reference/client-sdk-cpp/e2ee_8h_source.html

/*

 * Copyright 2025 LiveKit

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an “AS IS” BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */


#pragma once


#include <cstdint>

#include <memory>

#include <optional>

#include <string>

#include <vector>


#include "livekit/visibility.h"


namespace livekit {


enum class EncryptionType {

  NONE = 0,

  GCM = 1,

  CUSTOM = 2,

};


enum class KeyDerivationFunction {

  PBKDF2 = 0,

  HKDF = 1,

};


inline constexpr const char* kDefaultRatchetSalt = "LKFrameEncryptionKey";

inline constexpr int kDefaultRatchetWindowSize = 16;

inline constexpr int kDefaultFailureTolerance = -1;

inline constexpr int kDefaultKeyRingSize = 16;

inline constexpr KeyDerivationFunction kDefaultKeyDerivationFunction = KeyDerivationFunction::PBKDF2;


struct KeyProviderOptions {

  std::optional<std::vector<std::uint8_t>> shared_key;


  std::vector<std::uint8_t> ratchet_salt = std::vector<std::uint8_t>(

      kDefaultRatchetSalt, kDefaultRatchetSalt + std::char_traits<char>::length(kDefaultRatchetSalt));


  int ratchet_window_size = kDefaultRatchetWindowSize;


  int failure_tolerance = kDefaultFailureTolerance;


  int key_ring_size = kDefaultKeyRingSize;


  KeyDerivationFunction key_derivation_function = kDefaultKeyDerivationFunction;

};


struct E2EEOptions {

  KeyProviderOptions key_provider_options{};

  EncryptionType encryption_type = EncryptionType::GCM; // default & recommended

};


class LIVEKIT_API E2EEManager {

public:


  class LIVEKIT_API KeyProvider {

  public:

    ~KeyProvider() = default;


    KeyProvider(const KeyProvider&) = delete;

    KeyProvider& operator=(const KeyProvider&) = delete;

    KeyProvider(KeyProvider&&) noexcept = default;

    KeyProvider& operator=(KeyProvider&&) noexcept = default;


    const KeyProviderOptions& options() const;


    void setSharedKey(const std::vector<std::uint8_t>& key, int key_index = 0);


    std::vector<std::uint8_t> exportSharedKey(int key_index = 0) const;


    std::vector<std::uint8_t> ratchetSharedKey(int key_index = 0);


    void setKey(const std::string& participant_identity, const std::vector<std::uint8_t>& key, int key_index = 0);


    std::vector<std::uint8_t> exportKey(const std::string& participant_identity, int key_index = 0) const;


    std::vector<std::uint8_t> ratchetKey(const std::string& participant_identity, int key_index = 0);


  private:

    friend class E2EEManager;

    KeyProvider(std::uint64_t room_handle, KeyProviderOptions options);

    std::uint64_t room_handle_{0};

    KeyProviderOptions options_;

  };


  class LIVEKIT_API FrameCryptor {

  public:

    FrameCryptor(std::uint64_t room_handle, std::string participant_identity, int key_index, bool enabled);

    ~FrameCryptor() = default;

    FrameCryptor(const FrameCryptor&) = delete;

    FrameCryptor& operator=(const FrameCryptor&) = delete;

    FrameCryptor(FrameCryptor&&) noexcept = default;

    FrameCryptor& operator=(FrameCryptor&&) noexcept = default;


    const std::string& participantIdentity() const;

    int keyIndex() const;

    bool enabled() const;


    void setEnabled(bool enabled);


    void setKeyIndex(int key_index);


  private:

    std::uint64_t room_handle_{0};

    bool enabled_{false};

    std::string participant_identity_;

    int key_index_{0};

  };


  ~E2EEManager() = default;

  E2EEManager(const E2EEManager&) = delete;

  E2EEManager& operator=(const E2EEManager&) = delete;

  E2EEManager(E2EEManager&&) noexcept = delete;

