Secure connection with media encryption (SRTP)


In this article, you will learn how to encrypt communication, so that no one will be able to eavesdrop on conversations between extensions on Asterisk.

We will not describe how to generate certificates as this has already been explained in previous articles:

Interestingly, even if your SIP communication is encrypted, unencrypted RTP traffic can still be intercepted.

1) Prerequisites

SRTP support is provided by libsrtp. libsrtp must be installed on your computer before compiling Asterisk, otherwise you will see the following error:

ERROR[10167]: chan_sip.c:27987 setup_srtp: No SRTP module loaded, can't setup SRTP session.

If necessary, recompile Asterisk with libsrtp selected.

2) SRTP media encryption

2.1) SIP channels

To enable encryption for SIP extensions, add encryption=yes to individual extensions or globally in the [general] section.


2.2) PJSIP channels

To enable encryption for PJSIP extensions, add media_encryption to the individual extensions.

This variable can have one of the following values:

  • no – res_pjsip will offer no encryption and allow no encryption to be set up (default option)
  • sdes – res_pjsip will offer standard SRTP setup via in-SDP keys (encrypted SIP transport should be used in conjunction with this option to prevent exposure of media encryption keys)
  • dtls – res_pjsip will offer DTLS-SRTP setup

Additionally, you can use the media_encryption_optimistic variable to not enforce encryption, but to treat it as an option for phones that support it.


As a result, not only the SIP communication but also the RTP media will be encrypted.

Published on: August 6th, 2021. Categories: Tutorials.