Learn about call & meeting encryption in Google Meet

To keep your data safe, Google Meet uses several encryption methods:

  • End-to-end encryption: Masks the data with a code that only you and other participants can access.
  • Cloud encryption: Secures your info in transit and at rest in Google's data centers.
  • Client-side encryption: Organizations can maintain full control of the encryption keys and add an extra layer of protection. Learn more about client-side encryption.

When you communicate in Google Meet, you can use either:

  • Meetings: Create a schedule or join instant meetings with a link. All meetings are cloud-encrypted.
  • Calls:

Learn how to make Meet calls with Google Meet.

To use the new calling experience as soon as it's available to you, keep your Meet app up-to-date. When everyone in the call uses the latest version of Meet, an in-app prompt shows that they're now using the new calling experience. Otherwise, your call defaults to the legacy calling experience. After you update the Meet app, legacy calling is no longer available.

Cloud encryption

Learn how cloud-encrypted meetings & Meet calls work

To keep your data secure and private, by default, Google Meet supports these cloud encryption measures for meetings and Meet calls:

  • Encrypted in transit between your device and Google data centers.
  • Call recordings are encrypted at rest when stored in Google Drive.
    • Meeting and Meet calls encryption adheres to:
      • Internet Engineering Task Force security standards for Datagram Transport Layer Security (DTLS).
      • Secure Real-time Transport Protocol (SRTP).

Additional encryption for Meet calls

Users with personal accounts

To enable expanded cloud-encrypted features, Meet Calls are cloud encrypted by default. Your info is encrypted in transit and at rest in Google's data centers.

To add end-to-end encryption, in the pre-call screen, turn on Additional encryption.

  • This feature is only available for calls made between users with personal accounts. If you turn on "Additional encryption" and try to make a call to a Business or EDU account, you get this error message: "This person's organization doesn't let them receive end-to-end encrypted calls."
  • Additional encryption grays out the cloud-encrypted features that aren't supported in Additional encryption mode, like:
    • In-call messages
    • Reactions
    • Polls
    • Q&A
    • Add-ons
    • The ability to report abuse

The icons shows the encryption type:

  • Cloud encryption:
    • When you tap the Empty shield Cloud Encryption Icon, it shows "This call is cloud encrypted."
  • Additional encryption:
    • When you tap a shield with a lock inside Additional Encryption Icon, it shows "This call is using additional encryption."
    • When you're in a call, it shows a blue lock badge Blue lock badge icon.

Additional encryption

Use Business or EDU accounts

If you have a Business or EDU account:

  • The additional encryption toggle isn't available.
  • Calls are always cloud-encrypted.

End-to-end encryption

Learn how end-to-end encrypted legacy calls work

When you use end-to-end encryption, it:

  • Adds a security method that provides additional communication protection.
  • Is built into every 1:1 and group legacy calls.
    • End-to-end encryption is on by default and you can't turn it off.
  • Only let people in your call know what you say or show.
  • Doesn't allow Google to view, hear, or save the audio and video from your call.

These icons for end-to-end encrypted show in your legacy calls:

  • A shield with a lock inside Additional Encryption Icon.
    • If you tap this icon, it shows "End-to-end encrypted."
  • A shield with a lock inside with a message "End-to-end encrypted" End to end encrypted icon. The icon disappears when you switch to full screen.

In 1:1 and group legacy calls, end-to-end encryption means a call's audio and video is encrypted from your device to your contact's device. The encrypted audio and video can only be decoded with a shared secret key.

The key:

  • Is a number created on your device and the device you call. The key exists only on those devices.
  • Disappears when the call ends.
  • Isn't shared with:
    • Google
    • Other users
    • Other devices

Tip: Even if someone accesses your call data, they can't understand it without the key.

Learn how your data in 1:1 legacy calls are protected

Shared secret keys stay on the callers' devices

  • Your device decrypts your call's audio and video with a shared secret key.
  • This key is created on your device and your contact's device and is deleted after the call ends. It's not shared with any server.
What's needed for a shared key

To calculate the shared key, each device needs:

  • A private key, which only saves on your device
  • A public key, which only saves on Duo's servers

The first time you set up or link your legacy calling account, your device creates several private and public key pairs so you're prepared for several end-to-end encrypted calls.

How shared secret keys are created
  • The devices exchange their public keys but don't reveal their private keys.
  • Next, each device uses its private and public keys from the other device to calculate the shared secret key.

Google servers can't decode your call

When you make a legacy call on Meet, your call's audio and video typically go directly from your device to your contact's device. This connection is called peer-to-peer. The call doesn't go through a Google server.

Sometimes a peer-to-peer connection isn't available, like when a network setting blocks it. In this case, a Google relay server passes your call's audio and video between your device and the device you called. The server can't decode your call because it doesn't have the shared secret key.

Learn how your data is protected in legacy group calls

Group calls stay private on the server

To ensure your group calls are high quality, these calls are end-to-end encrypted and they go through a Google server that routes everyone's call audio and video to others in the group.

To route your calls, the server uses info about your call, like which device your audio and video come from. It sends each user's audio and video to the others in the group, but it:

  • Doesn't have access to end-to-end encrypted keys
  • Can't decrypt your media
Group calls use multiple keys

To join a call that goes through a server, your device automatically uses:

  • A sender key to encrypt the call's audio and video.
    • When someone starts a group call, each device exchanges the sender's key with the other devices.
  • A client-to-server key to encrypt info about the call.
    • Each device exchanges this key with the server.
What the keys do

The keys work to:

  • Encrypt your call's audio and video so only other people in the group can hear and see it
  • Decode the audio, video, and info from other people in the group call

Keys can change in group calls

Everyone's devices exchange new sender keys if any of these happens:

  • Someone leaves a group.
  • A person who wasn't part of the group gets added to it while in the call.

If a person in your group doesn't immediately join the group call, their device can still use everyone's sender keys. This lets them join the call anytime it's live.

When the group call ends, the keys are deleted.

Related resources

Need more help?

Try these next steps:

Post to the help community Get answers from community members
true
Get the new Meet app in the play store or app store

Google Meet is your one app for video calling and meetings across all devices. Use video calling features like fun filters and effects or schedule time to connect when everyone can join.

Search
Clear search
Close search
Google apps
Main menu
9078637949585515502
true
Search Help Center
true
true
true
true
true
713370
false
false
false
false