livekit-client 2.15.6 → 2.15.8

package/src/e2ee/worker/DataCryptor.test.ts

@@ -0,0 +1,271 @@
+import { describe, expect, it, vitest } from 'vitest';
+import { IV_LENGTH, KEY_PROVIDER_DEFAULTS } from '../constants';
+import type { KeyProviderOptions } from '../types';
+import { createKeyMaterialFromString } from '../utils';
+import { DataCryptor } from './DataCryptor';
+import { ParticipantKeyHandler } from './ParticipantKeyHandler';
+
+function prepareParticipantTestKeys(
+  participantIdentity: string,
+  partialKeyProviderOptions: Partial<KeyProviderOptions>,
+): ParticipantKeyHandler {
+  const keyProviderOptions = { ...KEY_PROVIDER_DEFAULTS, ...partialKeyProviderOptions };
+  return new ParticipantKeyHandler(participantIdentity, keyProviderOptions);
+}
+
+describe('DataCryptor', () => {
+  const participantIdentity = 'testParticipant';
+
+  describe('encrypt', () => {
+    it('throws error when no key set', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      const data = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+
+      await expect(DataCryptor.encrypt(data, keys)).rejects.toThrow('No key set found');
+    });
+
+    it('encrypts data successfully with key', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('test-key'), 1);
+
+      const plainData = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+      const result = await DataCryptor.encrypt(plainData, keys);
+
+      expect(result.payload).toBeInstanceOf(Uint8Array);
+      expect(result.iv).toBeInstanceOf(Uint8Array);
+      expect(result.iv.length).toBe(IV_LENGTH);
+      expect(result.keyIndex).toBe(1);
+      expect(result.payload).not.toEqual(plainData);
+      expect(result.payload.length).toBeGreaterThan(0);
+    });
+
+    it('generates different IV for each encryption', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('test-key'), 1);
+
+      const data = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+
+      const result1 = await DataCryptor.encrypt(data, keys);
+      const result2 = await DataCryptor.encrypt(data, keys);
+
+      expect(result1.iv).not.toEqual(result2.iv);
+      expect(result1.payload).not.toEqual(result2.payload);
+    });
+
+    it('uses correct key index from key handler', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('test-key'), 5);
+
+      const data = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+      const result = await DataCryptor.encrypt(data, keys);
+
+      expect(result.keyIndex).toBe(5);
+    });
+  });
+
+  describe('decrypt', () => {
+    it('throws error when no key set for index', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      const data = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+      const iv = new Uint8Array(IV_LENGTH);
+
+      await expect(DataCryptor.decrypt(data, iv, keys, 1)).rejects.toThrow('No key set found');
+    });
+
+    it('decrypts data successfully with correct key', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('test-key'), 1);
+
+      const plainData = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16]);
+
+      // First encrypt the data
+      const encrypted = await DataCryptor.encrypt(plainData, keys);
+
+      // Then decrypt it
+      const decrypted = await DataCryptor.decrypt(
+        encrypted.payload,
+        encrypted.iv,
+        keys,
+        encrypted.keyIndex,
+      );
+
+      expect(decrypted.payload).toEqual(plainData);
+    });
+
+    it('fails to decrypt with incorrect key', async () => {
+      const keys1 = prepareParticipantTestKeys('participant1', {});
+      const keys2 = prepareParticipantTestKeys('participant2', {});
+
+      await keys1.setKey(await createKeyMaterialFromString('correct-key'), 1);
+      await keys2.setKey(await createKeyMaterialFromString('wrong-key'), 1);
+
+      const plainData = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+
+      // Encrypt with first key
+      const encrypted = await DataCryptor.encrypt(plainData, keys1);
+
+      // Try to decrypt with second (wrong) key
+      await expect(
+        DataCryptor.decrypt(encrypted.payload, encrypted.iv, keys2, encrypted.keyIndex),
+      ).rejects.toThrow();
+    });
+
+    it('handles ratcheting when enabled', async () => {
+      const senderKeys = prepareParticipantTestKeys('sender', {
+        ratchetWindowSize: 2,
+      });
+      const receiverKeys = prepareParticipantTestKeys('receiver', {
+        ratchetWindowSize: 2,
+      });
+
+      // Both start with the same initial key
+      const initialMaterial = await createKeyMaterialFromString('test-key');
+      await senderKeys.setKey(initialMaterial, 1);
+      await receiverKeys.setKey(initialMaterial, 1);
+
+      const plainData = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+
