Privacy First

End-to-End Encryption

Optional E2EE for your meetings. The server relays encrypted media — only participants can decrypt. Your keys, your data, your control.

How It Works

Three simple principles that keep your meetings private from server to screen.

Toggle E2EE On

Enable E2EE per room in the settings. A toggle — not a config file edit.

Share the Key

Encryption keys live in the URL fragment — never sent to the server. Share the link securely with participants.

Blind Relay

The LiveKit SFU forwards encrypted frames without decryption. The server never sees your video or audio content.

Zero-Knowledge Architecture

Client-Side Key Generation

Encryption keys are generated in the browser. Never transmitted to or stored on the server.

Blind SFU Relay

LiveKit forwards encrypted RTP frames as-is. No decryption, no inspection, no recording of content.

Insertable Streams API

Encryption operates at the WebRTC frame level via RTCRtpSender and RTCRtpReceiver transforms.

Web Worker Isolation

Cryptographic operations run in a dedicated background thread. The main UI thread never handles raw keys.

Architecture

Data never touches the server in cleartext. Here is how the encrypted path works end to end.

Sender Client A

A

Media Feed

Frame payload

Outbound Pipeline:

Plaintext frames

🔍 Inspectable LiveKit SFU

Relaying encrypted frames

Server can read frames (plaintext)

SFU Pipeline:

Frame [clear]

Receiver Client B

B

Decoded Output

Frame payload

Inbound Pipeline:

Plaintext frames

Standard Mode: The SFU sees raw frame data. Media is encrypted in transit (TLS) but the server can inspect content.

Platform Support

E2EE works across every Bedrud client. Each platform uses its LiveKit SDK's native E2EE support.

Web

Android

iOS

Desktop

Key Features

What makes Bedrud E2EE different from platform-controlled encryption.

Per-Room Control

Enable E2EE on individual rooms. Keep public rooms open and secure sensitive meetings.

Zero-Knowledge Server

Your self-hosted server never holds encryption keys. Even you — the infrastructure owner — cannot decrypt participant media.

Recording Not Possible

When E2EE is enabled, the server cannot record or transcribe meeting content. Privacy is enforced by the encryption layer.

Fully Auditable

Every line of the encryption pipeline — from key generation to frame transform — is open source under Apache 2.0.

Try It Yourself

Join a live demo meeting with E2EE enabled. No account, no install, no commitment.

Open Live Demo Read the Docs