BreachExpress

Cybersecurity, explained for the rest of us.

Encryption

Signal Voice Calls: How End-to-End Encryption Actually Works

Margot 'Magic' Thorne@magicthorneJune 5, 202612 min read
Diagram showing encrypted voice packets flowing between two phones with padlock symbols

When you tap the phone icon in Signal, your voice doesn't travel the way a regular phone call does. Regular calls route through your carrier's network in a format that anyone with access to that network can intercept and hear. Signal voice calls encrypt your audio before it leaves your device and decrypt it only on the recipient's device. The carrier sees data flowing, but not the conversation. Signal's servers relay packets, but cannot decrypt them. The cryptographic keys that unlock your voice exist only on your phone and the phone of the person you're calling.

This is end-to-end encryption for voice. The mechanism is elegant, the implementation is complex, and the result is that your conversation stays between you and the person on the other end. Here's how it actually works.

The Problem with Regular Phone Calls

A traditional phone call, whether landline or cellular, transmits your voice as audio signals through infrastructure controlled by your carrier. On landlines, the audio travels as electrical signals through copper wires. On cellular networks, your voice is digitized, compressed, and transmitted as radio waves to cell towers, then routed through switching centers to reach the recipient.

At every point in that chain, the audio exists in a form that can be intercepted and reconstructed. Law enforcement can tap phone lines with a warrant. Carriers can access call content. Anyone with physical access to the right equipment along the path can listen. The audio is protected by physical security and legal restrictions, not cryptography.

Some modern cellular protocols include encryption between your phone and the cell tower. That protects against casual interception by someone with a radio scanner. But once the call reaches the carrier's network, it travels unencrypted through their infrastructure. The carrier hears everything. Anyone who compromises carrier systems hears everything. Governments with legal authority to compel carriers hear everything.

This is the baseline. Most voice calls in 2026 still work this way. When you pick up your phone and dial a number, you're trusting a chain of infrastructure you don't control with the content of your conversation.

How Signal Voice Calls Work Differently

Signal voice calls use Voice over Internet Protocol. Instead of routing through your carrier's voice network, the call travels as data packets over the internet. Your voice is digitized, encrypted, and sent through Signal's servers to the recipient, where it's decrypted and played back as audio.

The critical difference is encryption. Before your voice leaves your device, Signal encrypts it using keys that exist only on your phone and the recipient's phone. The encrypted audio packets travel through the internet, through Signal's servers, and arrive at the recipient's device, where they're decrypted using the matching key.

Signal's servers relay the packets. They see that data is flowing from your IP address to the recipient's IP address. They see the volume of data, the timing, the duration of the call. But they cannot decrypt the audio. The keys never leave your device and the recipient's device. Without the keys, the encrypted packets are meaningless.

This is end-to-end encryption. The plaintext audio exists only at the endpoints, your device and the recipient's device. Everything in between sees only ciphertext.

The Signal Protocol for Voice

Signal voice calls use an adapted version of the Signal Protocol, the same cryptographic framework that protects Signal text messages. The protocol was designed by Open Whisper Systems, the organization that created Signal, and it's now used by WhatsApp, Facebook Messenger's Secret Conversations, and Google Messages for RCS chats.

For voice calls, the protocol establishes a secure session between your device and the recipient's device. This happens through a key exchange. When you initiate a call, your device and the recipient's device exchange public keys and negotiate a shared secret using the Double Ratchet Algorithm. That shared secret becomes the basis for encrypting and decrypting the audio stream.

The Double Ratchet Algorithm generates new encryption keys for every packet. Your voice is broken into small chunks, each chunk is encrypted with a unique key, and the keys evolve as the call progresses. If an attacker somehow obtains the key for one packet, they can decrypt only that packet. The keys for previous and future packets remain secure. This property is called forward secrecy.

The audio codec Signal uses is Opus, an open-source codec designed for low-latency, high-quality voice transmission. Opus compresses your voice into data packets small enough to transmit in real time without noticeable delay. Signal encrypts each Opus packet before transmission and decrypts it on the recipient's end before playback.

The result is a voice call that sounds like a regular phone call but travels encrypted through the internet instead of unencrypted through your carrier's voice network.