+      // Sender ratchets their key forward
+      await senderKeys.ratchetKey(1, false);
+
+      // Sender encrypts data with the ratcheted key
+      const encrypted = await DataCryptor.encrypt(plainData, senderKeys);
+
+      // Receiver should be able to decrypt by automatically ratcheting their key
+      const decrypted = await DataCryptor.decrypt(
+        encrypted.payload,
+        encrypted.iv,
+        receiverKeys,
+        encrypted.keyIndex,
+      );
+
+      expect(decrypted.payload).toEqual(plainData);
+    });
+
+    it('respects ratchet window size limit', async () => {
+      // Create a scenario where we have valid encrypted data that requires ratcheting but it's disabled
+      const senderKeys = prepareParticipantTestKeys('sender', {
+        ratchetWindowSize: 10, // Large window for sender
+      });
+      const receiverKeys = prepareParticipantTestKeys('receiver', {
+        ratchetWindowSize: 1, // No ratcheting allowed for receiver
+      });
+
+      // Both start with the same initial key
+      const initialMaterial = await createKeyMaterialFromString('test-key');
+      await senderKeys.setKey(initialMaterial, 1);
+      await receiverKeys.setKey(initialMaterial, 1);
+
+      const plainData = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+
+      // Sender ratchets their key forward once
+      await senderKeys.ratchetKey(1);
+      await senderKeys.ratchetKey(1);
+
+      // Sender encrypts data with the ratcheted key
+      const encrypted = await DataCryptor.encrypt(plainData, senderKeys);
+
+      // Receiver should fail to decrypt with invalid key because ratcheting is limited (window size 1)
+      await expect(
+        DataCryptor.decrypt(encrypted.payload, encrypted.iv, receiverKeys, encrypted.keyIndex),
+      ).rejects.toThrow('valid key missing for participant');
+    });
+
+    it('throws CryptorError when ratcheting disabled and decryption fails', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {
+        ratchetWindowSize: 0,
+      });
+
+      await keys.setKey(await createKeyMaterialFromString('test-key'), 1);
+
+      const invalidData = new Uint8Array([99, 98, 97, 96, 95, 94, 93, 92]);
+      const iv = new Uint8Array(IV_LENGTH);
+      crypto.getRandomValues(iv);
+
+      await expect(DataCryptor.decrypt(invalidData, iv, keys, 1)).rejects.toThrow(
+        'Decryption failed',
+      );
+    });
+  });
+
+  describe('round-trip encryption/decryption', () => {
+    it('encrypts and decrypts data correctly', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('round-trip-key'), 2);
+
+      const originalData = new Uint8Array([
+        1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25,
+        26, 27, 28, 29, 30, 31, 32,
+      ]);
+
+      const encrypted = await DataCryptor.encrypt(originalData, keys);
+      const decrypted = await DataCryptor.decrypt(
+        encrypted.payload,
+        encrypted.iv,
+        keys,
+        encrypted.keyIndex,
+      );
+
+      expect(decrypted.payload).toEqual(originalData);
+    });
+
+    it('handles empty data', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('empty-data-key'), 1);
+
+      const emptyData = new Uint8Array(0);
+
+      const encrypted = await DataCryptor.encrypt(emptyData, keys);
+      const decrypted = await DataCryptor.decrypt(
+        encrypted.payload,
+        encrypted.iv,
+        keys,
+        encrypted.keyIndex,
+      );
+
+      expect(decrypted.payload).toEqual(emptyData);
+    });
+
+    it('handles large data', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('large-data-key'), 1);
+
+      const largeData = new Uint8Array(1024);
+      for (let i = 0; i < largeData.length; i++) {
+        largeData[i] = i % 256;
+      }
+
+      const encrypted = await DataCryptor.encrypt(largeData, keys);
+      const decrypted = await DataCryptor.decrypt(
+        encrypted.payload,
+        encrypted.iv,
+        keys,
+        encrypted.keyIndex,
+      );
+
+      expect(decrypted.payload).toEqual(largeData);
+    });
+  });
+
+  describe('IV generation', () => {
+    it('generates unique IVs with performance.now() timestamp', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('iv-test-key'), 1);
+
+      const data = new Uint8Array([1, 2, 3, 4]);
+
+      vitest.useFakeTimers();
+      const time1 = 1000;
+      vitest.setSystemTime(time1);
+      const result1 = await DataCryptor.encrypt(data, keys);
+
+      vitest.setSystemTime(2000);
+      const result2 = await DataCryptor.encrypt(data, keys);
+
+      vitest.useRealTimers();
+
+      // IVs should be different due to different timestamps and sendCount
+      expect(result1.iv).not.toEqual(result2.iv);
+    });
+  });
+});

