In this article, you will learn how to encrypt communication, so that no one will be able to eavesdrop on conversations between extensions on Asterisk.
We will not describe how to generate certificates as this has already been explained in previous articles:
- Asterisk security – using self-signed SSL Certificate for TLS registration
- How to generate Let’s Encrypt certificate in CentOS 7/8
Note that even if your SIP signaling is encrypted, the RTP media stream is still sent in the clear and can be intercepted. Protecting the call itself requires media encryption (SRTP).
SRTP support is provided by
libsrtp must be installed on your computer before compiling Asterisk, otherwise you will see the following error:
ERROR: chan_sip.c:27987 setup_srtp: No SRTP module loaded, can't setup SRTP session.
If necessary, recompile Asterisk with
2) SRTP media encryption
2.1) SIP channels
To enable encryption for SIP extensions, add encryption=yes to individual extensions or globally in the
2.2) PJSIP channels
To enable encryption for PJSIP extensions, add media_encryption to the individual extensions.
This variable can have one of the following values:
- no – res_pjsip will offer no encryption and allow no encryption to be set up (default option)
- sdes – res_pjsip will offer standard SRTP setup via in-SDP keys (an encrypted SIP transport should be used in conjunction with this option, otherwise the media encryption keys are exposed in the signaling)
- dtls – res_pjsip will offer DTLS-SRTP setup
Additionally, you can use the media_encryption_optimistic variable to not enforce encryption, but to treat it as an option for phones that support it.
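The following pjsip.conf fragment is an added example (not from the original article) showing the plaintext default beside the hardened settings described above; the transport name, endpoint names and certificate paths are placeholders, and the matching auth and aor sections are omitted:

```ini
; ---- pjsip.conf (added example; names and paths are placeholders) ----

; TLS transport for signaling. With media_encryption=sdes the SRTP keys are
; carried inside the SDP, so they are only protected if signaling is too.
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1_2

; Weak: the default. Signaling in the clear, no SRTP offered or accepted,
; so both the call setup and the audio can be captured on the wire.
[1001-plain]
type=endpoint
context=internal
disallow=all
allow=ulaw
auth=1001
aors=1001
media_encryption=no

; Hardened: TLS signaling plus mandatory SDES-SRTP media. A phone that
; cannot do SRTP will fail to negotiate media rather than fall back.
[1001]
type=endpoint
context=internal
disallow=all
allow=ulaw
auth=1001
aors=1001
transport=transport-tls
media_encryption=sdes
media_encryption_optimistic=no

; Mixed fleet: same as above, but optimistic mode lets a phone without
; SRTP support still complete the call over plain RTP (weaker guarantee).
[1002]
type=endpoint
context=internal
disallow=all
allow=ulaw
auth=1002
aors=1002
transport=transport-tls
media_encryption=sdes
media_encryption_optimistic=yes
```

Keep media_encryption_optimistic=no wherever every phone supports SRTP; the optimistic setting silently downgrades to plain RTP for any device that does not offer it.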
As a result, not only SIP signaling but also RTP media will be encrypted.