Polycom SoundPoint SIP 3.1 Administrator's Guide: Encrypting Configuration Files


Administrator’s Guide SoundPoint IP / SoundStation IP

C-4

Encrypting Configuration Files

The phone can recognize encrypted files, which it downloads from the boot server, and it can encrypt files before uploading them to the boot server. An encryption key must be present on the phone to perform either operation. Configuration files (excluding the master configuration file), contact directories, and configuration override files can be encrypted.
A separate SDK, with a readme file, is provided to facilitate key generation and configuration file encryption and decryption on a UNIX or Linux server. The utility is distributed as source code that runs under the UNIX operating system. For more information, contact Polycom Technical Support.
The utility generates a random key, which must be downloaded to the phone so that the phone can decrypt the files that were encrypted on the server. The device.sec.configEncryption.key configuration file parameter is used to set the key on the phone. The encryption is Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode. An example key record looks like this:

Crypt=1;KeyDesc=companyNameKey1;Key=06a9214036b8a15b512e03d534120006;

If the phone does not yet have a key, the key must be downloaded to the phone in plain text. This is a potential security hole unless the download uses HTTPS: anyone who can observe the transfer obtains the key, and with it every file encrypted under that key. If the phone already has a key, a new key can be downloaded to the phone encrypted using the old key (refer to Changing the Key on the Phone on page C-5). At a later date, new phones from the factory will have a key pre-loaded in them. This key will be changed at regular intervals to enhance security.
It is recommended that all keys have unique descriptive strings (the KeyDesc field in the example above) so that it is simple to identify which key was used to encrypt a file. This makes boot server management easier.

After encrypting a configuration file, it is useful to rename the file to avoid confusing it with the original version, for example rename sip.cfg to sip.enc. However, the directory and override filenames cannot be changed in this manner.
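The key record layout and the AES-128-CBC step described above, as an added example that is not Polycom's SDK or any code from this guide. It parses and generates records in the Crypt=1;KeyDesc=...;Key=...; layout shown, encrypts a constructed configuration snippet with AES-128 in CBC mode, decrypts it back, and encrypts a replacement key record under the current key, which is the rotation the guide describes for phones that already hold a key. The container layout (a random IV prepended to the ciphertext, PKCS#7 padding), the configuration snippet and all function names are this example's own assumptions; Polycom's utility defines its own file format, so output from this code is not loadable by a phone.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// KeyLine is one key record in the layout the guide shows: Crypt=1;KeyDesc=...;Key=<32 hex>;
type KeyLine struct {
	Desc string // KeyDesc: unique label telling you which key encrypted a file
	Key  []byte // 16 raw bytes for AES-128
}

// ParseKeyLine decodes a record, requiring Crypt=1, a non-empty KeyDesc and a 128-bit key.
func ParseKeyLine(line string) (KeyLine, error) {
	fields := map[string]string{}
	for _, f := range strings.Split(strings.TrimSuffix(strings.TrimSpace(line), ";"), ";") {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return KeyLine{}, fmt.Errorf("malformed field %q", f)
		}
		fields[k] = v
	}
	if fields["Crypt"] != "1" || fields["KeyDesc"] == "" {
		return KeyLine{}, errors.New("record needs Crypt=1 and a non-empty KeyDesc")
	}
	key, err := hex.DecodeString(fields["Key"])
	if err != nil || len(key) != 16 {
		return KeyLine{}, errors.New("Key must be exactly 32 hex characters (AES-128)")
	}
	return KeyLine{Desc: fields["KeyDesc"], Key: key}, nil
}

// NewKeyLine generates a fresh random AES-128 key with the given description.
func NewKeyLine(desc string) (KeyLine, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return KeyLine{}, err
	}
	return KeyLine{Desc: desc, Key: key}, nil
}

// String renders the record in the guide's layout, ready to place in the key file.
func (k KeyLine) String() string {
	return fmt.Sprintf("Crypt=1;KeyDesc=%s;Key=%s;", k.Desc, hex.EncodeToString(k.Key))
}

// Encrypt returns IV || AES-128-CBC(PKCS#7(plaintext)) under a fresh random IV.
// ASSUMPTION: this container layout is the example's own, not the format Polycom's utility writes.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7: always 1..16 bytes
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// Decrypt reverses Encrypt. CBC carries no integrity check, so a wrong key or a
// tampered file is only detected (almost always) through the padding.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not IV plus a whole number of blocks")
	}
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong key or corrupted file")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	// Key record copied from the guide; the configuration snippet is constructed for the demo.
	current, _ := ParseKeyLine("Crypt=1;KeyDesc=companyNameKey1;Key=06a9214036b8a15b512e03d534120006;")
	enc, _ := Encrypt(current.Key, []byte("<sip><server reg.1.address=\"sip.example.com\"/></sip>\n"))
	dec, _ := Decrypt(current.Key, enc) // sip.enc back to sip.cfg
	fmt.Printf("sip.enc: %d bytes, decrypts to: %s", len(enc), dec)
	// Rotation: the replacement record travels encrypted under the key the phone already holds.
	next, _ := NewKeyLine("companyNameKey2")
	rot, _ := Encrypt(current.Key, []byte(next.String()))
	fmt.Printf("%s encrypted under %s: %d bytes\n", next.Desc, current.Desc, len(rot))
}
```

Two practical points follow from the code. The key in the guide's example record is printed in a public manual, so treat it as a test value only and generate your own with the random generator. CBC mode provides confidentiality but no integrity, so a modified sip.enc is only caught if the padding happens to break; the HTTPS transport the guide recommends for the initial key download is also what protects the encrypted files from tampering in transit.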

Polycom endeavors to maintain a built-in list of the most commonly used CA certificates. Due to memory constraints, the phone cannot keep as thorough a list as some other applications (for example, browsers). If you are using a certificate from a commercial Certificate Authority not in the list above, you may submit a Feature Request for Polycom to add your CA to the trusted list by visiting

https://jira.polycom.com:8443//secure/CreateIssue!default.jspa?os_username=jiraguest&os_password=polycom

In the meantime, you can use the Custom Certificate method to load your particular CA certificate into the phone (refer to "Technical Bulletin 17877: Using Custom Certificates on SoundPoint IP Phones" at

http://www.polycom.com/usa/en/support/voice/soundpoint_ip/VoIP_Technical_Bulletins_pub.html

).