package/src/e2ee/worker/DataCryptor.ts

@@ -0,0 +1,147 @@
+import { workerLogger } from '../../logger';
+import { ENCRYPTION_ALGORITHM } from '../constants';
+import { CryptorError, CryptorErrorReason } from '../errors';
+import type { DecodeRatchetOptions, KeySet, RatchetResult } from '../types';
+import { deriveKeys } from '../utils';
+import type { ParticipantKeyHandler } from './ParticipantKeyHandler';
+
+export class DataCryptor {
+  private static sendCount = 0;
+
+  private static makeIV(timestamp: number) {
+    const iv = new ArrayBuffer(12);
+    const ivView = new DataView(iv);
+    const randomBytes = crypto.getRandomValues(new Uint32Array(1));
+    ivView.setUint32(0, randomBytes[0]);
+    ivView.setUint32(4, timestamp);
+    ivView.setUint32(8, timestamp - (DataCryptor.sendCount % 0xffff));
+    DataCryptor.sendCount++;
+
+    return iv;
+  }
+
+  static async encrypt(
+    data: Uint8Array,
+    keys: ParticipantKeyHandler,
+  ): Promise<{
+    payload: Uint8Array;
+    iv: Uint8Array;
+    keyIndex: number;
+  }> {
+    const iv = DataCryptor.makeIV(performance.now());
+    const keySet = await keys.getKeySet();
+    if (!keySet) {
+      throw new Error('No key set found');
+    }
+
+    const cipherText = await crypto.subtle.encrypt(
+      {
+        name: ENCRYPTION_ALGORITHM,
+        iv,
+      },
+      keySet.encryptionKey,
+      new Uint8Array(data),
+    );
+
+    return {
+      payload: new Uint8Array(cipherText),
+      iv: new Uint8Array(iv),
+      keyIndex: keys.getCurrentKeyIndex(),
+    };
+  }
+
+  static async decrypt(
+    data: Uint8Array,
+    iv: Uint8Array,
+    keys: ParticipantKeyHandler,
+    keyIndex: number = 0,
+    initialMaterial?: KeySet,
+    ratchetOpts: DecodeRatchetOptions = { ratchetCount: 0 },
+  ): Promise<{
+    payload: Uint8Array;
+  }> {
+    const keySet = await keys.getKeySet(keyIndex);
+    if (!keySet) {
+      throw new Error('No key set found');
+    }
+
+    try {
+      const plainText = await crypto.subtle.decrypt(
+        {
+          name: ENCRYPTION_ALGORITHM,
+          iv,
+        },
+        keySet.encryptionKey,
+        new Uint8Array(data),
+      );
+      return {
+        payload: new Uint8Array(plainText),
+      };
+    } catch (error: any) {
+      if (keys.keyProviderOptions.ratchetWindowSize > 0) {
+        if (ratchetOpts.ratchetCount < keys.keyProviderOptions.ratchetWindowSize) {
+          workerLogger.debug(
+            `DataCryptor: ratcheting key attempt ${ratchetOpts.ratchetCount} of ${
+              keys.keyProviderOptions.ratchetWindowSize
+            }, for data packet`,
+          );
+
+          let ratchetedKeySet: KeySet | undefined;
+          let ratchetResult: RatchetResult | undefined;
+          if ((initialMaterial ?? keySet) === keys.getKeySet(keyIndex)) {
