Configuration Files Encryption Tools; Configuration Files Encryption And Decryption; Contact Files Encryption And Decryption; Encryption And Decryption Configuration - Yealink SIP-T2 Series Administrator's Manual

Administrator's Guide for SIP-T2 Series/T4 Series/T5 Series/CP920 IP Phones

Configuration Files Encryption Tools

Configuration Files Encryption and Decryption

Contact Files Encryption and Decryption

Encryption and Decryption Configuration

Example: Encrypting Configuration Files
Configuration Files Encryption Tools
Yealink provides three configuration files encryption tools:
Config_Encrypt_Tool.exe (via graphical tool for Windows platform)
l
Config_Encrypt.exe (via DOS command line for Windows platform)
l
yealinkencrypt (for Linux platform)
l
The encryption tools encrypt plaintext configuration files (for example, account.cfg, <y0000000000xx>.cfg,
<MAC>.cfg) (one by one or in batch) using 16-character symmetric keys (the same or different keys for configuration
files) and generate encrypted configuration files with the same file name as before.
These tools also encrypt the plaintext 16-character symmetric keys using a fixed key, which is the same as the one built
in the IP phone, and generate new files named as <xx_Security>.enc (xx is the name of the configuration file, for
example, y000000000028_Security.enc for y000000000028.cfg file, account_Security.enc for account.cfg). These tools
generate another new file named as Aeskey.txt to store the plaintext 16-character symmetric keys for each con-
figuration file.
Configuration Files Encryption and Decryption
Encrypted configuration files can be downloaded from the provisioning server to protect against unauthorized access
and tampering of sensitive information (for example, login passwords, registration information).
You can encrypt the configuration files using the encryption tools. You can also configure the <MAC>-local.cfg files
to be automatically encrypted using 16-character symmetric keys when uploading to the server (by setting "stat-
ic.auto_provision.encryption.config" to 1).
For security reasons, you should upload encrypted configuration files, <xx_Security>.enc files to the root directory of
the provisioning server. During auto provisioning, the IP phone requests to download the boot file first and then down-
load the referenced configuration files. For example, the IP phone downloads an encrypted account.cfg file. The IP
phone will request to download <account_Security>.enc file (if enabled) and decrypt it into the plaintext key (for
example, key2) using the built-in key (for example, key1). Then the IP phone decrypts account.cfg file using key2. After
decryption, the IP phone resolves configuration files and updates configuration settings onto the IP phone system.
Contact Files Encryption and Decryption
Encrypted contact files can be used to protect against unauthorized access and tampering of private information (for
example, contact number). It is helpful for protecting trade secrets.
You can configure the contact files to be automatically encrypted using 16-character symmetric keys (configured by
"static.auto_provision.aes_key_16.mac") when uploading to the server (by setting "static.auto_pro-
vision.encryption.directory=1"). The encrypted contact files have the same file names as before. The encrypted contact
files can be downloaded from the server and decrypted using 16-character symmetric keys during auto provisioning. If
the parameter "static.auto_provision.aes_key_16.mac" is left blank, "static.auto_provision.aes_key_16.com" will be used.
If the downloaded contact files are encrypted, the IP phone will try to decrypt <MAC>-contact.xml file using the plain-
text AES key. After decryption, the IP phone resolves contact files and updates contact information onto the IP phone
system.
Encryption and Decryption Configuration
The following table lists the parameters you can use to configure the encryption and decryption.
390