Encrypt Configuration Files - Polycom CX5500 Administrator's Manual

Polycom CX5500 Unified Conference Station Administrator's Guide

Encrypt Configuration Files

The phone can recognize encrypted files. Phones can download encrypted files from the provisioning
server and can encrypt files before uploading them to the provisioning server. There must be an
encryption key on the phone to perform these operations. You can encrypt configuration files (excluding
the master configuration file), contact directories, and configuration override files.
You can generate your own 32 hex-digit, 128 bit key or use Polycom's Software Development Kit (SDK)
to generate a key and to encrypt and decrypt configuration files on a UNIX or Linux server. The SDK is
distributed as source code that runs under the UNIX operating system.
Web Info: Using the SDK to Encrypt Configuration Files
To request the SDK and quickly install the generated key, see
Polycom UC Software Configuration
The SDK generates a random key and applies Advanced Encryption Standard (AES) 128 in Cipher Block
Chaining (CBC) mode. For example, a key can look like this:
Crypt=1;KeyDesc=companyNameKey1;Key=06a9214036b8a15b512e03d53412006;
The device.set, device.sec.configEncryption.key, and
device.sec.configEncryption.key.set configuration file parameters are used to set the key on
the phone.
If the phone doesn't have a key, it must be downloaded to the phone in plain text (a potential security
concern if not using HTTPS). If the phone already has a key, a new key can be downloaded to the phone
encrypted using the old key.
Polycom recommends that you give each key a unique descriptive string in order to identify which key
was used to encrypt a file. This makes provisioning server management easier.
After encrypting a configuration file, it is useful to rename the file to avoid confusing it with the original
version, for example rename site.cfg to site.enc. However, the directory and override filenames cannot
be changed in this manner.
Troubleshooting: My Phone Keeps Displaying an Error Message for My Encrypted File
If a phone downloads an encrypted file that it cannot decrypt, the action is logged, and an error
message displays. The phone will continue to do this until the provisioning server provides an
encrypted file that can be read, an unencrypted file, or the file is removed from the master
configuration file list.
To check whether an encrypted file is the same as an unencrypted file:
1 Run the configFileEncrypt utility (available from
"-d" option. This shows the "digest" field.
2 Look at the encrypted file using text editor and check the first line that shows a "Digest=...." field. If
the two fields are the same, then the encrypted and unencrypted file are the same.
Polycom, Inc.
Quick Tip 67442: When Encrypting
Files.
Polycom Support) on the unencrypted file with the
1.1.0
219