, you retrieve the key and salt from
    // an authentication server. For this code example you generate locally.

    // A 32-byte string for encryption.
    var encryptionKey = ""
    // A 32-byte string in Base64 format for encryption.
    var encryptionSaltBase64 = ""
  2. Add the media stream encryption method

    To enable media stream encryption in your app, create an AgoraEncryptionConfig object and specify a key, salt, and encryption mode. Call enableEncryption and pass the EncryptionConfig object as a parameter.

    In ViewController class, add the following function:

    func enableEncryption() {
        // Convert the Base64-encoded salt string into bytes.
        // Stop here rather than crash if the salt is not valid Base64.
        guard let encryptionSalt = Data(base64Encoded: encryptionSaltBase64, options: .ignoreUnknownCharacters) else {
            print("Invalid Base64 salt; media encryption not enabled.")
            return
        }

        // An object to specify encryption configuration.
        let config = AgoraEncryptionConfig()

        // Specify an encryption mode.
        config.encryptionMode = AgoraEncryptionMode.AES128GCM2
        // Set secret key and salt.
        config.encryptionKey = encryptionKey
        config.encryptionKdfSalt = encryptionSalt

        // Call the method to enable media encryption; 0 means success.
        if agoraEngine.enableEncryption(true, encryptionConfig: config) == 0 {
            print("Media encryption enabled.")
        } else {
            print("Failed to enable media encryption.")
        }
    }
  3. Start encryption before joining a channel

    Add the following line to the end of initializeAgoraEngine function:

    enableEncryption()

Test your implementation

To ensure that you have implemented Agora media stream encryption in your app:

  1. Add the 32-byte key to your app

    1. Run the following command in a terminal window:

      openssl rand -hex 32
    2. Paste the key returned into the encryptionKey variable.

  2. Add the 64-byte salt to your app

    1. Run the following command in a terminal window:

      openssl rand -base64 32
    2. Paste the salt returned into the encryptionSaltBase64 variable.

  3. Generate a token in Agora Console.

  4. In Xcode, in ViewController, update appID, channelName and token with the values for your temporary token.

  5. Run your app, then wait a few seconds until the installation is complete.

    If this is the first time you run the project, grant microphone and camera access to your app.

    If you use an iOS simulator, you see the remote video only. You cannot see the local video stream because of Apple simulator hardware restrictions.

  6. Click Join to start a call. Now, you can see yourself on the test device and talk to the web demo app using your app.

Communication between your test devices is end-to-end encrypted. This prevents data from being read or secretly modified by anyone other than the true sender and recipient.
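
Steps 1 and 2 of the test procedure produce the key and salt with openssl and rely on pasting each value into the right variable. The script below is an added example, not Agora's code: it checks that a pair has the shape those two commands print (64 hex characters for the key, Base64 that decodes to 32 bytes for the salt) before it is used. The function names are hypothetical and chosen for this example.

```shell
#!/bin/sh
# Added example (not Agora code): check the key and salt from steps 1 and 2
# before pasting them into encryptionKey and encryptionSaltBase64.
# All function names here are hypothetical.

# Print the decoded byte length of a Base64 string, or -1 if it is malformed.
b64_decoded_len() {
    s=$1
    case "$s" in ''|*[!A-Za-z0-9+/=]*) echo -1; return 0 ;; esac
    len=${#s}
    body=${s%%=*}                # text before the first '='
    pad=$((len - ${#body}))      # characters from the first '=' to the end
    case "${s#"$body"}" in *[!=]*) echo -1; return 0 ;; esac
    if [ $((len % 4)) -ne 0 ] || [ "$pad" -gt 2 ]; then echo -1; return 0; fi
    echo $((len / 4 * 3 - pad))
}

# Succeed only for the shape `openssl rand -hex 32` prints: 64 hex characters.
is_hex_key() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ "${#1}" -eq 64 ]
}

# Validate a key/salt pair: one line per problem, non-zero status on failure.
check_material() {
    rc=0
    is_hex_key "$1" || { echo "key: expected 64 hex characters, got ${#1}"; rc=1; }
    n=$(b64_decoded_len "$2")
    [ "$n" -eq 32 ] || { echo "salt: expected 32 bytes of Base64, got $n"; rc=1; }
    return "$rc"
}

# Run the page's two commands and print the pair only if it validates.
generate_material() {
    key=$(openssl rand -hex 32) || return 2
    salt=$(openssl rand -base64 32) || return 2
    check_material "$key" "$salt" || return 1
    printf 'encryptionKey: %s\nencryptionSaltBase64: %s\n' "$key" "$salt"
}

if command -v openssl >/dev/null 2>&1; then generate_material; fi
```

Swapping the two values is caught because a 64-character hex string is valid Base64 but decodes to 48 bytes, not 32.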

Reference

This section contains information that completes the information in this page, or points you to documentation that explains other aspects of this product.
