Enable end-to-end encryption #19
lebaudantoine
started this conversation in
Ideas
Replies: 2 comments 1 reply
-
|
If e2e encryption is enabled, how the Egress can record the meeting? |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
I would say recordings and end-to-end encryption should be mutually exclusive... at least until we introduce mutual e2e encryption for recordings? |
Beta Was this translation helpful? Give feedback.
-
|
I wanted to clarify that when talking about end-to-end encryption I was referring to Messaging Layer Security and not mTLS (which could also be interesting BTW 😄) |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Feature Request
Is your feature request related to a problem or unsupported use case? Please describe.
LiveKit offers client-to-client encryption. In their demo app, you can enable end-to-end encryption based on a passphrase or key shared between clients and unknown to the LiveKit server.
End-to-end encryption was supported in the CS students' proof of concept (PoC).
Describe the solution you'd like
Not yet architected. Several potential solutions were mentioned by @sampaccoud :
Option 1:
The Django server generates a secret for each meeting room and shares it with clients when they request an access token to join a LiveKit room. Although the server knows the secret, LiveKit remains unaware of it, ensuring that no one can decrypt the communication between clients except our secure Django server.
Option 2:
When generating a new room URL, the client appends a randomly generated
#yourSecretPassphrase, which other clients recognize when navigating to the same URL. The client requests an access token to a room URL without passing the passphrase to the Django server.Option 3:
Allow users to set a custom passphrase through the client interface for highly secure and confidential meetings. Only the user and their user agent would choose and know the secret. Users would need to share the passphrase through a predefined channel (e.g., email, Tchap, oral communication, etc.)
Option 4:
Based on @sampaccoud's suggestion, use mutual TLS (mTLS) to exchange a secret passphrase between clients without exposing it to the Django server. While I am not an mTLS expert, this approach could securely manage the passphrase exchange, I have no clear idea which parts are involved and how works mTLS.
Beta Was this translation helpful? Give feedback.
All reactions