Administrator’s Guide for SIP-T58V/T58A/T56A/CP960 IP Phones
Configuration Files Encryption and Decryption
Encrypted configuration files can be downloaded from the provisioning server to protect against unauthorized access
and tampering of sensitive information (for example, login passwords, registration information).
You can encrypt the configuration files using the encryption tools. You can also configure the <MAC>-local.cfg files
to be automatically encrypted using 16-character symmetric keys when uploading to the server (by setting
“static.auto_provision.encryption.config” to 1).
For security reasons, you should upload the encrypted configuration files and the <xx_Security>.enc files to the root
directory of the provisioning server. During auto provisioning, the phone requests the boot file first and then
downloads the referenced configuration files. For example, when the phone downloads an encrypted account.cfg file, it
requests the <account_Security>.enc file (if enabled) and decrypts it into the plaintext key (for example, key2)
using the built-in key (for example, key1). The IP phone then decrypts the account.cfg file using key2. After
decryption, the phone resolves the configuration files and updates the configuration settings onto the IP phone system.
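The following check is an added example, not part of the guide or of the vendor's tooling: it audits a configuration file for the encryption parameters described in this section. The function names, the sample input, the treatment of "#" as a comment marker, and the treatment of an absent "static.auto_provision.encryption.config" as disabled are assumptions.

```python
import re

PREFIX = "static.auto_provision."
# Character set the guide lists for aes_key_16.* values, exactly 16 long.
KEY_RE = re.compile(r"[0-9A-Za-z#$%*+,\-.:=?@\[\]^_{}~]{16}")
GUIDE_SAMPLE_KEY = "0123456789abcdef"  # example value printed in the guide

# Constructed sample input, not a real deployment file.
SAMPLE = """#!version:1.0.0.1
static.auto_provision.update_file_mode = 0
static.auto_provision.aes_key_in_file = 0
static.auto_provision.aes_key_16.com = 0123456789abcdef
static.auto_provision.aes_key_16.mac = short!key
"""

def parse_cfg(text):
    """Parse 'name = value' lines. Assumption: '#' starts a comment line."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)  # keys may themselves contain '='
            settings[name.strip()] = value.strip()
    return settings

def audit(text):
    """Return (parameter, finding) tuples for settings that weaken encryption."""
    cfg = parse_cfg(text)
    findings = []
    if cfg.get(PREFIX + "update_file_mode", "0") != "1":  # documented default 0
        findings.append(("update_file_mode", "phone also accepts unencrypted files"))
    # Assumption: an absent encryption.config means auto-encryption is off.
    if cfg.get(PREFIX + "encryption.config", "0") != "1":
        findings.append(("encryption.config", "<MAC>-local.cfg not auto-encrypted on upload"))
    key_in_file = cfg.get(PREFIX + "aes_key_in_file", "0") == "1"
    for name, value in cfg.items():
        if not name.startswith(PREFIX + "aes_key_16."):
            continue
        short = name[len(PREFIX):]
        if not KEY_RE.fullmatch(value):
            findings.append((short, "not 16 characters from the allowed set"))
        elif value == GUIDE_SAMPLE_KEY:
            findings.append((short, "sample key from the guide"))
        if key_in_file:
            findings.append((short, "ignored for decryption while aes_key_in_file = 1"))
    return findings

if __name__ == "__main__":
    for parameter, finding in audit(SAMPLE):
        print(f"{parameter}: {finding}")
```
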
Encryption and Decryption Configuration
The following table lists the parameters you can use to configure the encryption and decryption.
Parameter static.auto_provision.update_file_mode <y0000000000xx>.cfg
Description It enables or disables the phone to download only the encrypted files.
Permitted Values
0-Disabled, the phone will download the configuration files (for example, sip.cfg, account.cfg,
<MAC>-local.cfg) and <MAC>-contact.xml file from the server during auto provisioning no matter whether the
files are encrypted or not, and then resolve these files and update settings onto the IP phone system.
1-Enabled, the phone will only download the encrypted configuration files (for example, sip.cfg,
account.cfg, <MAC>-local.cfg) or <MAC>-contact.xml file from the server during auto provisioning, and then
resolve these files and update settings onto the IP phone system.
Default 0
Parameter static.auto_provision.aes_key_in_file <y0000000000xx>.cfg
Description It enables or disables the phone to decrypt configuration files using the encrypted AES keys.
Permitted Values
0-Disabled, the phone will decrypt the encrypted configuration files using plaintext AES keys configured
on the IP phone.
1-Enabled, the phone will download <xx_Security>.enc files (for example, <sip_Security>.enc,
<account_Security>.enc) during auto provisioning, and then decrypt these files into the plaintext keys (for
example, key2, key3) respectively using the phone's built-in key (for example, key1). The IP phone then
decrypts the encrypted configuration files using the corresponding key (for example, key2, key3).
Default 0
Parameter static.auto_provision.aes_key_16.com <y0000000000xx>.cfg
Description It configures the plaintext AES key for encrypting/decrypting the Common CFG/Custom CFG file.
Valid characters are 0 ~ 9, A ~ Z and a ~ z; the following special characters are also supported:
# $ % * + , - . : = ? @ [ ] ^ _ { } ~.
Example:
static.auto_provision.aes_key_16.com = 0123456789abcdef
Note: For decrypting, it works only if “static.auto_provision.aes_key_in_file” is set to 0 (Disabled). If the
downloaded MAC-Oriented file is encrypted and the parameter “static.auto_provision.aes_key_16.mac” is