TFTP Encrypted Configuration Files Overview
Warning: If you have enabled the digest authentication option for SIP phones and disabled the TFTP encrypted configuration option, the digest credentials are sent in cleartext.
After TFTP configuration, the TFTP server:
- Deletes all the cleartext configuration files on disk
- Generates encrypted versions of the configuration files
If the phone supports encrypted phone configuration files and you have performed the tasks for phone configuration file encryption, the phone requests an encrypted version of the configuration file.
Some phones don't support encrypted phone configuration files. The phone model and protocol determine the method that the system uses to encrypt the configuration file. Supported methods rely on Unified Communications Manager functionality and a firmware load that supports encrypted configuration files. If you downgrade the phone firmware load to a version that doesn't support encrypted configuration files, the TFTP server offers an unencrypted configuration file that provides minimal configuration settings, and the phone may not perform as expected.
Encryption Key Distribution
To ensure that you maintain the privacy of the key information, we recommend that you perform the tasks that are associated with encrypted phone configuration files in a secure environment.
Unified Communications Manager supports the following methods:
- Manual key distribution
- Symmetric key encryption with a phone public key
The setup information provided for manual key distribution and for symmetric key encryption with a phone public key assumes that you have configured mixed mode and enabled the TFTP Encrypted Config option in Cisco Unified CM Administration.
TFTP Encrypted Configuration Files Tips
We recommend that you enable the TFTP Encrypted Config option to secure confidential data in phone downloads. For phones that don't have PKI capabilities, you must also configure a symmetric key in Unified Communications Manager Administration and in the phone. If the symmetric key is missing from either the phone or Unified Communications Manager, or if the two keys do not match while the TFTP Encrypted Config option is enabled, the phone can't register.
Consider the following information when you configure encrypted configuration files in Unified Communications Manager:
- Only phones that support encrypted configuration files display the TFTP Encrypted Config check box in the Phone Security Profile Configuration page. You can't configure encrypted configuration files for Cisco Unified IP Phones 7800, 7942, and 7962 (SCCP only) because these phones don't receive confidential data in the configuration file download.
- By default, the TFTP Encrypted Config check box is unchecked. If you apply this default setting (the non-secure profile) to the phone, the digest credentials and secured passwords are sent in cleartext.
- For Cisco Unified IP Phones that use public key encryption, Unified Communications Manager does not require you to set the Device Security Mode to Authenticated or Encrypted to enable encrypted configuration files. Unified Communications Manager uses the CAPF process to download the phone's public key during registration.
- You may choose to download unencrypted configuration files to the phones if you know that your environment is secure, or to avoid manually configuring symmetric keys for phones that are not PKI-enabled. However, we don't recommend this method.
- For Cisco Unified IP Phones 7800, 7942, and 7962 (SIP only), Unified Communications Manager provides a method of sending digest credentials to the phone that is easier, but less secure, than using an encrypted configuration file. This method, which uses the Exclude Digest Credential in Configuration File setting, is useful for initializing digest credentials because it doesn't require you to first configure a symmetric key and enter it on the phone. With this method, you send the digest credentials to the phone in an unencrypted configuration file. After the credentials are in the phone, we recommend that you disable the TFTP Encrypted Config option and then enable Exclude Digest Credential in Configuration File on the Phone Security Profile Configuration page. This excludes digest credentials from future downloads.
- After digest credentials exist in these phones and an incoming file doesn't contain digest credentials, the existing credentials remain in place. The digest credentials remain intact until the phone is factory reset or new credentials (including blanks) are received. If you change digest credentials for a phone or end user, temporarily disable Exclude Digest Credential in Configuration File on the corresponding Phone Security Profile Information page to download the new digest credentials to the phone.
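The rules above (cleartext digest credentials when encryption is off, registration failure when a non-PKI phone's symmetric key is missing or mismatched) can be checked mechanically against exported profile settings. The following is an added example, not Cisco code; the `PhoneSecurityProfile` field names are assumptions that mirror the check box names on this page, and the sample profiles are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PhoneSecurityProfile:
    """Constructed model of a Phone Security Profile; field names are assumptions."""
    name: str
    protocol: str                               # "SIP" or "SCCP"
    pki_capable: bool                           # phone can use public-key (CAPF) encryption
    tftp_encrypted_config: bool                 # "TFTP Encrypted Config" check box
    digest_authentication: bool                 # digest authentication enabled (SIP)
    exclude_digest_credential: bool             # "Exclude Digest Credential in Configuration File"
    cucm_symmetric_key: Optional[str] = None    # symmetric key configured on Unified CM
    phone_symmetric_key: Optional[str] = None   # symmetric key entered on the phone


def audit_profile(p: PhoneSecurityProfile) -> List[str]:
    """Return the exposures or registration failures these settings imply."""
    findings: List[str] = []
    if not p.tftp_encrypted_config:
        # Unencrypted download: digest credentials appear in cleartext unless the
        # profile excludes them from the file; secured passwords always do.
        if p.protocol == "SIP" and p.digest_authentication and not p.exclude_digest_credential:
            findings.append("digest credentials are sent in cleartext")
        findings.append("secured passwords in the configuration file are sent in cleartext")
    elif not p.pki_capable:
        # Non-PKI phone with encryption on: both sides need the same symmetric key.
        if not p.cucm_symmetric_key or not p.phone_symmetric_key:
            findings.append("symmetric key missing on Unified CM or phone: phone cannot register")
        elif p.cucm_symmetric_key != p.phone_symmetric_key:
            findings.append("symmetric key mismatch: phone cannot register")
    return findings


# Constructed sample profiles covering the cases discussed on this page.
SAMPLE_PROFILES = [
    PhoneSecurityProfile("sip-default", "SIP", True, False, True, False),
    PhoneSecurityProfile("sip-exclude-digest", "SIP", False, False, True, True),
    PhoneSecurityProfile("nonpki-mismatch", "SIP", False, True, True, False, "k1", "k2"),
    PhoneSecurityProfile("pki-encrypted", "SIP", True, True, True, False),
]

if __name__ == "__main__":
    for profile in SAMPLE_PROFILES:
        print(profile.name, audit_profile(profile) or ["ok"])
```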