How End-to-End Encrypted Video Calls Actually Work
Most video call platforms claim security but don't encrypt the actual media. Cloak uses WebRTC Insertable Streams to encrypt every audio and video frame before it leaves your device.
Most "encrypted" video calls are not what you think
When Zoom, Google Meet, or Microsoft Teams say your calls are "encrypted," they usually mean encryption in transit, meaning your data is protected between your device and their server. But the server itself can decrypt and process your video and audio. This means the company, or anyone who compromises their server, can access your call content.
True end-to-end encrypted video calls are different. The media is encrypted on your device and can only be decrypted by the other participants. The server relays encrypted packets but never has access to the plaintext audio or video.
How Cloak encrypts video calls
Cloak uses the WebRTC Insertable Streams API to implement true end-to-end encryption for voice and video calls. Here is how it works:
- Frame-level encryption: every individual audio and video frame is encrypted with AES-256-GCM before it leaves your device
- Shared session keys: call participants exchange encryption keys using the Signal Protocol, so only participants can decrypt the media
- Server relay (SFU): for paid users, encrypted frames are forwarded through a Selective Forwarding Unit. The SFU never decrypts the content; it just routes encrypted packets
- Peer-to-peer (P2P): for free users, encrypted frames go directly between devices with no server intermediary at all
SFU vs P2P: two paths, same encryption
Both Cloak's Server Relay (SFU) and Peer-to-Peer modes use the same frame-level end-to-end encryption. The difference is how the encrypted data travels:
| Mode | How it works | IP privacy | Available on |
|---|---|---|---|
| Server Relay (SFU) | Encrypted frames routed through Cloak's server | IP hidden from other participants | Paid tiers |
| Peer-to-Peer (P2P) | Encrypted frames sent directly between devices | IP visible to participants | All tiers |
Why frame-level encryption matters
Some platforms claim E2EE for calls but only encrypt the signaling layer, not the actual media. Cloak encrypts every frame, meaning even if someone intercepts the raw WebRTC stream, they get unintelligible encrypted data.
Combined with Cloak's zero-knowledge architecture, this means:
- Cloak cannot listen to your calls
- Cloak cannot watch your video
- Cloak cannot see your screen shares
- Even if Cloak's servers are compromised, call content remains encrypted
Encrypted screen sharing too
Screen sharing on Cloak uses the same frame-level encryption as video calls. Whether you are sharing a presentation, a code editor, or your entire desktop, every frame is encrypted before transmission. No other major chat platform offers encrypted screen sharing with this level of security.
Try encrypted calls on Cloak
Cloak's encrypted voice and video calls are available on the free tier via P2P, and on paid tiers with the option to use Server Relay for additional IP privacy. Available on Windows, macOS, and Linux.
Download Cloak and experience truly private video calls, where not even the platform can listen in.
Related reading
Ready to try Cloak?
Download Cloak for free on Windows, macOS, or Linux. End-to-end encrypted messaging, video calls, and file sharing. No compromises.