Polycom SOUNDPOINT SIP 2.2.0 User Manual
Page 228
Administrator’s Guide SoundPoint IP / SoundStation IP
C - 4
A key is generated by the utility and must be downloaded to the phone so that
it can decrypt the files that were encrypted on the server. The
device.sec.configEncryption.key
configuration file parameter is used to
set the key on the phone. The utility generates a random key and the
encryption is Advanced Encryption Standard (AES) 128 in Cipher Block
Chaining (CBC) mode. An example key would look like this:
Crypt=1;KeyDesc=companyNameKey1;Key=06a9214036b8a15b512e03d534120006;
If the phone doesn't have a key, it must be downloaded to the phone in plain
text (a potential security hole if not using HTTPS). If the phone already has a
key, a new key can be downloaded to the phone encrypted using the old key
(refer to
). At a later date, new
phones from the factory will have a key pre-loaded in them. This key will be
changed at regular intervals to enhance security
It is recommended that all keys have unique descriptive strings in order to
allow simple identification of which key was used to encrypt a file. This makes
boot server management easier.
After encrypting a configuration file, it is useful to rename the file to avoid
confusing it with the original version, for example rename sip.cfg to sip.enc.
However, the directory and override filenames cannot be changed in this
manner.
You can check whether an encrypted file is the same as an unencrypted file by:
1.
Run the configFileEncrypt utility on the unencrypted file with the "-d"
option. This shows the "digest" field.
2.
Look at the encrypted file using WordPad and check the first line that
shows a "Digest=…." field. If the two fields are the same, then the
encrypted and unencrypted file are the same.
Note
If a phone downloads an encrypted file that it cannot decrypt, the action is logged,
an error message displays, and the phone reboots. The phone will continue to do
this until the boot server provides an encrypted file that can be read, an
unencrypted file, or the file is removed from the master configuration file list.
Note
The SoundPoint IP 300 and 500 phones will always fail at decrypting files. These
phones will recognize that a file is encrypted, but cannot decrypt it and will display
an error. This information is logged. Encrypted configuration files can only be
decrypted on the SoundPoint IP 301, 320, 330, 430, 501,550, 600, 601, and 650
and the SoundStation IP 4000 phones.
The master configuration file cannot be encrypted on the boot server. This file is
downloaded by the bootROM that does not recognize encrypted files. For more
information, refer to
on page