reference/client-sdk-cpp/e2ee_8h_source.html

/*

 * Copyright 2025 LiveKit

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an “AS IS” BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */


#pragma once


#include <cstdint>

#include <memory>

#include <optional>

#include <string>

#include <vector>


namespace livekit {


/* Encryption algorithm type used by the underlying stack.

 * Keep this aligned with your proto enum values. */

enum class EncryptionType {

  NONE = 0,

  GCM = 1,

  CUSTOM = 2,

};


/* Defaults (match other SDKs / Python defaults). */

inline constexpr const char *kDefaultRatchetSalt = "LKFrameEncryptionKey";

inline constexpr int kDefaultRatchetWindowSize = 16;

inline constexpr int kDefaultFailureTolerance = -1;


struct KeyProviderOptions {

  std::optional<std::vector<std::uint8_t>> shared_key;


  std::vector<std::uint8_t> ratchet_salt = std::vector<std::uint8_t>(

      kDefaultRatchetSalt, kDefaultRatchetSalt + std::char_traits<char>::length(

                                                     kDefaultRatchetSalt));


  int ratchet_window_size = kDefaultRatchetWindowSize;


  int failure_tolerance = kDefaultFailureTolerance;

};


struct E2EEOptions {

  KeyProviderOptions key_provider_options{};

  EncryptionType encryption_type = EncryptionType::GCM; // default & recommended

};


class E2EEManager {

public:


  class KeyProvider {

  public:

    ~KeyProvider() = default;


    KeyProvider(const KeyProvider &) = delete;

    KeyProvider &operator=(const KeyProvider &) = delete;

    KeyProvider(KeyProvider &&) noexcept = default;

    KeyProvider &operator=(KeyProvider &&) noexcept = default;


    const KeyProviderOptions &options() const;


    void setSharedKey(const std::vector<std::uint8_t> &key, int key_index = 0);


    std::vector<std::uint8_t> exportSharedKey(int key_index = 0) const;


    std::vector<std::uint8_t> ratchetSharedKey(int key_index = 0);


    void setKey(const std::string &participant_identity,

                const std::vector<std::uint8_t> &key, int key_index = 0);


    std::vector<std::uint8_t> exportKey(const std::string &participant_identity,

                                        int key_index = 0) const;


    std::vector<std::uint8_t>

    ratchetKey(const std::string &participant_identity, int key_index = 0);


  private:

    friend class E2EEManager;

    KeyProvider(std::uint64_t room_handle, KeyProviderOptions options);

    std::uint64_t room_handle_{0};

    KeyProviderOptions options_;

  };


  class FrameCryptor {

  public:

    FrameCryptor(std::uint64_t room_handle, std::string participant_identity,

                 int key_index, bool enabled);

    ~FrameCryptor() = default;

    FrameCryptor(const FrameCryptor &) = delete;

    FrameCryptor &operator=(const FrameCryptor &) = delete;

    FrameCryptor(FrameCryptor &&) noexcept = default;

    FrameCryptor &operator=(FrameCryptor &&) noexcept = default;


    const std::string &participantIdentity() const;

    int keyIndex() const;

    bool enabled() const;


    void setEnabled(bool enabled);


    void setKeyIndex(int key_index);


  private:

    std::uint64_t room_handle_{0};

    bool enabled_{false};

    std::string participant_identity_;

    int key_index_{0};

  };


  ~E2EEManager() = default;

  E2EEManager(const E2EEManager &) = delete;

  E2EEManager &operator=(const E2EEManager &) = delete;

  E2EEManager(E2EEManager &&) noexcept = delete;

  E2EEManager &operator=(E2EEManager &&) noexcept = delete;


  bool enabled() const;


  void setEnabled(bool enabled);


  KeyProvider *keyProvider();

  const KeyProvider *keyProvider() const;


  std::vector<E2EEManager::FrameCryptor> frameCryptors() const;


protected:

  explicit E2EEManager(std::uint64_t room_handle, const E2EEOptions &options);

  friend class Room;


private:

  std::uint64_t room_handle_{0};

  bool enabled_{false};

  E2EEOptions options_;

  KeyProvider key_provider_;

};


} // namespace livekit

livekit::E2EEManager::FrameCryptor
Definition e2ee.h:157

livekit::E2EEManager::FrameCryptor::setKeyIndex
void setKeyIndex(int key_index)
Sets the active key index for this participant cryptor.

livekit::E2EEManager::FrameCryptor::setEnabled
void setEnabled(bool enabled)
Enables or disables frame encryption/decryption for this participant.

livekit::E2EEManager::KeyProvider
Definition e2ee.h:117

livekit::E2EEManager::KeyProvider::exportSharedKey
std::vector< std::uint8_t > exportSharedKey(int key_index=0) const
Exports the shared key for a given key slot.

livekit::E2EEManager::KeyProvider::setKey
void setKey(const std::string &participant_identity, const std::vector< std::uint8_t > &key, int key_index=0)
Sets a key for a specific participant identity.

livekit::E2EEManager::KeyProvider::setSharedKey
void setSharedKey(const std::vector< std::uint8_t > &key, int key_index=0)
Sets the shared key for the given key slot.

livekit::E2EEManager::KeyProvider::options
const KeyProviderOptions & options() const
Returns the options used to initialize this KeyProvider.

livekit::E2EEManager::KeyProvider::exportKey
std::vector< std::uint8_t > exportKey(const std::string &participant_identity, int key_index=0) const
Exports a participant-specific key.

livekit::E2EEManager::KeyProvider::ratchetSharedKey
std::vector< std::uint8_t > ratchetSharedKey(int key_index=0)
Ratchets the shared key at key_index and returns the newly derived key.

livekit::E2EEManager::KeyProvider::ratchetKey
std::vector< std::uint8_t > ratchetKey(const std::string &participant_identity, int key_index=0)
Ratchets a participant-specific key and returns the new key.

livekit::E2EEManager
Definition e2ee.h:109

livekit::E2EEManager::enabled
bool enabled() const
Returns whether E2EE is currently enabled for this room at runtime.

livekit::E2EEManager::frameCryptors
std::vector< E2EEManager::FrameCryptor > frameCryptors() const
Retrieves the current list of frame cryptors from the underlying runtime.

livekit::E2EEManager::setEnabled
void setEnabled(bool enabled)

livekit::E2EEManager::keyProvider
KeyProvider * keyProvider()

livekit::Room
Definition room.h:97

livekit::E2EEOptions
Definition e2ee.h:87

livekit::KeyProviderOptions
Definition e2ee.h:50

livekit::KeyProviderOptions::shared_key
std::optional< std::vector< std::uint8_t > > shared_key
Definition e2ee.h:58

livekit::KeyProviderOptions::ratchet_salt
std::vector< std::uint8_t > ratchet_salt
Definition e2ee.h:63

livekit::KeyProviderOptions::ratchet_window_size
int ratchet_window_size
Controls how many previous keys are retained during ratcheting.
Definition e2ee.h:68

livekit::KeyProviderOptions::failure_tolerance
int failure_tolerance
Number of tolerated ratchet failures before reporting encryption errors.
Definition e2ee.h:71