To improve data security, Agora supports encrypting media streams during real-time engagement.
Agora Cloud Gateway supports built-in encryption methods.
Before enabling media-stream encryption, ensure that you have implemented the basic real-time communication functions in your project.
Agora recommends using the AES_128_GCM2
or AES_256_GCM2
encryption mode and setting the key and salt.
To generate and set the key
and salt
parameters, refer to the following steps.
GCM2
encryption modes use a more secure KDF (Key Derivation Function) and support setting the salt. If you choose other encryption modes, you only need to set the encryption mode and key.Refer to the following command to randomly generate a 32-byte key in the string format through OpenSSL on your server.
# Randomly generate a 32-byte key in the string format, and pass the string key in the encryptionKey parameter of enableEncryption.
openssl rand -hex 32
dba643c8ba6b6dc738df43d9fd624293b4b12d87a60f518253bd10ba98c48453
The client gets the key
in the string format from the server and passes it to the SDK in the enableEncryption
method.
Refer to the following command to randomly generate a Base64-encoded, 32-byte salt through OpenSSL on the server. You can also refer to the C++ sample code provided by Agora on GitHub to randomly generate a salt in the byte array format and convert it to Base64 on the server.
# Randomly generate a 32-byte salt in the Base64 format. Convert the salt from Base64 to uint8_t, and pass the uint8_t salt in the encryptionKdfSalt parameter of enableEncryption.
openssl rand -base64 32
X5w9T+50kzxVOnkJKiY/lUk82/bES2kATOt3vBuGEDw=
The client gets the Base64 salt from the server.
The client converts the salt from Base64 to byte[], and then passes it to the SDK in the enableEncryption
method.
enableEncryption
to enable built-in encryptionBefore connecting to a channel, call enableEncryption
to enable built-in encryption. You also need to set encryption mode and encryption key. All users connected to the same channel must use the same encryption mode and key.
// Create EncryptionConfig object
agora::rtc::EncryptionConfig Config;
// 256-bit AES, GCM2 mode
Config.encryptionMode = agora::rtc::AES_256_GCM2;
// Set encryption key
Config.encryptionKey = options.encryptionKey.c_str();
// Set encryption salt
Config.encryptionKdfSalt = options.encryptionKdfSalt;
// Enable built-in encryption
if (connection->enableEncryption(options.encryptionMode, Config) < 0) {
AG_LOG(ERROR, "Failed to enable encryption!");
}
AG_LOG(INFO, "Enable encryption successfully");