Videobridge + CPU Performance. How to enable AES encryption?

Hello Jitsi team,

What is the correct way to enable encryption/decryption on Jitsi Videobridge with AES?

I have a server with an Intel proc and AES-NI support on board.
openssl & java also have the AES option enabled in my OS.

Is there a config value for JVB to start with AES?
Should AES also be applied to other jitsi services?

The JVB uses AES encryption by default.

Are you sure about that? I saw some mentions of the -XX:+UseAESIntrinsics flag for JVB in another topic.
Also, I have a question about the disableE2EE option in the Jitsi Meet .js config.
By default the option is false, so does the web application perform extra encryption (in addition to SSL) for all messages and data streams?
Many thanks!

Yes, I am. What you saw might be related to the implementation because IIRC we use OpenSSL if available, and fall back to a Java-based implementation otherwise.

If you enable E2EE then yes, the application performs an extra step of encryption (it’s encrypted twice then).

Thank you for such important details!

AFAIK, disableE2EE is set to false on a clean Jitsi, so doubled encryption is enforced on the default setup. It sounds like that encryption is redundant for group calls. If we disable E2EE, would it affect mobile or PC clients?

E2EE is disabled by default.

OK, disableE2EE = false means E2EE is disabled. Many thanks! )

LOL… no, that means E2EE is enabled.

Now I’m confused. Does "disableE2EE = false" mean that E2EE is enabled or disabled? Is there another way to check E2EE status?

Read it like this:

Question: “Should I disable E2EE?” [disableE2EE]

Answer 1: “Yes you should” [true] - means E2EE is disabled

Answer 2: “No you shouldn’t” [false] - means E2EE is not disabled (meaning, it’s ENabled)

You can test it in your deployment. If you set that flag to “true”, you won’t see E2EE as an option in the security pop-up box.

Oh, disableE2EE is just a flag for the UI
Thank you Freddie ))

It’s not redundant. The AES encryption that JVB always uses is a DTLS session between JVB and each user, so the decrypted traffic is in memory on the JVB as it passes through. The operator of the JVB could, if they wanted to, capture it. The extra layer of encryption provided by E2EE is a layer which the JVB is not a party to, so it prevents that.
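
The two layers described in the last reply, as an added example that is not part of the thread or of Jitsi's code: a simplified Node.js model in which AES-256-GCM stands in for both the per-user DTLS-protected hop and the E2EE frame layer. The keys, the function names (`seal`, `open`, `relay`) and the sample frame are constructed for illustration.

```javascript
// Simplified model (assumption): real JVB hops use DTLS-SRTP and real E2EE works
// per media frame; AES-256-GCM is used for both layers here only to show who holds which key.
const crypto = require('node:crypto');

// Encrypt and return iv (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Reverse of seal(); throws if the key is wrong or the data was modified.
function open(key, sealed) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  decipher.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]);
}

// Constructed keys: each hop key is shared with the bridge, the E2EE key is not.
const hopAlice = crypto.randomBytes(32); // Alice <-> bridge
const hopBob = crypto.randomBytes(32);   // bridge <-> Bob
const e2eeKey = crypto.randomBytes(32);  // Alice <-> Bob only

// Send one frame from Alice to Bob through the bridge and report what the bridge held.
function relay(frame, useE2EE) {
  const media = Buffer.from(frame);
  // Sender: optional inner E2EE layer, then the hop layer towards the bridge.
  const payload = useE2EE ? seal(e2eeKey, media) : media;
  const onWire = seal(hopAlice, payload);
  // Bridge: terminates Alice's hop, so this buffer sits decrypted in its memory.
  const seenByBridge = open(hopAlice, onWire);
  const toBob = seal(hopBob, seenByBridge);
  // Receiver: removes the hop layer, then the inner layer if one was applied.
  const inner = open(hopBob, toBob);
  const received = useE2EE ? open(e2eeKey, inner) : inner;
  return {
    bridgeSeesPlaintext: seenByBridge.equals(media),
    received: received.toString(),
  };
}

console.log('hop encryption only:', relay('constructed media frame', false));
console.log('hop encryption + E2EE:', relay('constructed media frame', true));
```

Without the inner layer the bridge holds the plaintext frame after terminating the hop; with it, the bridge only ever holds ciphertext it has no key for, while the receiver still recovers the frame.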