+            // only ratchet if the currently set key is still the same as the one used to decrypt this frame
+            // if not, it might be that a different frame has already ratcheted and we try with that one first
+            ratchetResult = await keys.ratchetKey(keyIndex, false);
+
+            ratchetedKeySet = await deriveKeys(
+              ratchetResult.cryptoKey,
+              keys.keyProviderOptions.ratchetSalt,
+            );
+          }
+
+          const decryptedData = await DataCryptor.decrypt(
+            data,
+            iv,
+            keys,
+            keyIndex,
+            initialMaterial,
+            {
+              ratchetCount: ratchetOpts.ratchetCount + 1,
+              encryptionKey: ratchetedKeySet?.encryptionKey,
+            },
+          );
+
+          if (decryptedData && ratchetedKeySet) {
+            // before updating the keys, make sure that the keySet used for this frame is still the same as the currently set key
+            // if it's not, a new key might have been set already, which we don't want to override
+            if ((initialMaterial ?? keySet) === keys.getKeySet(keyIndex)) {
+              keys.setKeySet(ratchetedKeySet, keyIndex, ratchetResult);
+              // decryption was successful, set the new key index to reflect the ratcheted key set
+              keys.setCurrentKeyIndex(keyIndex);
+            }
+          }
+          return decryptedData;
+        } else {
+          /**
+           * Because we only set a new key once decryption has been successful,
+           * we can be sure that we don't need to reset the key to the initial material at this point
+           * as the key has not been updated on the keyHandler instance
+           */
+
+          workerLogger.warn('DataCryptor: maximum ratchet attempts exceeded');
+          throw new CryptorError(
+            `DataCryptor: valid key missing for participant ${keys.participantIdentity}`,
+            CryptorErrorReason.InvalidKey,
+            keys.participantIdentity,
+          );
+        }
+      } else {
+        throw new CryptorError(
+          `DataCryptor: Decryption failed: ${error.message}`,
+          CryptorErrorReason.InvalidKey,
+          keys.participantIdentity,
+        );
+      }
+    }
+  }
+}

package/src/e2ee/worker/ParticipantKeyHandler.ts

@@ -23,11 +23,12 @@ export class ParticipantKeyHandler extends (EventEmitter as new () => TypedEvent
 
   private decryptionFailureCounts: Array<number>;
 
-  private keyProviderOptions: KeyProviderOptions;
-
   private ratchetPromiseMap: Map<number, Promise<RatchetResult>>;
 
-  private participantIdentity: string;
+  readonly participantIdentity: string;
+
+  /** @internal */
+  readonly keyProviderOptions: KeyProviderOptions;
 
