When you use an Android phone on Google Fi to and are on a call with another Android phone on Google Fi, the call stays private between the two of you with end-to-end encryption.
- The audio is encoded, and can only be decoded with a shared secret key.
- Each device has a private key and a public key, which aren't saved.
When you use end-to-end encryption, nobody, including Google, can hear your call’s audio since they don't have the secret key for each call.
If your call is protected with end-to-end encryption and you’re using the Google Phone app 
on the screen before your call is connected and during the call. When you place any encrypted call, you’ll hear a unique ringing tone before being connected.
Voicemails are not end-to-end encrypted.
End-to-end encryption is an industry standard security method that protects data in communication.
Encryption means your data is hidden using a secret code. A key is needed to decode and access the data. When your call is end-to-end encrypted, only the caller and call receiver have access to the key so no one else, including Google, can hear the contents of your call.
This means that when your call is end-to-end encrypted, the audio of the call is encrypted from your device to the device of the person you’re calling. The encrypted audio can then only be decoded, or accessed, with a shared key.
This key is a number that’s created on your device and the device you called. It only exists on those devices.
The key is kept private in a few ways:
- The key isn’t shared with Google, anyone else, or other devices.
- It is automatically deleted as soon as the call ends.
If a third party gains access to the data for the call, they won’t be able to understand the call because they don’t have the key so the call audio is indecipherable.
To calculate the shared key, each device needs:
- A private key that is created for every call.
- A public key which is created for every call and is not saved on the Google Fi servers.
How shared secret keys are created
The devices exchange their public keys through the Google Fi servers but don’t reveal their private keys. Each device uses its private key and the public key from the other device to calculate the shared secret key.
End-to-end encrypted calls will go through Google Fi servers, but because Google doesn’t have the shared secret key, Google can’t decode the call.
Turn on Wi-Fi calling to make sure your call on an Android phone with Google Fi to another Android phone with Google Fi has end-to-end encryption.
Wi-Fi calling must be turned on to be eligible for end-to-end encryption, but you can still make end-to-end encrypted calls even if your call isn’t using Wi-Fi.