VoIP Security Guide

VoIP Voice Encryption:
TLS & SRTP

10 min read · Updated April 2026

Unencrypted VoIP is a liability. Carriers are already mandating SRTP on trunk connections, regulators are tightening requirements for healthcare and finance, and the trajectory is clear — all VoIP traffic will eventually be encrypted end-to-end. Here's everything you need to implement it correctly.

In this guide

01Why encryption is becoming mandatory 02Two separate layers: signaling and media 03TLS for SIP signaling 04SRTP for media — SDES vs DTLS 05DTLS-SRTP in depth 06Common encryption failure modes 07Diagnosing from a SIP trace 08Implementation checklist 09Analyze your encryption configuration

1. Why encryption is becoming mandatory

For most of its history, VoIP ran unencrypted. SIP signaling over UDP in plaintext, RTP media in plaintext — anyone on the network path could intercept call content, harvest credentials from REGISTER messages, or inject forged SIP packets. The industry accepted this risk because encryption added complexity and the threat model seemed theoretical.

That calculus has changed. Several forces are converging:

Carrier mandates — Major US carriers and interconnect providers are beginning to require SRTP on SIP trunk connections. This is accelerating as STIR/SHAKEN implementation expands and carriers invest in network security infrastructure.
Regulatory pressure — HIPAA requires encryption of PHI in transit, which includes voice calls involving patient information. PCI-DSS scope increasingly covers VoIP infrastructure handling cardholder data. GDPR in Europe applies to voice communications containing personal data.
WebRTC normalization — WebRTC has made DTLS-SRTP the default for browser-based calls. As WebRTC-to-SIP interworking becomes standard, the expectation of encryption is spreading to traditional SIP infrastructure.
Zero-trust architecture — Organizations moving to zero-trust network models can't selectively exempt VoIP. If your network assumes breach, voice traffic needs to be encrypted like everything else.

The question for most VoIP engineers is no longer whether to implement encryption but how — and how to do it without breaking existing infrastructure.

2. Two separate layers: signaling and media

VoIP encryption requires securing two completely independent channels. Confusing them is the most common source of misconfiguration:

TLS / SIPS Encrypts SIP signaling — INVITE, REGISTER, BYE, auth credentials, call metadata

SRTP Encrypts RTP media — the actual audio (and video) of the call

Neither Unencrypted SIP over UDP/TCP — signaling and audio both in plaintext

TLS without SRTP means your credentials and call setup are protected but the actual voice conversation is unencrypted. Anyone who can tap the RTP stream can listen to the call.

SRTP without TLS means the audio is encrypted but the key exchange (which happens in the SDP) is unprotected. An attacker who intercepts the SIP signaling gets the SRTP keys and can decrypt the audio anyway.

Both layers must be implemented together for meaningful call security.

3. TLS for SIP signaling

SIP over TLS (SIPS) uses TCP port 5061 instead of the standard UDP/TCP port 5060. The TLS handshake occurs before any SIP messages are exchanged, establishing an encrypted channel for all subsequent signaling.

Certificate requirements

Each SIP server needs a valid TLS certificate with the server's hostname in the Subject Alternative Name (SAN). For internal infrastructure, you can use your own CA. For external trunk connections with carriers, use a publicly trusted CA (Let's Encrypt, DigiCert, etc.) — carriers will typically reject self-signed certificates.

TLS version requirements

Require TLS 1.2 minimum. TLS 1.3 is preferred. SSLv3, TLS 1.0, and TLS 1.1 are deprecated and should be explicitly disabled. Many carriers and enterprise SBCs now reject connections on deprecated TLS versions.

; Asterisk pjsip.conf — TLS transport configuration
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/server.crt
priv_key_file=/etc/asterisk/keys/server.key
ca_list_file=/etc/asterisk/keys/ca.crt
method=tlsv1_2          ; minimum TLS 1.2
verify_server=yes       ; validate peer certificates
verify_client=no        ; don't require client certs (typical for endpoints)

The SIPS URI scheme

A SIPS URI (sips:alice@example.com vs sip:alice@example.com) signals that TLS must be used for the entire path. If any hop in the path can't support TLS, the request fails rather than falling back to plaintext. Use SIPS URIs when you want to enforce end-to-end signaling security.

SRV records for TLS

Configure DNS SRV records for TLS transport so endpoints can discover the TLS endpoint automatically:

_sips._tcp.example.com. 300 IN SRV 10 1 5061 sip.example.com.

