

Call Recording Encryption

Call Recording Encryption provides additional security on your Twilio Call Recordings by encrypting them with your public key. This feature is currently in Dev Preview and you can sign up for access here.

Configuring Public Keys for Encryption

  1. Generate a valid RSA key pair. This only has to be done once.
  2. Submit the public key to Twilio. This is a one-time requirement and can be done via the API, or directly in the Console.

Enabling Call Recording Encryption

Enabling recording encryption will be supported at an account level and is available as a setting in the Console. When enabling, the public key to use for encryption must be selected. Only public keys that have previously been uploaded via the API or console for this account will be available for selection.

NOTE: Once Call Recording Encryption is enabled on the account, all subsequent recordings will be encrypted with the public key and will be returned to the customer encrypted. Twilio will have no ability to decrypt these recordings. Please initially enable this only on a test account / subaccount and confirm that your decryption process is working before enabling it for any production traffic.

Encryption Methodology

Twilio uses hybrid encryption to encrypt recordings. Twilio uses AES256-GCM to encrypt the recording content with a Content Encryption Key (CEK), and RSAES-OAEP-SHA256-MGF1 to encrypt the CEK with the Customer Public Key (CPK.pub). The CEK is randomly generated per recording and discarded once encryption is finished. The CEK is never stored in plaintext.

Recording Resource Encryption Properties

In addition to the Recording Resource properties documented here, Call Recording Encryption introduces the following properties:

Property: EncryptionDetails
Description: JSON object that includes the relevant encryption details if the recording was encrypted; null if not encrypted. The encryption properties include:
  type: The type of encryption. Currently the only supported value is rsa-aes.
  public_key_sid: A 34-character string that uniquely identifies the public key resource used for recording encryption.
  encrypted_cek: Encrypted content encryption key used for recording encryption (base64 encoded).
  iv: Randomly generated initialization vector used for recording encryption (base64 encoded).

Property: ErrorCode
Description: Numeric error code indicating the type of recording failure, if Status is failed. The value will be null for all other statuses.

RecordingStatusCallback Encryption Parameters

RecordingStatusCallback is the reliable way to receive webhooks for completed recordings.
Please see this support article for more details. Note that you can also subscribe to a 'failed' RecordingStatusCallbackEvent to receive information on encryption related failures.

The additional encryption-related parameters in RecordingStatusCallback are:

Parameter: EncryptionDetails
Description: JSON object that includes the relevant encryption details if the recording was encrypted; not included in the callback if not encrypted. The encryption properties include:
  type: The type of encryption. Currently the only supported value is rsa-aes.
  public_key_sid: A 34-character string that uniquely identifies the public key resource used for recording encryption.
  encrypted_cek: Encrypted content encryption key used for recording encryption (base64 encoded).
  iv: Randomly generated initialization vector used for recording encryption (base64 encoded).
Sent on: completed event

Parameter: ErrorCode
Description: Numeric error code indicating the type of recording failure, if Status is failed. ErrorCode is not included in the callback for other Statuses.
Sent on: failed event

Per Recording Decryption Steps (Customer)

Please see the Twilio-provided code samples for decryption.

  1. Obtain the public_key_sid, encrypted_cek and iv parameters within EncryptionDetails via the recordingStatusCallback or by performing a GET on the recording resource.
  2. Retrieve the customer private key corresponding to public_key_sid and use it to decrypt the base64-decoded encrypted_cek via RSAES-OAEP-SHA256-MGF1.
  3. Initialize an AES256-GCM SecretKey object with the decrypted CEK and the base64-decoded iv.
  4. Decrypt the encrypted recording using the SecretKey.
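The four decryption steps above, together with the hybrid scheme from the Encryption Methodology section, as an added Go example built on the standard library only; it is not one of Twilio's own code samples. It also models Twilio's encrypt side so the round trip runs offline. The 12-byte IV, the GCM tag being appended to the ciphertext, an empty OAEP label, and the key SID value are assumptions the page does not state.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// EncryptionDetails mirrors the page's fields; encrypted_cek and iv are base64 strings.
type EncryptionDetails struct{ Type, PublicKeySID, EncryptedCEK, IV string }

// EncryptRecording models Twilio's side: fresh 256-bit CEK per recording, AES-256-GCM over the
// content, CEK wrapped with RSAES-OAEP-SHA256-MGF1. Assumed: 12-byte IV, GCM tag appended to ct.
func EncryptRecording(pub *rsa.PublicKey, sid string, rec []byte) ([]byte, EncryptionDetails, error) {
	cek, iv := make([]byte, 32), make([]byte, 12)
	rand.Read(cek)
	rand.Read(iv)
	block, _ := aes.NewCipher(cek) // cannot fail: cek is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return nil, EncryptionDetails{}, err
	}
	b64 := base64.StdEncoding.EncodeToString // the plaintext CEK is discarded once this returns
	return gcm.Seal(nil, iv, rec, nil), EncryptionDetails{"rsa-aes", sid, b64(wrapped), b64(iv)}, nil
}

// DecryptRecording is the customer side of steps 1-4. GCM verifies its tag, so a modified
// ciphertext, wrong IV or wrong private key returns an error rather than garbage audio.
func DecryptRecording(priv *rsa.PrivateKey, d EncryptionDetails, ct []byte) ([]byte, error) {
	wrapped, err := base64.StdEncoding.DecodeString(d.EncryptedCEK)
	iv, err2 := base64.StdEncoding.DecodeString(d.IV)
	if d.Type != "rsa-aes" || err != nil || err2 != nil {
		return nil, fmt.Errorf("malformed EncryptionDetails for key %s", d.PublicKeySID)
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil) // SHA-256 for hash and MGF1
	if err != nil {
		return nil, fmt.Errorf("unwrap CEK: %w", err)
	}
	block, err := aes.NewCipher(cek)
	if err != nil { // CEK of unexpected length: treat as a key mismatch
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // only fails for non-16-byte block sizes; AES is 16
	return gcm.Open(nil, iv, ct, nil)
}
```

Test the round trip on a subaccount first, as the note above advises: a key mismatch surfaces here as an OAEP unwrap error, and a corrupted download as a GCM authentication error.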

Failure scenarios:

Twilio is unable to determine or retrieve the public key configured for recording encryption

  1. In this scenario, the most recently added retrievable public key on the account will be used for encryption, if one exists.
  2. The public_key_sid within EncryptionDetails will be the SID of the public key actually used, not necessarily the one configured.
  3. A notification to the account will be sent which indicates that an alternative public key was used.

Twilio is unable to encrypt the recording because there are no public keys on the account or an intermittent system issue occurred

  1. Recording is deleted and will not be available for access.
  2. Recording resource will have a Status of failed, ErrorCode of 13624 and EncryptionDetails will be null.
  3. A recordingStatusCallback will be sent (if configured via RecordingStatusCallbackEvent) with a Status of failed, ErrorCode of 13624, and EncryptionDetails will be null and not included in the callback.
  4. A notification to the account will be sent which indicates whether the failure was due to inaccessibility of public keys or an internal system error.

Vineet Agarwal, Andrew Baker, David Prothero