Encrypted Files on the IP Phone
7-2 41-001160-00, Release 2.1, Rev 04
IP Phone Administrator Guide
Encryption and the IP Phone
Encrypted Files on the IP Phone
An encryption feature for the IP phone allows Service Providers the capability of
storing encrypted files on their server to protect against unauthorized access and
tampering of sensitive information (i.e., user accounts, login passwords,
registration information). Service Providers also have the capability of locking a
phone to use a specific server-provided configuration only.
Configuration File Encryption Method
Only a System Administrator can encrypt/decrypt the configurations files for an
IP Phone.
System Administrators use a password distribution scheme to manually
pre-configure or automatically configure the phones to use the encrypted
configuration with a unique key.
From a Microsoft Windows command line, the System Administrator uses an
Aastra-supplied encryption tool called "anacrypt.exe".
This tool processes the plain text <mac>.cfg and aastra.cfg files and creates
triple-DES encrypted versions called <mac>.tuz and aastra.tuz. Encryption is
performed using a secret password that is chosen by the administrator.
The encryption tool is also used to create an additional encrypted tag file called
security.tuz, which controls the decryption process on the IP phones. If
security.tuz is present on the TFTP/FTP/HTTP server, the IP phones download it
and use it locally to decrypt the configuration information from the aastra.tuz and
<mac>.tuz files. Because only the encrypted versions of the configuration files
need to be stored on the server, no plain-text configuration or passwords are sent
across the network, thereby ensuring security of the configuration data.
Note: Aastra also supplies encryption tools to support Linux platforms
(anacrypt.linux) and Solaris platforms (anacrypt.sunos) if required.