Yealink Forums

[FAQ] How to Encrypt Configuration Files and Deploy Them?
Configuration files contain sensitive information such as user accounts, login passwords or registration information. To protect sensitive information from tampering, you must encrypt configuration files.

Yealink provides tools for encrypting configuration files on both the Windows and Linux platforms.
Refer to the Yealink Configuration Encryption Tool User Guide for more details.

The information applies to Yealink SIP-T28P, SIP-T26P, SIP-T22P, SIP-T20P, SIP-T21P, SIP-T19P, SIP-T46G, SIP-T42G and SIP-T41P IP phones running firmware version 71 or later.

1. Configuring Yealink IP Phones

To ensure no plaintext configurations and keys are transmitted across the network, you need to configure the following parameters using configuration files first.

(1). Add/Edit the following parameters in configuration files.
[Image: attachment.php?aid=715]

(2). Upload configuration files to the root directory of the provisioning server and trigger IP phones to perform an auto provisioning for configuration update.
For more information on auto provisioning, refer to Yealink IP Phones Auto Provisioning Guide.

Scenario Conditions (for example):
Code:
>> The administrator wants to encrypt configuration files to protect sensitive information in configuration files from tampering.
>> SIP-T28 IP phone MAC: 0015651137F6.
>> auto_provision.aes_key_in_file = 1 (Enable the IP phone to download y000000000000_Security.enc and 0015651137F6_Security.enc files during auto provisioning)
>> auto_provision.update_file_mode = 1 (Enable the IP phone to update encrypted configuration settings only during auto provisioning)
>> auto_provision.aes_key_16.com = 1234 (The parameter value can be set to an arbitrary value, but cannot be blank)
>> auto_provision.aes_key_16.mac = 1234 (The parameter value can be set to an arbitrary value, but cannot be blank)
If your IP phones are running firmware released after November 2013, parameters “auto_provision.aes_key_16.com” and “auto_provision.aes_key_16.mac” will not be needed in the above scenario.

2. Configuration Encryption Tool on Windows Platform or Linux Platform

(1) Windows Platform
This tool supports Microsoft Windows XP and Windows 7 (both 32-bit and 64-bit) systems.

To encrypt configuration files:
<1>. Double-click “Config_Encrypt_Tool.exe” to start the application tool.
The screenshot of the main page is shown below:
[Image: attachment.php?aid=716]

When you start the application tool, a file folder named “Encrypted” is created automatically in the directory where the application tool is located.
<2>. Click Browse to locate configuration file(s) (e.g. y000000000000.cfg) from your local system in the Select File(s) field. To select multiple configuration files, you can select the first file and then press and hold the Ctrl key and select the next files.
<3>. (Optional.) Click Browse to locate a target directory from your local system in the Target Directory field.
The tool uses the file folder “Encrypted” as the target directory by default.
<4>. (Optional.) Mark the desired radio box in the AES Model field.
If you mark the Manual radio box, you can enter an AES key in the AES KEY field or click Re-Generate to generate an AES key in the AES KEY field. The configuration file(s) will be encrypted using the AES key in the AES KEY field.
If you mark the Auto Generate radio box, the configuration file(s) will be encrypted using a random AES key. Each configuration file gets a different AES key.
AES keys must be 16 characters long. Supported characters are: 0 ~ 9, A ~ Z, a ~ z.
<5>. Click Encrypt to encrypt the configuration file(s).
<6>. Click OK.
The target directory will be automatically opened. You can find the encrypted CFG file(s), encrypted key file(s) and an Aeskey.txt file storing plaintext AES key(s).

(2) Linux Platform

To encrypt configuration files:
<1>. Place the encryption tool “yealinkencrypt” and configuration files in the same directory.
<2>. Open a terminal window.
<3>. Execute the cd command to change to the directory where the encryption tool is stored. For example, execute cd /tmp to change to the /tmp directory.
<4>. Execute one of the following commands according to your requirements:

- If you want to encrypt one or multiple specified configuration files, you need to execute the following command:
Code:
./yealinkencrypt -f file1.cfg [file2.cfg ...] [-p DESTPATH(Default as 'Encrypted')] [-k AESKEY(Default as random)]
Example:
Code:
[root@localhost tmp]#./yealinkencrypt -f y000000000000.cfg -p /home/test -k 0123456789123456
AES Key: 0123456789123456
Generate Security Key File...
Generate Encrypt Config File...
Write file to /home/test/Aeskey.txt!
Write file to /home/test/y000000000000_Security.enc!
Read file y000000000000.cfg!
Write file to /home/test/y000000000000.cfg!
This tool will encrypt the y000000000000.cfg file using the AES key 0123456789123456. You can find the encrypted y000000000000.cfg file, y000000000000_Security.enc file and an Aeskey.txt file storing the plaintext AES key 0123456789123456 in the specified directory.
- If you want to encrypt configuration files in batch using a random AES key, you need to execute the following command:
Code:
./yealinkencrypt -f *.cfg [-p DESTPATH(Default as 'Encrypted')] -m
Example:
Code:
[root@localhost tmp]#./yealinkencrypt  -f *.cfg  -p /home/test  -m
Generate AES Key...
Write file to /home/test/Aeskey.txt!
Write file to /home/test/0015652ac1cc_Security.enc!
Read file 0015652ac1cc.cfg!
Write file to /home/test/0015652ac1cc.cfg!
Write file to /home/test/Aeskey.txt!
Write file to /home/test/y000000000000_Security.enc!
Read file y000000000000.cfg!
Write file to /home/test/y000000000000.cfg!
This tool will encrypt all CFG files using random AES keys (each CFG file corresponds to a random AES key). You can find the encrypted CFG files, encrypted key files and an Aeskey.txt file storing the plaintext AES keys in the specified directory.

- If you want to encrypt configuration files in batch using a specified AES key, you need to execute the following command:
Code:
./yealinkencrypt -f *.cfg [-p DESTPATH(Default as 'Encrypted')] -k 0123456789123456
Example:
Code:
[root@localhost tmp]#./yealinkencrypt  -f *.cfg  -p /home/test  -k 0123456789123456
AES Key: 0123456789123456
Generate Security Key File...
Generate Encrypt Config File...
Write file to /home/test/Aeskey.txt!
Write file to /home/test/0015652ac1cc_Security.enc!
Read file 0015652ac1cc.cfg!
Write file to /home/test/0015652ac1cc.cfg!
Write file to /home/test/Aeskey.txt!
Write file to /home/test/y000000000000_Security.enc!
Read file y000000000000.cfg!
Write file to /home/test/y000000000000.cfg!
This tool will encrypt all CFG files using a specified AES key. You can find the encrypted CFG files, encrypted key files and an Aeskey.txt file storing the plaintext AES key in the specified directory.

AES keys must be 16 characters long. Supported characters are: 0 ~ 9, A ~ Z, a ~ z.

3. Deploying Yealink IP phones using encrypted configuration files and AES keys

Scenario Operations:
(1). The administrator encrypts y000000000000.cfg and 0015651137F6.cfg files and then uploads y000000000000_Security.enc, 0015651137F6_Security.enc, y000000000000.cfg (encrypted) and 0015651137F6.cfg (encrypted) files to the root directory of the provisioning server.
(2). Reboot the IP phone to trigger the auto provisioning process. For more information, refer to Yealink IP Phones Auto Provisioning Guide.

During auto provisioning, the IP phone requests to download the y000000000000.cfg file first. Because the downloaded configuration file is encrypted, the IP phone requests to download the y000000000000_Security.enc file and then decrypts it into the plaintext key (e.g., key2) using the built-in key (e.g., key1). The IP phone then decrypts the configuration file using key2. After decryption, the IP phone resolves configuration files and updates configuration settings onto the IP phone system. If the downloaded configuration file is not encrypted, the IP phone will not request to download y000000000000_Security.enc file and update configuration settings in the configuration file onto the IP phone system.
The IP phone processes the <MAC>.cfg file in the same way as the y000000000000.cfg file.

For more details, refer to the auto provisioning flowchart for Yealink IP phones below. The way the IP phone processes the MAC-Oriented CFG file is the same as that of the Common CFG file.

[Image: attachment.php?aid=722]
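
A pre-upload check for the target directory produced by the encryption tool, added here as an example (it is not part of Yealink's tooling). It applies the 16-character key rule and flags three conditions: Aeskey.txt, which holds the plaintext AES keys and is not among the files the scenario uploads, is still present; a .cfg has no matching _Security.enc; or a .cfg still contains readable settings. The function names and the plaintext heuristic (a dotted `name = value` line, like the parameters shown above) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of Yealink's tooling. Function names are hypothetical.

# valid_aes_key KEY: succeed only for exactly 16 characters from 0-9, A-Z, a-z.
valid_aes_key() (
    LC_ALL=C   # byte-wise length and ASCII-only ranges
    [ "${#1}" -eq 16 ] || exit 1
    case $1 in *[!0-9A-Za-z]*) exit 1 ;; esac
    exit 0
)

# looks_plaintext FILE: heuristic (assumption): a readable dotted
# "group.name = value" line means the file was not encrypted.
looks_plaintext() {
    LC_ALL=C grep -Eq '^[[:space:]]*[A-Za-z_]+\.[A-Za-z0-9_.]+[[:space:]]*=' "$1"
}

# audit_staging DIR: print findings; exit status is the number of findings.
audit_staging() {
    dir=$1
    findings=0
    if [ -e "$dir/Aeskey.txt" ]; then
        echo "FAIL: Aeskey.txt (plaintext AES keys) is present in $dir"
        findings=$((findings + 1))
    fi
    for cfg in "$dir"/*.cfg; do
        [ -e "$cfg" ] || continue          # glob matched nothing
        name=${cfg##*/}
        if [ ! -s "${cfg%.cfg}_Security.enc" ]; then
            echo "FAIL: ${name%.cfg}_Security.enc is missing or empty"
            findings=$((findings + 1))
        fi
        if looks_plaintext "$cfg"; then
            echo "FAIL: $name still contains plaintext settings"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Stand-alone use: sh audit.sh /path/to/staging
[ $# -eq 0 ] || audit_staging "$1"
```

Run it against the directory you are about to copy to the provisioning server root; a non-zero exit status is the number of findings.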