   /**
    * true if the current key has not been marked as invalid

package/src/e2ee/worker/e2ee.worker.ts

@@ -5,7 +5,9 @@ import { KEY_PROVIDER_DEFAULTS } from '../constants';
 import { CryptorErrorReason } from '../errors';
 import { CryptorEvent, KeyHandlerEvent } from '../events';
 import type {
+  DecryptDataResponseMessage,
   E2EEWorkerMessage,
+  EncryptDataResponseMessage,
   ErrorMessage,
   InitAck,
   KeyProviderOptions,
@@ -14,6 +16,7 @@ import type {
   RatchetResult,
   ScriptTransformOptions,
 } from '../types';
+import { DataCryptor } from './DataCryptor';
 import { FrameCryptor, encryptionEnabledMap } from './FrameCryptor';
 import { ParticipantKeyHandler } from './ParticipantKeyHandler';
 
@@ -81,6 +84,50 @@ onmessage = (ev) => {
           data.codec,
         );
         break;
+
+      case 'encryptDataRequest':
+        const {
+          payload: encryptedPayload,
+          iv,
+          keyIndex,
+        } = await DataCryptor.encrypt(
+          data.payload,
+          getParticipantKeyHandler(data.participantIdentity),
+        );
+        console.log('encrypted payload', {
+          original: data.payload,
+          encrypted: encryptedPayload,
+          iv,
+        });
+        postMessage({
+          kind: 'encryptDataResponse',
+          data: {
+            payload: encryptedPayload,
+            iv,
+            keyIndex,
+            uuid: data.uuid,
+          },
+        } satisfies EncryptDataResponseMessage);
+        break;
+
+      case 'decryptDataRequest':
+        const { payload: decryptedPayload } = await DataCryptor.decrypt(
+          data.payload,
+          data.iv,
+          getParticipantKeyHandler(data.participantIdentity),
+          data.keyIndex,
+        );
+        console.log('decrypted payload', {
+          original: data.payload,
+          decrypted: decryptedPayload,
+          iv: data.iv,
+        });
+        postMessage({
+          kind: 'decryptDataResponse',
+          data: { payload: decryptedPayload, uuid: data.uuid },
+        } satisfies DecryptDataResponseMessage);
+        break;
+
       case 'setKey':
         if (useSharedKey) {
           await setSharedKey(data.key, data.keyIndex);

package/src/e2ee/worker/sifPayload.ts

@@ -2,25 +2,29 @@ import type { VideoCodec } from '../..';
 
 //  Payload definitions taken from https://github.com/livekit/livekit/blob/master/pkg/sfu/downtrack.go#L104
 
-export const VP8KeyFrame8x8 = new Uint8Array([
+export const VP8KeyFrame8x8: Uint8Array = new Uint8Array([
   0x10, 0x02, 0x00, 0x9d, 0x01, 0x2a, 0x08, 0x00, 0x08, 0x00, 0x00, 0x47, 0x08, 0x85, 0x85, 0x88,
   0x85, 0x84, 0x88, 0x02, 0x02, 0x00, 0x0c, 0x0d, 0x60, 0x00, 0xfe, 0xff, 0xab, 0x50, 0x80,
 ]);
 
-export const H264KeyFrame2x2SPS = new Uint8Array([
+export const H264KeyFrame2x2SPS: Uint8Array = new Uint8Array([
   0x67, 0x42, 0xc0, 0x1f, 0x0f, 0xd9, 0x1f, 0x88, 0x88, 0x84, 0x00, 0x00, 0x03, 0x00, 0x04, 0x00,
   0x00, 0x03, 0x00, 0xc8, 0x3c, 0x60, 0xc9, 0x20,
 ]);
 
-export const H264KeyFrame2x2PPS = new Uint8Array([0x68, 0x87, 0xcb, 0x83, 0xcb, 0x20]);
+export const H264KeyFrame2x2PPS: Uint8Array = new Uint8Array([0x68, 0x87, 0xcb, 0x83, 0xcb, 0x20]);
 
-export const H264KeyFrame2x2IDR = new Uint8Array([
+export const H264KeyFrame2x2IDR: Uint8Array = new Uint8Array([
   0x65, 0x88, 0x84, 0x0a, 0xf2, 0x62, 0x80, 0x00, 0xa7, 0xbe,
 ]);
 