What Signal's Servers See

Signal's servers relay encrypted packets between your device and the recipient's device. They see your IP address, the recipient's IP address, the timestamp of the call, and the duration. They see the volume of data transmitted. They do not see who you're calling if both parties use Signal, because Signal doesn't require phone numbers to be transmitted in plaintext for call setup. The server knows a call is happening, but the content is opaque.

This is a meaningful distinction. Your carrier knows who you call, when you call, how long you talk, and where you are when you make the call. They also have access to the audio. Signal knows less. They know a call happened, they know roughly how long it lasted, and they know the IP addresses involved. They cannot hear the conversation, and they cannot definitively link the call to your identity unless they correlate IP addresses with other data.

Signal's business model supports this. They're a nonprofit funded by donations and grants. They don't sell ads. They don't monetize user data. Their incentive structure aligns with privacy. That doesn't make them immune to compromise, but it removes the financial motive to collect more data than necessary.

Verifying Encryption: Safety Numbers

Signal provides a mechanism to verify that your call is actually encrypted and that you're talking to the person you think you're talking to. It's called a safety number, and it's a cryptographic fingerprint of the encryption keys being used for the call.

Each Signal conversation, whether text or voice, has a unique safety number. You can view it in the app by tapping the contact's name and selecting "View Safety Number." The safety number is a string of digits derived from your public key and the recipient's public key. If the safety numbers match on both devices, you're using the correct keys and the call is encrypted end-to-end.

You can verify the safety number in person by comparing the digits displayed on your screen with the digits on the recipient's screen. If they match, you know the call is secure and no one is intercepting it with a man-in-the-middle attack. If they don't match, something is wrong.

Most people don't verify safety numbers. For everyday conversations, the risk of a targeted man-in-the-middle attack is low. But if you're discussing something sensitive, or if you're a high-value target, verifying the safety number is the only way to be certain that your call is secure.

What Metadata Remains

Encryption protects the content of your call, but it doesn't hide the fact that a call happened. This is metadata, and it's valuable.

Your carrier knows you're using Signal because they see data flowing to Signal's servers. They don't know who you're calling or what you're saying, but they know you made a call, they know when, and they know how long it lasted. If they want to, they can correlate that timing with other data to infer who you might be calling.

Your IP address is visible to Signal's servers and to anyone monitoring your internet connection. If you're on your home WiFi, your IP address ties the call to your physical location. If you're on cellular data, your IP address ties the call to your carrier and your approximate location.

Signal's servers log minimal metadata, and they claim to delete it quickly. But the logs exist, and they can be subpoenaed. In 2021, Signal provided records to the FBI in response to a subpoena, and the records contained timestamps and phone numbers, but no message content. The same applies to voice calls. Signal can confirm that a call happened, but they cannot provide the audio.

If metadata is a concern, you can route Signal through a VPN or Tor. That hides your IP address from Signal's servers and from anyone monitoring your internet connection. It doesn't hide the fact that you're using Signal from your carrier or ISP, but it adds a layer of obfuscation.

Voice Call Quality and Latency

Encrypted voice calls face a tradeoff between security and performance. Encryption adds computational overhead. Your device must encrypt each audio packet before transmission and decrypt each incoming packet before playback. This takes time, and if it takes too much time, the call becomes choppy or laggy.

Signal optimizes for low latency. The Opus codec compresses audio efficiently, and the encryption is fast enough that the delay is usually imperceptible. On a good internet connection, Signal voice calls sound as clear as regular phone calls. On a poor connection, the call quality degrades, but that's a function of bandwidth, not encryption.

The encryption itself doesn't noticeably affect call quality. What affects call quality is the internet connection. If you're on congested WiFi or weak cellular signal, the encrypted packets arrive late or out of order, and the audio stutters. The same would happen with an unencrypted VoIP call under the same conditions.

Signal's servers are distributed globally to minimize latency. When you make a call, your packets route through the nearest server, which relays them to the recipient's nearest server. This reduces the distance the packets travel and keeps latency low.

Comparing Signal to Other Encrypted Voice Apps

Signal isn't the only app offering encrypted voice calls. WhatsApp, FaceTime, and Google Meet all claim to encrypt calls end-to-end. Here's how they compare.

