To improve data security the CareAR team has implemented measures to encrypt user’s data through all phases of the end user’s usage. This guide is to better understand the mechanisms of encryption utilized for a standard CareAR session.
Important: This article is designed for endpoints to be utilizing CareAR Assist 21.06 functionality or newer to utilize encryption. Older endpoints should be upgraded by downloading our latest versions available: https://carear.app/#/download.
Database
The database handles both data at rest, such as session activity and user accounts as well as transient data such as sessions starting and participants in the session. This database is hosted using Google Cloud Platform (“GCP”) based data centers.
All data within the GCP infrastructure is encrypted. This means that data is encrypted both at rest (https://cloud.google.com/security/encryption/default-encryption/ ) and in transit (https://cloud.google.com/security/encryption-in-transit).
Media traffic
In transit audio and video related traffic of CareAR sessions are also encrypted (depending on your organization’s CareAR tenant configuration). This in transit data connects multiple participants as well as video recording (if configured) using Agora.io as the media engine. Depending on the scenario of your CareAR session the encryption will function in one of two methods – End-to-End or Hop-by-Hop.
|
Guest joins as… |
End-to-End |
Hop-by-Hop |
|
Installed Application (non-browser) |
X |
|
|
Web Browser Client |
|
X |
|
Smart Glasses |
|
X |
|
Video Recorder |
|
X |
Type of encryption for Media
When encryption is enabled the media traffic transmits between endpoints and media servers as SRTP traffic. This SRTP traffic is configured with 256-bit AES encryption. This 256-bit AES encryption will be in the form of either end-to-end encryption or hop-by-hop encryption depending on the configuration settings of the tenant.
Endpoints
- Application (host) – Application (collaborator / guest)
When all participants are connected via the CareAR Assist installed application data is full end-to-end encryption.
- Application (host) – Web (collaborator / guest)
When a participant joins the CareAR session through another CareAR Assist application (such as the web browser client) the encryption changes from end-to-end encryption to hop-by-hop encryption. This stems from the need to convert the audio and video traffic from the application to the web browser client.
- Recording
When video recording is utilized, regardless of which endpoint the guest joins with, will have hop-by-hop. This is needed in order to convert the media stream to recorded file. To learn more about the Recording Security in more detail please view our article here: CareAR Session Recording Security
Controlling your Configuration
Administrators of your CareAR tenant can log into the admin web portal: https://carear.app/#/admin to adjust the configuration of the environment. The following settings play a part in your encryption selections.
Recording configuration
Leaving your recording configuration blank will result in no video recordings being achievable. This will mean the recording endpoint which would change encryption to hop-by-hop to not be engaged due to recording. For help on how to configure your video recording configuration please visit our article here:
For additional information about recording security please visit our article here: CareAR Session Recording Security
Encryption on / off
Encryption being on (end-to-end or hop-by-hop, based on the other configurations) or being off in it’s entirety is controlled with the drop down option of On (encryption enabled) or Off (encryption disabled). Upon selection click Save.
Guest join by browser & Guest join by smart glasses
The ability to have the end user invited to join the session outside of the CareAR native (installed) application is available to select from. In order to take advantage of either of these technologies does cause the encryption (if enabled) to change to hop-by-hop when one of these endpoints join a session. To maintain end-to-end encryption both of these guest join options can be left to off. When off the joining end user will not be able to select these endpoint types and will not engage hop-by-hop encryption (pending other configuration options).
End-to-End Encryption only
If you would like to maintain end-to-end encryption as the only option and not allow the session to change to hop-by-hop encryption you must have encryption on as well as both recording and join by browser turned off.