Learn about call and meeting encryption in Google Meet

To keep your data safe, Google Meet uses several encryption methods:

  • End-to-end encryption: Masks the data with a code that only you and other participants can access.
  • Cloud encryption: Secures your info in transit and at rest in Google's data centres.
  • Client-side encryption: Organisations can maintain full control of the encryption keys and add an extra layer of protection. Learn more about client-side encryption.

When you communicate in Google Meet, you can use either:

  • Meetings: Create a schedule or join instant meetings with a link. All meetings are cloud encrypted.
  • Calls:

Learn how to make Meet calls with Google Meet.

To use the new calling experience as soon as it's available to you, keep your Meet app up to date. When everyone in the call uses the latest version of Meet, an in-app prompt shows that they're now using the new calling experience. Otherwise, your call defaults to the legacy calling experience. After you've updated the Meet app, legacy calling will no longer be available.

Cloud encryption

Learn how cloud-encrypted meetings and Meet calls work

To keep your data secure and private, by default, Google Meet supports these cloud encryption measures for meetings and Meet calls:

  • Encrypted in transit between your device and Google data centres.
  • Call recordings are encrypted at rest when stored in Google Drive.
    • Meeting and Meet call encryption adheres to:
      • Internet Engineering Task Force security standards for Datagram Transport Layer Security (DTLS).
      • Secure Real-time Transport Protocol (SRTP).

Additional encryption for Meet calls

Users with personal accounts

To enable expanded cloud-encrypted features, Meet calls are cloud encrypted by default. Your info is encrypted in transit and at rest in Google's data centres.

To add end-to-end encryption, on the pre-call screen, turn on additional encryption.

  • This feature is only available for calls made between users with personal accounts. If you turn on additional encryption and try to make a call to a Business or EDU account, you'll get this error message: 'This person's organisation doesn't let them receive end-to-end encrypted calls.'
  • Additional encryption greys out the cloud-encrypted features that aren't supported in additional encryption mode, like:
    • In-call messages
    • Reactions
    • Polls
    • Q&A
    • Add-ons
    • The ability to report abuse

The icons shows the encryption type:

  • Cloud encryption:
    • When you tap the empty shield Cloud Encryption Icon, it'll show 'This call is cloud encrypted'.
  • Additional encryption:
    • When you tap a shield with a lock inside Additional Encryption Icon, it'll show 'This call is using additional encryption'.
    • When you're in a call, it'll show a blue lock badge Blue lock badge icon.

Additional encryption

Use Business or EDU accounts

If you have a Business or EDU account:

  • The additional encryption toggle isn't available.
  • Calls are always cloud encrypted.

End-to-end encryption

Learn how end-to-end encrypted legacy calls work

When you use end-to-end encryption, it:

  • Adds a security method that provides additional communication protection.
  • Is built into every 1:1 and group legacy call.
    • End-to-end encryption is on by default and you can't turn it off.
  • Only lets people in your call know what you say or show.
  • Doesn't allow Google to view, hear or save the audio and video from your call.

These icons for end-to-end encrypted will show in your legacy calls:

  • A shield with a lock inside Additional Encryption Icon.
    • If you tap this icon, it'll show 'End-to-end encrypted'.
  • A shield with a lock inside with a message 'End-to-end encrypted' End to end encrypted icon. The icon will disappear when you switch to full screen.

In 1:1 and group legacy calls, end-to-end encryption means that a call's audio and video is encrypted from your device to your contact's device. The encrypted audio and video can only be decoded with a shared secret key.

The key:

  • Is a number created on your device and the device that you call. The key exists only on those devices.
  • Disappears when the call ends.
  • Isn't shared with:
    • Google
    • Other users
    • Other devices

Tip: Even if someone accesses your call data, they can't understand it without the key.

Learn how your data in 1:1 legacy calls is protected

Shared secret keys stay on the callers' devices

  • Your device decrypts your call's audio and video with a shared secret key.
  • This key is created on your device and your contact's device and is deleted after the call ends. It's not shared with any server.
What's needed for a shared key

To calculate the shared key, each device needs:

  • A private key, which is only saved on your device
  • A public key, which is only saved on Duo's servers

The first time that you set up or link your legacy calling account, your device creates several private and public key pairs so that you're prepared for several end-to-end encrypted calls.

How shared secret keys are created
  • The devices exchange their public keys but don't reveal their private keys.
  • Next, each device uses its private and public keys from the other device to calculate the shared secret key.

Google servers can't decode your call

When you make a legacy call on Meet, your call's audio and video typically go directly from your device to your contact's device. This connection is called peer-to-peer. The call doesn't go through a Google server.

Sometimes a peer-to-peer connection isn't available, like when a network setting blocks it. In this case, a Google relay server passes your call's audio and video between your device and the device that you called. The server can't decode your call because it doesn't have the shared secret key.

Learn how your data is protected in legacy group calls

Group calls stay private on the server

To ensure that your group calls are high quality, these calls are end-to-end encrypted and they go through a Google server that routes everyone's call audio and video to others in the group.

To route your calls, the server uses info about your call, like which device your audio and video come from. It sends each user's audio and video to the others in the group, but it:

  • Doesn't have access to end-to-end encrypted keys
  • Can't decrypt your media
Group calls use multiple keys

To join a call that goes through a server, your device automatically uses:

  • A sender key to encrypt the call's audio and video.
    • When someone starts a group call, each device exchanges the sender's key with the other devices.
  • A client-to-server key to encrypt info about the call.
    • Each device exchanges this key with the server.
What the keys do

The keys work to:

  • Encrypt your call's audio and video so that only other people in the group can hear and see it
  • Decode the audio, video and info from other people in the group call

Keys can change in group calls

Everyone's devices exchange new sender keys if any of the following happens:

  • Someone leaves a group.
  • A person who wasn't part of the group gets added to it while the call is in progress.

If a person in your group doesn't immediately join the group call, their device can still use everyone's sender keys. This lets them join the call at any time while it's live.

When the group call ends, the keys are deleted.

Related resources

Need more help?

Try these next steps:

Post to the Help Community Get answers from community members
true
Get the new Meet app for Android

Google Meet is your one app for video calling and meetings across all devices. Use video calling features like fun filters and effects or schedule time to connect when everyone can join.

Search
Clear search
Close search
Google apps
Main menu
1267661020523473402
true
Search Help Centre
false
true
true
true
true
true
713370
false
false
false
false