
Media encryption with Twilio Programmable Video

Media encryption in Group Rooms

Media shared in Group Rooms is encrypted during transport to Twilio, is briefly decrypted in memory in Twilio's cloud, and is immediately re-encrypted before being sent to other Participants. Decrypted media is not written to any persistent storage or sent across the network.

Each Participant in a Group Room negotiates its own DTLS/SRTP connection to Twilio's media servers, and all media published to or subscribed from the Room is transported through this secure connection.

Media is encrypted at the sender. On arrival at the media server, each Participant's media is briefly decrypted, then re-encrypted and sent out to the other Participants. WebRTC requires this, as it does not allow the negotiation of a single set of DTLS keys between more than two peers.

All decryption and re-encryption happens in a single media server process in Twilio's cloud. A separate process is created for each Room.

If recording is disabled, unencrypted media is never written to disk or any other kind of persistent storage, and is never sent across the network. Unencrypted media only stays in memory for short periods of time, and is only accessible to the specific media process performing the decryption.

Media encryption in Peer-to-Peer and WebRTC Go Rooms

Media shared in Peer-to-Peer and WebRTC Go Rooms is encrypted end-to-end and can never be accessed by Twilio.

Each Participant in a Peer-to-Peer or WebRTC Go Room negotiates a separate DTLS/SRTP connection to every other participant. All media published to or subscribed from the Room is sent over these secure connections, and is encrypted only at the sender and decrypted only at the receiver.

The Network Traversal Service TURN relay cannot decrypt media: TURN only routes packets between peers.
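Both room types depend on every connection actually negotiating DTLS/SRTP, and in WebRTC the DTLS parameters are carried in the SDP offer and answer. The following added example (not Twilio's code; the function name and the sample SDP are constructed for illustration) audits an SDP blob and reports any media section that is not DTLS-SRTP protected.

```javascript
// Added example: audit SDP media sections for DTLS-SRTP (hypothetical helper names).
function auditSdpForDtlsSrtp(sdp) {
  const session = { attrs: [] };
  const sections = [];
  let current = session;
  for (const raw of sdp.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith("m=")) {
      // m=<media> <port> <proto> <formats...>
      const [media, , proto] = line.slice(2).split(/\s+/);
      current = { media, proto, attrs: [] };
      sections.push(current);
    } else if (line.startsWith("a=")) {
      current.attrs.push(line.slice(2));
    }
  }
  // Media-level attributes are checked first; session-level ones apply to every section.
  const find = (s, name) =>
    [...s.attrs, ...session.attrs].find((a) => a.startsWith(name + ":"));

  return sections.map((s) => {
    const problems = [];
    const fingerprint = find(s, "fingerprint");
    const setup = find(s, "setup");
    if (!/^(UDP|TCP)\/TLS\/RTP\/SAVPF?$/.test(s.proto) && !/DTLS\/SCTP$/.test(s.proto))
      problems.push(`transport profile ${s.proto} is not DTLS-protected`);
    if (!fingerprint) problems.push("no a=fingerprint, so the DTLS certificate cannot be checked");
    else if (/^fingerprint:(md2|md5)\s/i.test(fingerprint))
      problems.push("fingerprint uses a weak hash");
    if (!/^setup:(actpass|active|passive)$/.test(setup || ""))
      problems.push("no usable a=setup DTLS role");
    if (find(s, "crypto")) problems.push("a=crypto (SDES) puts SRTP keys in signaling");
    return { media: s.media, ok: problems.length === 0, problems };
  });
}

// Constructed sample: a DTLS-SRTP audio section and an SDES-keyed video section.
const SAMPLE_SDP = [
  "v=0",
  "o=- 1 1 IN IP4 127.0.0.1",
  "s=-",
  "t=0 0",
  "a=fingerprint:sha-256 " + Array(32).fill("AB").join(":"),
  "m=audio 9 UDP/TLS/RTP/SAVPF 111",
  "a=setup:actpass",
  "m=video 9 RTP/SAVP 96",
  "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY",
].join("\r\n");

console.log(JSON.stringify(auditSdpForDtlsSrtp(SAMPLE_SDP), null, 2));
```

In a Group Room the remote fingerprint identifies Twilio's media server, while in a Peer-to-Peer or WebRTC Go Room it identifies the other Participant.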


For current media security information, please review Programmable Video Media Security documentation.
