In this article, you will learn how to encrypt communication, so that no one will be able to eavesdrop on conversations between extensions on Asterisk.
We will not describe how to generate certificates as this has already been explained in previous articles:
- Asterisk security – using self-signed SSL Certificate for TLS registration
- How to generate Let’s Encrypt certificate in CentOS 7/8
Interestingly, even if your SIP communication is encrypted, unencrypted RTP traffic can still be intercepted. Securing the media stream itself requires media encryption (SRTP).
1) Prerequisites
SRTP support is provided by libsrtp. libsrtp must be installed on your computer before compiling Asterisk, otherwise you will see the following error:
ERROR[10167]: chan_sip.c:27987 setup_srtp: No SRTP module loaded, can't setup SRTP session.
If necessary, recompile Asterisk with libsrtp selected.
2) SRTP media encryption
2.1) SIP channels
To enable encryption for SIP extensions, add encryption=yes to individual extensions or globally in the [general] section.
encryption=yes
2.2) PJSIP channels
To enable encryption for PJSIP extensions, add media_encryption to the individual extensions.
This variable can have one of the following values:
- no – res_pjsip will offer no encryption and allow no encryption to be set up (default option)
- sdes – res_pjsip will offer standard SRTP setup via in-SDP keys (encrypted SIP transport should be used in conjunction with this option to prevent exposure of media encryption keys)
- dtls – res_pjsip will offer DTLS-SRTP setup
Additionally, you can use the media_encryption_optimistic variable to not enforce encryption, but to treat it as an option for phones that support it.
media_encryption=sdes
media_encryption_optimistic=yes
As a result, not only SIP communication will be encrypted but also RTP media.
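The following audit script is an added example, not part of the original article or of Asterisk. It reads a pjsip.conf and reports endpoints whose media can still travel as plain RTP, or whose SDES keys are not covered by an encrypted SIP transport. It assumes each endpoint names its transport with the transport option and each transport section sets protocol (both are pjsip.conf options not shown in the article), and it does not resolve templates or #include files.

```python
# Constructed sample pjsip.conf (section names and values are illustrative).
SAMPLE = """
[transport-udp]
type=transport
protocol=udp
[transport-tls]
type=transport
protocol=tls
[6001]
type=endpoint
transport=transport-tls
media_encryption=sdes
[6002]
type=endpoint
transport=transport-udp
media_encryption=sdes
[6003]
type=endpoint
transport=transport-tls
media_encryption=sdes
media_encryption_optimistic=yes   ; plain RTP still accepted
[6004]
type=endpoint
"""

def parse_sections(text):
    sections = []                                    # (name, options); names may repeat
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if line.startswith("[") and "]" in line:
            sections.append((line[1:line.index("]")], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.lstrip(">").strip().lower()
    return sections

def audit(text):
    sections = parse_sections(text)
    proto = {n: o.get("protocol", "udp") for n, o in sections if o.get("type") == "transport"}
    findings = []                                    # (endpoint, problem) pairs
    for name, o in (s for s in sections if s[1].get("type") == "endpoint"):
        enc = o.get("media_encryption", "no")        # "no" is the default
        if enc == "no":
            findings.append((name, "no media encryption: RTP sent in clear"))
        elif o.get("media_encryption_optimistic") in ("yes", "true", "1", "on"):
            findings.append((name, "optimistic: encryption not enforced"))
        if enc == "sdes" and proto.get(o.get("transport")) not in ("tls", "wss"):
            findings.append((name, "sdes keys not protected by a TLS transport"))
    return findings
```

Calling audit() on the text of your own pjsip.conf returns a list of (endpoint, problem) pairs; an empty list means every endpoint enforces SRTP and every SDES endpoint is bound to a TLS or WSS transport.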