Notification

Learn about call & meeting encryption in Google Meet

To keep your data safe, Google Meet uses several encryption methods.

  • End-to-end encryption: Mask the data with a code that only you and other participants can access.
  • Cloud encryption: Secure your information in transit and at rest in Google's data centers.
  • Client-side encryption: Organizations can maintain full control of their encryption keys and add an extra layer of protection. Learn more about client-side encryption.

When you communicate in Google Meet, you can use either:

Meet calling has already rolled out to Business and EDU users and is now rolling out to users with personal accounts over the next few months.

To use the new calling experience as soon as it's available to you, keep your Meet app up-to-date. When all parties in the call use the latest version of Meet with the update, an in-app prompt explains that they are now using the new calling experience. Otherwise, the call defaults to the legacy calling experience. Once all users have the updated Meet app, legacy calling is no longer accessible.

To make sure your data is safe, Google Meet uses several encryption methods. End-to-end encryption is used to mask data with a code that only you and the other callers have access to. Cloud encryption ensures your information is encrypted in transit and at rest in Google's data centers.

Organizations can also use client-side encryption to have full control of their encryption keys to add an additional layer of protection. Learn more about client-side encryption.

Learn how end-to-end encrypted Legacy Calls (previously known as Duo) work

End-to-end encryption:

  • Is a security method that provides additional communication protection.
  • Is built into every 1:1 and group Legacy Calls (previously known as Duo). It’s on by default and can’t be turned off.
  • Only lets people in a call know what’s said or shown.
  • Doesn’t allow Google to view, hear, or save the audio and video from your call.

You’ll find these End-to-end encrypted (E2EE) symbols show up in legacy calls:

  • A shield with a lock inside .
    • If you tap this icon, it shows “End-to-end encrypted.”
  • During a legacy call: A shield with a lock inside, with the words “End-to-end encrypted,” which fades when you switch to full screen End to end encrypted icon.

For 1:1 and group Legacy Calls (previously known as Duo), end-to-end encryption means that a call’s data (its audio and video) is encrypted from your device to your contact’s device. The encrypted audio and video can only be decoded with a shared secret key.

The key:

  • Is a number created on your device and the device you call. It exists only on those devices.
  • Disappears when the call ends.
  • Isn’t shared with:
    • Google
    • Other users
    • Other devices

Even if someone gains access to the call data, they can’t understand it without the key.

How we protect your data in 1:1 calls

Shared secret keys stay on the callers’ devices

Your device decrypts your call’s audio and video with a shared secret key. This key is created on your device and your contact’s device and is deleted after the call ends. It’s not shared with any server.

What’s needed for a shared key

To calculate the shared key, each device needs:

  • A private key, which is saved only on your device
  • A public key, which is saved on Duo’s servers

The first time you set up or link your calling account in Meet, your device creates several private/public key pairs. This way, you’re ready for several end-to-end encrypted calls.

How shared secret keys are created

  • The devices exchange their public keys but don’t reveal their private keys.
  • Next, each device uses its private key and the public key from the other device to calculate the shared secret key. They use a mathematical process called cryptography.

Google servers can’t decode your call

When you call someone else on Duo, your call’s audio and video typically go directly from your device to their device. This connection is called peer-to-peer. The call doesn’t go through a Google server.

However, sometimes a peer-to-peer connection isn't available, like if a network setting blocks it. In this case, a Google relay server passes a call’s audio and video between your device and the device you called. The server can’t decode your call because it doesn’t have the shared secret key.

How we protect your data in group calls

Group calls stay private on the server

Group calls are also end-to-end encrypted. To make sure group calls are high-quality, they go through a Google server.

That server routes everyone’s call audio and video to others in the group. To route calls, the server uses info about your call, like which device the video is from. The server doesn't have access to the end-to-end encryption keys and can't decrypt the media.

Group calls use multiple keys

To be part of a call that goes through a server, each group member’s device automatically uses:

  • A sender key to encrypt the call’s audio and video. When someone starts a group call, each device exchanges this key with the other devices.
  • A client-to-server key to encrypt info about the call. Each device exchanges this key with the server.

What the keys do

The keys work to:

  • Encrypt your call’s audio and video so that only other people in the group can hear and see it.
  • Decode the audio, video, and info from other people in the group call.

Keys can change during group calls

Everyone’s devices exchange new sender keys if either:

  • Someone leaves a group.
  • A person who wasn’t part of the group gets added to it during the call.

If a person in the group doesn’t immediately join the group call, their device can still use everyone’s sender keys. This way, that person can join the call anytime while it’s live.

When the group call ends, the keys are deleted.

Learn more in Duo's end-to-end encryption technical paper.

To help fix problems, Google Meet, uses some info about your Legacy Calls (previously known as Duo), like:

  • Why and when a call is dropped or delayed
  • The device IDs of the caller and receiver
  • Phone numbers of people in a group call

This info is securely stored for about a month on Google servers.

Learn how cloud-encrypted meetings & Meet calls work

To help ensure data security and privacy, Google Meet supports these cloud-encryption measures for meetings and Meet calls:

  • By default, meeting and Meet calls data is encrypted in transit between the client and Google data centers for meetings taking place in Google Meet.
  • By default, meeting and Meet calls recordings stored in Google Drive are encrypted at rest.
  • Meeting and Meet calls encryption adheres to:
    • Internet Engineering Task Force security standards for Datagram Transport Layer Security (DTLS)
    • Secure Real-time Transport Protocol (SRTP)

Learn more about DTLS and SRTP.

Learn how to turn on Additional encryption in Meet calls

Meet Calls are cloud encrypted by default to enable expanded cloud-encrypted features. These features include in-call messages, reactions, add-ons, polls, Q&A, and more. Your information is encrypted in transit and at rest in Google's data centers.

Users with personal accounts

Optional: To add end-to-end encryption, in the pre-call screen, turn on Additional encryption.

  • The feature is only available for calls made between users with personal accounts. If you turn on “Additional encryption” and try to make a call to a business or edu account, you get this error message: “This person’s organization doesn’t let them receive end-to-end encrypted calls.”
  • Additional encryption grays out the cloud-encrypted features that aren’t supported in Additional encryption mode, such as:
    • In-call messages
    • Reactions
    • Polls
    • Q&A
    • Add-ons
    • The ability to Report Abuse

These symbols indicate the encryption type:

  • Cloud encryption:
    • When you tap Empty shield Cloud Encryption Icon it says "This call is cloud encrypted."
  • Additional encryption:
    • When you tap a shield with a lock inside Additional Encryption Icon it says "This call is using additional encryption."
    • If you are in a call, it's a blue lock badge Blue lock badge icon.

Additional encryption

Users with Business or EDU accounts

The Additional encryption toggle isn’t available and calls are always cloud encrypted.

Related Resources

Search
Clear search
Close search
Main menu
16655749437068279664
true
Search Help Center
true
true
true
true
true
713370
false
false