04-15-2014, 04:43 PM
Configuration files contain sensitive information such as user accounts, login passwords or registration information. To protect sensitive information from tampering, you must encrypt configuration files.
Yealink provides tools for encrypting configuration files on the Windows and Linux platforms.
Refer to the Yealink Configuration Encryption Tool User Guide for more details.
The information applies to Yealink SIP-T28P, SIP-T26P, SIP-T22P, SIP-T20P, SIP-T21P, SIP-T19P, SIP-T46G, SIP-T42G and SIP-T41P IP phones running firmware version 71 or later.
1. Configuring Yealink IP Phones
To ensure no plaintext configurations and keys are transmitted across the network, you need to configure the following parameters using configuration files first.
(1). Add/Edit the following parameters in configuration files.
(2). Upload configuration files to the root directory of the provisioning server and trigger IP phones to perform auto provisioning for the configuration update.
For more information on auto provisioning, refer to the Yealink IP Phones Auto Provisioning Guide.
Scenario Conditions (for example):
Code:
>> The administrator wants to encrypt configuration files to protect sensitive information in configuration files from tampering.
>> SIP - T28 IP phone MAC: 0015651137F6.
>> auto_provision.aes_key_in_file =1 (Enable the IP phone to download y000000000000_Security.enc and 0015651137F6_Security.enc files during auto provisioning)
>> auto_provision.update_file_mode =1 (Enable the IP phone to update encrypted configuration settings only during auto provisioning)
>> auto_provision.aes_key_16.com = 1234 (The parameter value can be set to an arbitrary value, but cannot be blank)
>> auto_provision.aes_key_16.mac = 1234 (The parameter value can be set to an arbitrary value, but cannot be blank)
If your IP phones are running firmware released after November 2013, the parameters “auto_provision.aes_key_16.com” and “auto_provision.aes_key_16.mac” will not be needed in the above scenario.
2. Configuration Encryption Tool on Windows Platform or Linux Platform
(1) Windows Platform
This tool supports Microsoft Windows XP and Windows 7 (both 32-bit and 64-bit) systems.
To encrypt configuration files:
<1>. Double click “Config_Encrypt_Tool.exe” to start the application tool.
When you start the application tool, a file folder named “Encrypted” is created automatically in the directory where the application tool is located.
<2>. Click Browse to locate configuration file(s) (e.g. y000000000000.cfg) from your local system in the Select File(s) field. To select multiple configuration files, select the first file, then press and hold the Ctrl key and select the next files.
<3>. (Optional.) Click Browse to locate a target directory from your local system in the Target Directory field.
The tool uses the file folder “Encrypted” as the target directory by default.
<4>. (Optional.) Mark the desired radio box in the AES Model field.
If you mark the Manual radio box, you can enter an AES key in the AES KEY field or click Re-Generate to generate an AES key in the AES KEY field. The configuration file(s) will be encrypted using the AES key in the AES KEY field.
If you mark the Auto Generate radio box, the configuration file(s) will be encrypted using a random AES key. Each configuration file gets a different AES key.
AES keys must be 16 characters long, and the supported characters are: 0 ~ 9, A ~ Z, a ~ z.
<5>. Click Encrypt to encrypt the configuration file(s).
<6>. Click OK.
The target directory will be automatically opened. You can find the encrypted CFG file(s), encrypted key file(s) and an Aeskey.txt file storing plaintext AES key(s).
(2) Linux Platform
To encrypt configuration files:
<1>. Place the encryption tool “yealinkencrypt” and configuration files in the same directory.
<2>. Open a terminal window.
<3>. Execute the cd command to change to the directory where the encryption tool is stored. For example, execute cd /tmp to change to the /tmp directory.
<4>. Execute one of the following commands according to your requirements:
- If you want to encrypt one or multiple specified configuration files, you need to execute the following command:
Code:
./yealinkencrypt -f file1.cfg [file2.cfg ...] [-p DESTPATH(Default as 'Encrypted')] [-k AESKEY(Default as random)]
Example:
Code:
[root@localhost tmp]#./yealinkencrypt -f y000000000000.cfg -p /home/test -k 0123456789123456
AES Key: 0123456789123456
Generate Security Key File...
Generate Encrypt Config File...
Write file to /home/test/Aeskey.txt!
Write file to /home/test/y000000000000_Security.enc!
Read file y000000000000.cfg!
Write file to /home/test/y000000000000.cfg!
This tool will encrypt the y000000000000.cfg file using the AES key 0123456789123456. You can find the encrypted y000000000000.cfg file, y000000000000_Security.enc file and an Aeskey.txt file storing the plaintext AES key 0123456789123456 in the specified directory.
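
The tool writes a plaintext Aeskey.txt next to the encrypted files, and a manual key must be 16 characters from 0 ~ 9, A ~ Z, a ~ z. The shell functions below are an added example, not part of the original post or of Yealink's tooling: they produce and check a key for the -k option and audit the output directory before it is uploaded to the provisioning server. The function names, the finding labels and the "name = value" test for unencrypted files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Yealink's code. It does not run yealinkencrypt; it prepares
# a key for the tool's -k option and audits the tool's output directory.

# Succeed only for exactly 16 characters, all from 0-9 A-Z a-z.
valid_aes_key() (
    LC_ALL=C
    case "$1" in
        *[!0-9A-Za-z]*) exit 1 ;;
    esac
    [ "${#1}" -eq 16 ]
)

# Draw a key from the kernel CSPRNG, keeping only the allowed characters;
# retry in the unlikely case that fewer than 16 of them survive the filter.
gen_aes_key() {
    gen_key=
    until valid_aes_key "$gen_key"; do
        gen_key=$(head -c 256 /dev/urandom | LC_ALL=C tr -dc '0-9A-Za-z' | cut -c 1-16)
    done
    printf '%s\n' "$gen_key"
}

# Print one finding per line for a directory about to be copied to the
# provisioning server root; return 1 if anything was found, 0 otherwise.
audit_provisioning_dir() {
    audit_dir=$1
    audit_rc=0
    # Aeskey.txt stores the plaintext AES key(s) and must not be served.
    if [ -e "$audit_dir/Aeskey.txt" ]; then
        echo "PLAINTEXT_KEY Aeskey.txt"
        audit_rc=1
    fi
    for audit_cfg in "$audit_dir"/*.cfg; do
        [ -e "$audit_cfg" ] || continue
        audit_name=$(basename "$audit_cfg" .cfg)
        # Assumption: an unencrypted file still has readable "name = value" lines.
        if LC_ALL=C grep -aqE '^[[:space:]]*[A-Za-z0-9_.]+[[:space:]]*=' "$audit_cfg"; then
            echo "UNENCRYPTED $audit_name.cfg"
            audit_rc=1
        fi
        # With auto_provision.aes_key_in_file = 1 the phone also fetches <name>_Security.enc.
        if [ ! -e "$audit_dir/${audit_name}_Security.enc" ]; then
            echo "MISSING_KEYFILE ${audit_name}_Security.enc"
            audit_rc=1
        fi
    done
    return "$audit_rc"
}
```

Run `audit_provisioning_dir` on the target directory after encryption and move Aeskey.txt to restricted storage before uploading anything; a non-zero return means the directory is not ready to publish.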