Polycom SIP 2.2.0 manual It can decrypt the files that were encrypted on the server, Manner

A key is generated by the utility and must be downloaded to the phone so that

it can decrypt the files that were encrypted on the server. The

device.sec.configEncryption.key configuration file parameter is used to

set the key on the phone. The utility generates a random key and the

encryption is Advanced Encryption Standard (AES) 128 in Cipher Block

Chaining (CBC) mode. An example key would look like this:

Crypt=1;KeyDesc=companyNameKey1;Key=06a9214036b8a15b512e03d534120006;

If the phone doesn't have a key, it must be downloaded to the phone in plain

text (a potential security hole if not using HTTPS). If the phone already has a

key, a new key can be downloaded to the phone encrypted using the old key

(refer to Changing the Key on the Phone on page C-5). At a later date, new

phones from the factory will have a key pre-loaded in them. This key will be

changed at regular intervals to enhance security

It is recommended that all keys have unique descriptive strings in order to

allow simple identification of which key was used to encrypt a file. This makes

boot server management easier.

After encrypting a configuration file, it is useful to rename the file to avoid

confusing it with the original version, for example rename sip.cfg to sip.enc.

However, the directory and override filenames cannot be changed in this

manner.

You can check whether an encrypted file is the same as an unencrypted file by:

1. Run the configFileEncrypt utility on the unencrypted file with the "-d"

option. This shows the "digest" field.

2. Look at the encrypted file using WordPad and check the first line that

shows a "Digest=…." field. If the two fields are the same, then the

encrypted and unencrypted file are the same.

Note

If a phone downloads an encrypted file that it cannot decrypt, the action is logged,

an error message displays, and the phone reboots. The phone will continue to do

this until the boot server provides an encrypted file that can be read, an

unencrypted file, or the file is removed from the master configuration file list.

Note

The SoundPoint IP 300 and 500 phones will always fail at decrypting files. These

phones will recognize that a file is encrypted, but cannot decrypt it and will display

an error. This information is logged. Encrypted configuration files can only be

decrypted on the SoundPoint IP 301, 320, 330, 430, 501,550, 600, 601, and 650

and the SoundStation IP 4000 phones.

The master configuration file cannot be encrypted on the boot server. This file is

downloaded by the bootROM that does not recognize encrypted files. For more

information, refer to Master Configuration Files on page 2-5.