WhatsApp uses the Signal Protocol for voice calls, just like Signal. The encryption is identical. The difference is that WhatsApp is owned by Meta, and Meta has access to more metadata than Signal. WhatsApp knows who you call, when you call, and how long you talk. They claim not to store this data long-term, but the data flows through their servers. Signal collects less metadata by design.

FaceTime encrypts calls end-to-end, but it's a closed system. Apple controls the protocol, the servers, and the implementation. You can't audit the code. You have to trust Apple's claims. Apple has a strong privacy reputation, but the lack of transparency is a meaningful difference. Signal's protocol is open-source and audited by independent researchers.

Google Meet offers end-to-end encryption as an optional feature, but it's not enabled by default. Most Google Meet calls are encrypted in transit, meaning the data is encrypted between your device and Google's servers, but Google can decrypt the call on their end. Signal encrypts calls end-to-end by default, with no option to disable it.

Zoom introduced end-to-end encryption in 2020, but it's only available for certain types of meetings and requires all participants to enable it. Like Google Meet, most Zoom calls are encrypted in transit but not end-to-end. Signal encrypts every call end-to-end, automatically, with no configuration required.

When Encrypted Voice Calls Matter

For most conversations, the threat model doesn't require end-to-end encryption. If you're calling your spouse to ask what's for dinner, the risk of interception is negligible. Your carrier could listen, but they won't. Law enforcement could tap your call with a warrant, but they won't unless you're under investigation.

Encrypted voice calls matter when the content of your conversation is sensitive enough that you don't want to rely on legal protections and institutional trust. Journalists talking to sources. Activists coordinating protests. Lawyers discussing cases. Doctors consulting on patient care. People in abusive relationships arranging safe exits.

In these scenarios, the risk isn't hypothetical. Governments do surveil journalists. Abusers do monitor partners' phone calls. Corporations do intercept competitors' communications. End-to-end encryption removes the technical capability to intercept, regardless of legal authority or institutional policy.

The tradeoff is convenience. Signal requires both parties to install the app and create accounts. You can't call someone's regular phone number through Signal unless they're also using Signal. For everyday calls, that friction is often too high. For sensitive calls, it's worth it.

The Legal and Political Context

Encrypted voice calls exist in a contested legal space. Law enforcement agencies argue that end-to-end encryption enables criminals to communicate without oversight. They've pushed for backdoors, technical mechanisms that would allow lawful access to encrypted communications with a warrant.

Signal and other privacy advocates argue that backdoors are technically infeasible without compromising security for everyone. A backdoor that works for law enforcement also works for attackers. You cannot build a system that's secure against everyone except authorized parties, because the mechanism that grants access to authorized parties can be exploited by unauthorized parties.

This debate has played out in courts and legislatures for decades. In the 1990s, the U.S. government tried to mandate the Clipper Chip, a hardware encryption device with a built-in backdoor. The proposal failed. In 2016, the FBI tried to compel Apple to unlock an iPhone used by the San Bernardino shooter. Apple refused, and the FBI eventually found another way in. In 2026, the debate continues.

Signal's position is unambiguous. They will not build backdoors. They will not weaken encryption. If compelled by law to do so, they've indicated they would shut down rather than comply. This is a principled stance, but it's also pragmatic. Once you build a backdoor, you lose the trust of users who rely on your app for safety.

Setting Up Signal for Voice Calls

If you want to use Signal for encrypted voice calls, here's the step-by-step process.

Download Signal from the App Store or Google Play Store. Do not download it from third-party sites. The official app is free and open-source.

Open the app and register your phone number. Signal uses your phone number as your identifier. You'll receive a verification code via SMS. Enter the code to complete registration.

Grant Signal permission to access your contacts. This allows Signal to show you which of your contacts are already using Signal. If you don't want to grant contact access, you can manually add contacts by entering their phone numbers.

To make a voice call, open a conversation with a contact who uses Signal and tap the phone icon at the top of the screen. The call will connect over the internet using end-to-end encryption.

During the call, you can verify the safety number by tapping the screen to bring up the call controls, then tapping the information icon. Compare the safety number on your screen with the safety number on the recipient's screen. If they match, the call is secure.

Signal also supports group voice calls with up to 40 participants. The encryption works the same way. Each participant's audio is encrypted end-to-end, and Signal's servers relay the packets without decrypting them.

