diff --git a/src/app/spreed-webrtc-server/channelling.go b/src/app/spreed-webrtc-server/channelling.go
index c37629ba..f3c1675b 100644
--- a/src/app/spreed-webrtc-server/channelling.go
+++ b/src/app/spreed-webrtc-server/channelling.go
@@ -195,6 +195,11 @@ type DataIncoming struct {
 Sessions *DataSessions
 Room *DataRoom
 Iid string `json:",omitempty"`
+
+ EncryptionRegister *DataEncryptionRegister
+ EncryptionRequestKeyBundle *DataEncryptionRequestKeyBundle
+ EncryptionKeyBundle *DataEncryptionKeyBundle
+ Encrypted *DataEncrypted
 }
 
 type DataOutgoing struct {
@@ -231,3 +236,38 @@ type DataAuthentication struct {
 Type string
 Authentication *SessionToken
 }
+
+type DataEncryptionRegisterSignedPreKey struct {
+ Id int64
+ Key string
+ Signature string
+}
+
+type DataEncryptionRegister struct {
+ RegistrationId int64
+ Identity string
+ LastResortSignedPreKey DataEncryptionRegisterSignedPreKey
+}
+
+type DataEncryptionRequestKeyBundle struct {
+ To string `json:",omitempty"`
+ Type string `json:",omitempty"`
+}
+
+type DataEncryptionKeyBundle struct {
+ To string `json:",omitempty"`
+ Type string `json:",omitempty"`
+ Identity string
+ PreKeyId int64 `json:",omitempty"`
+ PreKey string `json:",omitempty"`
+ SignedPreKeyId int64 `json:",omitempty"`
+ SignedPreKey string `json:",omitempty"`
+ SignedPreKeySignature string `json:",omitempty"`
+}
+
+type DataEncrypted struct {
+ To string `json:",omitempty"`
+ Type string `json:",omitempty"`
+ Message string
+ Data string
+}
diff --git a/src/app/spreed-webrtc-server/channelling_api.go b/src/app/spreed-webrtc-server/channelling_api.go
index f44e4671..1ca775ee 100644
--- a/src/app/spreed-webrtc-server/channelling_api.go
+++ b/src/app/spreed-webrtc-server/channelling_api.go
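Review bot: In `DataEncryptionKeyBundle` (second hunk of channelling.go) the `omitempty` tag on `PreKeyId` and `SignedPreKeyId` drops the field whenever the id is 0, so on the wire a key with id 0 cannot be told apart from no key at all. If 0 is never a valid id on the client side this is harmless, but nothing in the diff says so; either document that ids start at 1, or send `SignedPreKeyId int64` untagged and make the optional one-time key a `PreKeyId *int64` with its existing tag. The new types also have no doc comments: one line per struct stating the encoding of `Identity`, `Key` and `Signature` (presumably base64, not shown here) and that the server forwards them without verifying them would help whoever writes the receiving side.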
@@ -156,6 +156,30 @@ func (api *channellingAPI) OnIncoming(sender Sender, session *Session, msg *Data
 }
 
 return api.HandleRoom(session, msg.Room)
+ case "EncryptionRegister":
+ if msg.EncryptionRegister == nil {
+ return nil, NewDataError("bad_request", "message did not contain EncryptionRegister")
+ }
+
+ api.HandleEncryptionRegister(session, msg.EncryptionRegister)
+ case "EncryptionRequestKeyBundle":
+ if msg.EncryptionRequestKeyBundle == nil {
+ return nil, NewDataError("bad_request", "message did not contain EncryptionRequestKeyBundle")
+ }
+
+ return api.HandleEncryptionRequestKeyBundle(session, msg.EncryptionRequestKeyBundle)
+ case "EncryptionKeyBundle":
+ if msg.EncryptionKeyBundle == nil {
+ return nil, NewDataError("bad_request", "message did not contain EncryptionKeyBundle")
+ }
+
+ return api.HandleEncryptionKeyBundle(session, msg.EncryptionKeyBundle)
+ case "Encrypted":
+ if msg.Encrypted == nil {
+ return nil, NewDataError("bad_request", "message did not contain Encrypted")
+ }
+
+ return api.HandleEncrypted(session, msg.Encrypted)
 default:
 log.Println("OnText unhandled message type", msg.Type)
 }
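Review bot: The `EncryptionRegister` case is the only new one without a `return`: it calls `api.HandleEncryptionRegister(session, msg.EncryptionRegister)` and then leaves the switch, so the reply is whatever the code after the switch (outside this hunk) produces. Because `HandleEncryptionRegister`, added further down in this file, has no return value, a registration with missing key material cannot be answered with a `bad_request` the way the nil check above it is. Giving the handler the same `(interface{}, error)` result as its three siblings and writing `return api.HandleEncryptionRegister(session, msg.EncryptionRegister)` would keep the four cases uniform. OnIncoming starts and ends outside the hunk.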
@@ -327,3 +351,42 @@ func (api *channellingAPI) HandleRoom(session *Session, room *DataRoom) (*DataRo
 }
 return room, err
 }
+
+func (api *channellingAPI) HandleEncryptionRegister(session *Session, register *DataEncryptionRegister) {
+ session.encryptionRegistration = register
+}
+
+func (api *channellingAPI) HandleEncryptionRequestKeyBundle(session *Session, request *DataEncryptionRequestKeyBundle) (interface{}, error) {
+ if request.To == "" {
+ return nil, NewDataError("empty_peer", "cannot send to empty peer")
+ }
+ // TODO(fancycode): Check if peer is online and return bundle based on
+ // registration data if not.
+ message := &DataEncryptionRequestKeyBundle{
+ Type: "EncryptionRequestKeyBundle",
+ }
+ session.Unicast(request.To, message)
+ return nil, nil
+}
+
+func (api *channellingAPI) HandleEncryptionKeyBundle(session *Session, bundle *DataEncryptionKeyBundle) (interface{}, error) {
+ if bundle.To == "" {
+ return nil, NewDataError("empty_peer", "cannot send to empty peer")
+ }
+ message := *bundle
+ message.To = ""
+ message.Type = "EncryptionKeyBundle"
+ session.Unicast(bundle.To, message)
+ return nil, nil
+}
+
+func (api *channellingAPI) HandleEncrypted(session *Session, data *DataEncrypted) (interface{}, error) {
+ if data.To == "" {
+ return nil, NewDataError("empty_peer", "cannot send to empty peer")
+ }
+ message := *data
+ message.To = ""
+ message.Type = "Encrypted"
+ session.Unicast(data.To, message)
+ return nil, nil
+}
diff --git a/src/app/spreed-webrtc-server/session.go b/src/app/spreed-webrtc-server/session.go
index 84043147..07372ee0 100644
--- a/src/app/spreed-webrtc-server/session.go
+++ b/src/app/spreed-webrtc-server/session.go
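Review bot: `HandleEncryptionRegister` stores the client-supplied `DataEncryptionRegister` on the session exactly as received, so an empty `Identity` or a signed pre-key with no `Key` or `Signature` is accepted. This matters once the TODO in `HandleEncryptionRequestKeyBundle` is implemented, because bundles built from this field would then be handed to other peers on behalf of an offline session. The assignment is also made with no locking visible in this hunk; if other goroutines are going to read the field, it should be covered by whatever protects the rest of `Session`, which this diff does not show. A version that rejects incomplete registrations is sketched below; the call site in `OnIncoming` would have to return its result.

```go
func (api *channellingAPI) HandleEncryptionRegister(session *Session, register *DataEncryptionRegister) (interface{}, error) {
	// Reject registrations that could never yield a usable key bundle.
	spk := register.LastResortSignedPreKey
	if register.Identity == "" || spk.Key == "" || spk.Signature == "" {
		return nil, NewDataError("bad_request", "incomplete EncryptionRegister")
	}
	// NOTE(review): take the session's lock around this write if Session has one.
	session.encryptionRegistration = register
	return nil, nil
}

// … unchanged: HandleEncryptionRequestKeyBundle, HandleEncryptionKeyBundle, HandleEncrypted …
```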
@@ -56,6 +56,8 @@ type Session struct {
 subscribers map[string]*Session
 disconnected bool
 replaced bool
+
+ encryptionRegistration *DataEncryptionRegister
 }
 
 func NewSession(manager SessionManager, unicaster Unicaster, broadcaster Broadcaster, rooms RoomStatusManager, buddyImages ImageCache, attestations *securecookie.SecureCookie, id, sid string) *Session {
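Review bot: The new `encryptionRegistration` field has no comment saying what it holds or when it is nil. A line above it such as `// encryptionRegistration is the last EncryptionRegister payload received from this client; nil until it registers.` would cover that. The `Session` struct begins outside this hunk, so whether the other fields are documented in the same way cannot be checked from here.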