Media encryption in Group Rooms
Media shared in Group Rooms is encrypted during transport to Twilio, is briefly decrypted in memory in Twilio's cloud, and is immediately re-encrypted before being sent to other Participants. Decrypted media is not written to any persistent storage or sent across the network.
Each Participant in a Group Room negotiates its own DTLS/SRTP connection to Twilio's media servers, and all media published to or subscribed from the Room is transported through this secure connection.
Media is encrypted at the sender. Once it arrives at the media server, each Participant's media is briefly decrypted before being re-encrypted and sent out to the other Participants. WebRTC requires this: DTLS keys are negotiated between exactly two peers, so a single set of keys cannot be shared by more than two of them, and a server that fans media out to many Participants must terminate each Participant's DTLS/SRTP connection.
All decryption and re-encryption happens in a single media server process in Twilio's cloud. A separate process is created for each Room.
If recording is disabled, unencrypted media is never written to disk or any other kind of persistent storage, and is never sent across the network. Unencrypted media only stays in memory for short periods of time, and is only accessible to the specific media process performing the decryption.
Media encryption in Peer-to-Peer and WebRTC Go Rooms
Media shared in Peer-to-Peer and WebRTC Go Rooms is encrypted end-to-end and can never be accessed by Twilio.
Each Participant in a Peer-to-Peer or WebRTC Go Room negotiates a separate DTLS/SRTP connection to every other participant. All media published to or subscribed from the Room is sent over these secure connections, and is encrypted only at the sender and decrypted only at the receiver.
The Network Traversal Service (TURN) cannot decrypt media: a TURN server only relays packets between peers and never holds the DTLS/SRTP keys, so relaying leaves the encryption untouched.
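The two properties described above (media leaves the client under DTLS/SRTP, and a TURN relay only forwards the already-encrypted packets) can be checked from the client side with the WebRTC statistics API. The following is an added example, not Twilio's code or part of this documentation: it summarises a stats report so an application can confirm that each transport has a completed DTLS handshake with an SRTP cipher in use, and see whether the selected path goes through a relay candidate. The function names (summariseTransport, allMediaProtected) and the stats report are constructed for illustration; in a browser the report would come from `await peerConnection.getStats()`.

```javascript
// Added example (not Twilio code): summarise the security-relevant parts of a
// WebRTC stats report so a client can confirm that its media transport is
// DTLS/SRTP-protected and see whether the path is relayed through TURN.
// In a browser you would obtain the report with
//   const report = await peerConnection.getStats();
// and pass Array.from(report.values()) to summariseTransport(). Here a
// constructed report stands in for a live connection so the code runs offline.

function summariseTransport(stats) {
  const byId = new Map(stats.map((s) => [s.id, s]));
  const transports = stats.filter((s) => s.type === 'transport');
  return transports.map((t) => {
    const pair = byId.get(t.selectedCandidatePairId);
    const local = pair ? byId.get(pair.localCandidateId) : undefined;
    const remote = pair ? byId.get(pair.remoteCandidateId) : undefined;
    const localType = local ? local.candidateType : undefined;
    const remoteType = remote ? remote.candidateType : undefined;
    return {
      transportId: t.id,
      dtlsState: t.dtlsState,
      dtlsCipher: t.dtlsCipher,
      srtpCipher: t.srtpCipher,
      // Media is only protected once DTLS has completed and an SRTP cipher is in use.
      mediaProtected:
        t.dtlsState === 'connected' &&
        typeof t.srtpCipher === 'string' &&
        t.srtpCipher.length > 0,
      localCandidateType: localType,
      remoteCandidateType: remoteType,
      // A 'relay' candidate on either side means packets traverse a TURN server.
      // The relay forwards the encrypted packets unchanged; it takes no part in
      // the DTLS handshake and never sees the SRTP keys.
      relayed: localType === 'relay' || remoteType === 'relay',
    };
  });
}

// True only when every transport in the report carries DTLS/SRTP-protected media.
function allMediaProtected(stats) {
  return summariseTransport(stats).every((t) => t.mediaProtected);
}

// Constructed sample report (field names follow the W3C WebRTC Statistics API).
// T01: established, relayed through TURN. T02: DTLS still in progress.
const SAMPLE_STATS = [
  { id: 'T01', type: 'transport', dtlsState: 'connected',
    dtlsCipher: 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    srtpCipher: 'AES_CM_128_HMAC_SHA1_80', selectedCandidatePairId: 'CP01' },
  { id: 'CP01', type: 'candidate-pair', localCandidateId: 'LC01',
    remoteCandidateId: 'RC01', state: 'succeeded', nominated: true },
  { id: 'LC01', type: 'local-candidate', candidateType: 'relay', protocol: 'udp' },
  { id: 'RC01', type: 'remote-candidate', candidateType: 'host', protocol: 'udp' },
  { id: 'T02', type: 'transport', dtlsState: 'connecting', selectedCandidatePairId: 'CP02' },
  { id: 'CP02', type: 'candidate-pair', localCandidateId: 'LC02',
    remoteCandidateId: 'RC02', state: 'in-progress', nominated: false },
  { id: 'LC02', type: 'local-candidate', candidateType: 'srflx', protocol: 'udp' },
  { id: 'RC02', type: 'remote-candidate', candidateType: 'srflx', protocol: 'udp' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.table(summariseTransport(SAMPLE_STATS));
  console.log('all transports protected:', allMediaProtected(SAMPLE_STATS));
}
```

In a Group Room each Participant sees a single transport (to Twilio's media server); in a Peer-to-Peer or WebRTC Go Room there is one transport per remote Participant, so allMediaProtected should be polled until every transport reports 'connected' before treating the Room as fully established. A 'relay' candidate type on a transport indicates TURN is in the path and, as stated above, does not change who can decrypt the media.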
For current media security information, please review the Programmable Video Media Security documentation.