Common Misconceptions About Signal Voice Calls

Some people believe Signal voice calls are untraceable. They're not. Your carrier knows you're using Signal. Signal's servers know a call happened. If you're a high-value target, sophisticated adversaries can analyze metadata to infer who you're calling and when.

Some people believe Signal is immune to lawful interception. It's not. If law enforcement has physical access to your unlocked device, they can listen to your calls in real time. If they install spyware on your device, they can record your calls before encryption or after decryption. End-to-end encryption protects the transmission, not the endpoints.

Some people believe Signal's encryption is unbreakable. It's not. Cryptography is only as strong as its implementation. If there's a bug in Signal's code, an attacker could exploit it to decrypt calls. Signal's code is open-source and audited, which reduces this risk, but it doesn't eliminate it. No system is perfectly secure.

Some people believe Signal calls are slower or lower quality than regular calls because of encryption. They're not. The encryption overhead is negligible. Call quality depends on your internet connection, not the encryption.

What Happens If Signal Gets Compromised

If Signal's servers are compromised, the attacker gains access to metadata, timestamps, IP addresses, call durations. They do not gain access to call content, because the servers never have the keys to decrypt it.

If Signal's code is compromised, say, through a malicious update, an attacker could potentially insert a backdoor that sends decryption keys to a third party. This is why Signal's code is open-source and why security researchers audit it. A malicious update would be detected quickly. But the window of vulnerability exists.

If your device is compromised, all bets are off. An attacker with access to your unlocked device can listen to your calls, read your messages, and access your encryption keys. End-to-end encryption protects data in transit, not data at rest on a compromised device.

The most realistic threat isn't a compromise of Signal's infrastructure. It's a compromise of your device or the recipient's device. Keep your phone updated, use a strong passcode, enable biometric authentication, and don't install apps from untrusted sources.

The Broader Context: Why Encryption Matters

In Star Trek: The Next Generation, the crew of the Enterprise communicates through an open comm system. Anyone on the ship can listen to anyone else's conversation unless they explicitly encrypt the channel. It's a feature of the utopian future Roddenberry imagined, a world where privacy is less important than transparency and trust.

We don't live in that world. We live in a world where governments surveil citizens, corporations monetize data, and attackers exploit vulnerabilities. Encryption is the technical mechanism that gives individuals control over their own communications. It's not about hiding wrongdoing. It's about protecting the baseline expectation that a private conversation stays private.

Signal voice calls are one implementation of that principle. They're not perfect. They don't solve every problem. But they give you a tool to have a conversation that no one else can hear, and in 2026, that's worth something.

Two people having a private conversation through encrypted Signal voice call
→ Filed under
signalencryptionvoice-callsprivacyend-to-end-encryptionmessaging-apps
ShareXLinkedInFacebook

Frequently asked questions

Yes. Signal encrypts voice calls so only you and the person you're calling can hear the conversation. Not Signal, not your carrier, not anyone intercepting the connection.
Regular phone calls travel unencrypted through your carrier's network. Signal encrypts the audio before it leaves your device and decrypts it only on the recipient's device.
Your carrier sees that data is flowing between your phone and Signal's servers, but they cannot hear the conversation or determine who you're calling.
They see encrypted packets. Without the cryptographic keys that exist only on your device and the recipient's device, the intercepted data is meaningless noise.
Both use the Signal Protocol, but voice calls adapt it for real-time audio transmission with different packet handling and lower latency requirements.

You might also like

Illustration of a message traveling between two phones in an encrypted tunnel with a lock icon
Encryption

What Is End-to-End Encryption and Which Apps Actually Have It?

End-to-end encryption protects messages so only the sender and recipient can read them. Here's how it works, why it matters, and which apps actually deliver.

16 min · Margot 'Magic' Thorne · May 1

Encrypted vault file shown as locked container with attacker attempting decryption
Data Breaches

What happens when a password manager gets breached, and are they still safe after LastPass

Password managers store encrypted vaults. When breached, attackers get ciphertext, not plaintext passwords. Here's the mechanism and what actually breaks.

11 min · Margot 'Magic' Thorne · May 2

iPhone and Android phone side by side with security shield icons
General

iPhone vs Android: which platform actually protects you better

iPhones and Android phones secure your data differently. Here's how each platform handles updates, app permissions, encryption, and malware—and which matters more.

11 min · Margot 'Magic' Thorne · May 8