====== Secure Configuration File ======

===== Signed Configuration File =====

  * Signed by TFTP server
  * Prevents tampering with configuration files on TFTP server or in transit.

{{cucm-sconf1.png|}}

===== Encrypted Configuration File =====

  * Supported on:
    * 7905, 7912 SIP Phones
    * 797[015], 796[125], 794[125], 7931, 7911, and 7906 SCCP phones
  * If the phone has a certificate
    * CUCM uses the public key of the phone to encrypt the configuration file
  * If the phone does not have a certificate, the encryption key must be manually entered into the phone
    * 7905 and 7912 do not support CUCM PKI
    * 7940 and 7960 do not support CUCM PKI when running SIP
    * 7905 and 7912 have a writable web server
      * Copy and paste the key into the phone using web access to the phone
    * 7941 and 7960 have a read-only web server
      * Manually enter the key into the phone using the phone keypad

===== Encrypted ConfFile Configuration =====

==== Secure Mode ====

  * Verify that the cluster security mode is set to Secure.
  * Follow steps in [[cucm-pki|Public Key Infrastructure (PKI)]]

==== Phone Security Profile ====

  * Under **System > Phone Security Profile**
  * Create phone security profile

{{cucm-sconf2.png|}}

  * Check the **TFTP Encrypted Config** check box

==== Phone config ====

  * Apply the phone security profile to the phone(s).
  * For phones that do not have certificates, set a symmetric file encryption key in the Phone configuration window

{{cucm-sconf3.png|}}

==== Phone ====

  * Enter the symmetric configuration file encryption key into phones that do not have certificates
  * The key must match the one configured on CUCM