  E2EEManager& operator=(E2EEManager&&) noexcept = delete;


  bool enabled() const;


  void setEnabled(bool enabled);


  std::weak_ptr<KeyProvider> keyProvider();

  std::weak_ptr<const KeyProvider> keyProvider() const;


  std::vector<E2EEManager::FrameCryptor> frameCryptors() const;


protected:

  explicit E2EEManager(std::uint64_t room_handle, const E2EEOptions& options);

  friend class Room;


private:

  std::uint64_t room_handle_{0};

  bool enabled_{false};

  E2EEOptions options_;

  std::shared_ptr<KeyProvider> key_provider_;

};


} // namespace livekit

livekit::E2EEManager::FrameCryptor
Frame-level cryptor controls for one participant.
Definition e2ee.h:164

livekit::E2EEManager::FrameCryptor::setKeyIndex
void setKeyIndex(int key_index)
Sets the active key index for this participant cryptor.

livekit::E2EEManager::FrameCryptor::setEnabled
void setEnabled(bool enabled)
Enables or disables frame encryption/decryption for this participant.

livekit::E2EEManager::KeyProvider
Manages encryption keys used by the E2EE pipeline.
Definition e2ee.h:126

livekit::E2EEManager::KeyProvider::exportSharedKey
std::vector< std::uint8_t > exportSharedKey(int key_index=0) const
Exports the shared key for a given key slot.

livekit::E2EEManager::KeyProvider::setKey
void setKey(const std::string &participant_identity, const std::vector< std::uint8_t > &key, int key_index=0)
Sets a key for a specific participant identity.

livekit::E2EEManager::KeyProvider::setSharedKey
void setSharedKey(const std::vector< std::uint8_t > &key, int key_index=0)
Sets the shared key for the given key slot.

livekit::E2EEManager::KeyProvider::options
const KeyProviderOptions & options() const
Returns the options used to initialize this KeyProvider.

livekit::E2EEManager::KeyProvider::exportKey
std::vector< std::uint8_t > exportKey(const std::string &participant_identity, int key_index=0) const
Exports a participant-specific key.

livekit::E2EEManager::KeyProvider::ratchetSharedKey
std::vector< std::uint8_t > ratchetSharedKey(int key_index=0)
Ratchets the shared key at key_index and returns the newly derived key.

livekit::E2EEManager::KeyProvider::ratchetKey
std::vector< std::uint8_t > ratchetKey(const std::string &participant_identity, int key_index=0)
Ratchets a participant-specific key and returns the new key.

livekit::E2EEManager
E2EE manager for a connected room.
Definition e2ee.h:117

livekit::Room
Represents a LiveKit room session.
Definition room.h:98

livekit
Public API for the LiveKit C++ Client SDK.
Definition audio_frame.h:25

livekit::kDefaultRatchetSalt
constexpr const char * kDefaultRatchetSalt
Defaults (match Rust KeyProviderOptions::default()).
Definition e2ee.h:44

livekit::KeyDerivationFunction
KeyDerivationFunction
Key derivation algorithm used by the key provider.
Definition e2ee.h:38

livekit::EncryptionType
EncryptionType
Encryption algorithm type used by the underlying stack.
Definition e2ee.h:31

livekit::E2EEOptions
End-to-end encryption (E2EE) configuration for a room.
Definition e2ee.h:97

livekit::KeyProviderOptions
Options for configuring the key provider used by E2EE.
Definition e2ee.h:57

livekit::KeyProviderOptions::shared_key
std::optional< std::vector< std::uint8_t > > shared_key
Shared static key for "shared-key E2EE" (optional).
Definition e2ee.h:65

livekit::KeyProviderOptions::ratchet_salt
std::vector< std::uint8_t > ratchet_salt
Salt used when deriving ratcheted keys.
Definition e2ee.h:70

livekit::KeyProviderOptions::key_ring_size
int key_ring_size
Number of key slots retained by the key provider.
Definition e2ee.h:80

livekit::KeyProviderOptions::key_derivation_function
KeyDerivationFunction key_derivation_function
Algorithm used when deriving ratcheted keys.
Definition e2ee.h:83

livekit::KeyProviderOptions::ratchet_window_size
int ratchet_window_size
Controls how many previous keys are retained during ratcheting.
Definition e2ee.h:74

livekit::KeyProviderOptions::failure_tolerance
int failure_tolerance
Number of tolerated ratchet failures before reporting encryption errors.
Definition e2ee.h:77