-export const H264KeyFrame2x2 = [H264KeyFrame2x2SPS, H264KeyFrame2x2PPS, H264KeyFrame2x2IDR];
+export const H264KeyFrame2x2: Uint8Array[] = [
+  H264KeyFrame2x2SPS,
+  H264KeyFrame2x2PPS,
+  H264KeyFrame2x2IDR,
+];
 
-export const OpusSilenceFrame = new Uint8Array([
+export const OpusSilenceFrame: Uint8Array = new Uint8Array([
   0xf8, 0xff, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

package/src/index.ts

@@ -1,5 +1,11 @@
 import { Mutex } from '@livekit/mutex';
-import { DataPacket_Kind, DisconnectReason, SubscriptionError, TrackType } from '@livekit/protocol';
+import {
+  DataPacket_Kind,
+  DisconnectReason,
+  Encryption_Type,
+  SubscriptionError,
+  TrackType,
+} from '@livekit/protocol';
 import { LogLevel, LoggerNames, getLogger, setLogExtension, setLogLevel } from './logger';
 import DefaultReconnectPolicy from './room/DefaultReconnectPolicy';
 import type { ReconnectContext, ReconnectPolicy } from './room/ReconnectPolicy';
@@ -33,12 +39,14 @@ import {
   createAudioAnalyser,
   getEmptyAudioStreamTrack,
   getEmptyVideoStreamTrack,
+  isAudioCodec,
   isAudioTrack,
   isBrowserSupported,
   isLocalParticipant,
   isLocalTrack,
   isRemoteParticipant,
   isRemoteTrack,
+  isVideoCodec,
   isVideoTrack,
   supportsAV1,
   supportsAdaptiveStream,
@@ -58,6 +66,8 @@ export * from './room/errors';
 export * from './room/events';
 export * from './room/track/Track';
 export * from './room/track/create';
+export * from './room/token-source/TokenSource';
+export * from './room/token-source/types';
 export { facingModeFromDeviceLabel, facingModeFromLocalTrack } from './room/track/facingMode';
 export * from './room/track/options';
 export * from './room/track/processor/types';
@@ -79,6 +89,7 @@ export {
   ConnectionState,
   CriticalTimers,
   DataPacket_Kind,
+  Encryption_Type,
   DefaultReconnectPolicy,
   DisconnectReason,
   LocalAudioTrack,
@@ -113,9 +124,11 @@ export {
   supportsDynacast,
   supportsVP9,
   Mutex,
+  isAudioCodec,
   isAudioTrack,
   isLocalTrack,
   isRemoteTrack,
+  isVideoCodec,
   isVideoTrack,
   isLocalParticipant,
   isRemoteParticipant,

package/src/logger.ts

@@ -12,6 +12,7 @@ export enum LogLevel {
 export enum LoggerNames {
   Default = 'livekit',
   Room = 'livekit-room',
+  TokenSource = 'livekit-token-source',
   Participant = 'livekit-participant',
   Track = 'livekit-track',
   Publication = 'livekit-track-publication',

package/src/options.ts

@@ -87,10 +87,16 @@ export interface InternalRoomOptions {
 
   webAudioMix: boolean | WebAudioSettings;
 
+  // /**
+  //  * @deprecated Use `encryption` field instead.
+  //  */
+  e2ee?: E2EEOptions;
+
   /**
    * @experimental
+   * Options for enabling end-to-end encryption.
    */
-  e2ee?: E2EEOptions;
+  encryption?: E2EEOptions;
 
   loggerName?: string;
 }
@@ -98,7 +104,7 @@ export interface InternalRoomOptions {
 /**
  * Options for when creating a new room
  */
-export interface RoomOptions extends Partial<InternalRoomOptions> {}
+export interface RoomOptions extends Partial<Omit<InternalRoomOptions, 'encryption'>> {}
 
 /**
  * @internal