4. SRTP for media — SDES vs DTLS

SRTP encrypts the RTP media stream using AES. The key question is how the encryption keys are exchanged — and there are two main approaches:

SDES (SDP Security Descriptions)

SDES exchanges SRTP keys inline in the SDP body using a=crypto: lines. It's simple, widely supported, and works with any SIP transport.

m=audio 49172 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz

Critical limitation: SDES keys are in the SDP, which means if your SIP signaling isn't encrypted (TLS), your SRTP keys are in plaintext. SDES only provides real security when combined with TLS. Without TLS, SDES-encrypted media is trivially decryptable by anyone who can see the SIP signaling.

DTLS-SRTP (DTLS for key exchange)

DTLS-SRTP uses a separate DTLS handshake on the media channel itself to exchange keys, independent of the SIP signaling. This is the method used by WebRTC and is defined in RFC 5764.

m=audio 54321 UDP/TLS/RTP/SAVPF 111
a=fingerprint:sha-256 D2:FA:0E:C3:22:59...
a=setup:actpass
a=ice-ufrag:F7gI
a=ice-pwd:x9cml/YoukHPsfut84tuU73

Advantage: Because keys are exchanged on the media channel via DTLS, SRTP security doesn't depend on the SIP signaling being encrypted. Even if the SDP is intercepted, the keys aren't in it — they're negotiated separately.

Disadvantage: DTLS-SRTP requires ICE, which means it's incompatible with many traditional SIP endpoints and requires an SBC or media gateway to bridge WebRTC to legacy SIP.

Which to use?

For traditional SIP infrastructure: use SDES + TLS. For WebRTC or modern unified communications: use DTLS-SRTP. For mixed environments: your SBC handles the translation between the two at the boundary.

5. DTLS-SRTP in depth

DTLS-SRTP is increasingly important as WebRTC usage grows and as enterprises adopt UCaaS platforms. Understanding it is essential for engineers managing hybrid SIP/WebRTC environments.

The a=setup attribute

The a=setup: attribute in the SDP controls which endpoint acts as the DTLS client (active) and which acts as the server (passive):

a=setup:active — this endpoint initiates the DTLS handshake
a=setup:passive — this endpoint waits for the DTLS handshake
a=setup:actpass — this endpoint can do either (offer phase)
a=setup:holdconn — hold, no DTLS connection

A common failure: both endpoints set a=setup:active or both set a=setup:passive. The DTLS handshake never completes and there's no audio. If you see a=setup:active on both sides of an SDP exchange, that's your problem.

The fingerprint attribute

The a=fingerprint: line contains a hash of the DTLS certificate that will be used for key exchange. Both sides compare the fingerprint they receive in the SDP against the actual certificate presented during the DTLS handshake. A mismatch causes the DTLS handshake to fail with a certificate verification error.

Why DTLS needs ICE

DTLS-SRTP depends on ICE to establish the media path before DTLS can run. ICE selects the best candidate pair (direct, STUN-reflexive, or TURN relay) and DTLS runs on top of the established ICE connection. If ICE fails, DTLS never starts and there's no audio — not even unencrypted audio.

6. Common encryption failure modes

Failure 01

Certificate validation failure

The TLS handshake fails because the peer certificate is untrusted (self-signed, expired, wrong hostname in SAN, or from an untrusted CA). Often causes a silent failure — the TCP connection is established but the TLS handshake never completes, and the call drops with a 503 or timeout. Check server logs for SSL handshake errors.

Failure 02

Mixed encrypted/unencrypted legs

One leg of a call uses SRTP (RTP/SAVP) and the other uses plain RTP (RTP/AVP). The SBC or B2BUA in the middle must transcode the encryption — if it doesn't, the media path is either silent or produces a 488. This is the most common failure when migrating a mixed environment to encryption.

Failure 03

Cipher suite mismatch

The SDP crypto line specifies a cipher suite (AES_CM_128_HMAC_SHA1_80 is most common) that the remote endpoint doesn't support. Modern endpoints should support AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32. Offer both in your crypto lines. AES_256_CM_HMAC_SHA1_80 is less universally supported.

Failure 04

DTLS a=setup conflict

Both endpoints set a=setup:active (or both passive), so neither initiates (or both try to initiate) the DTLS handshake. DTLS never completes, ICE succeeds but there's no audio. Check the SDP answer — it should flip actpass to either active or passive.

Failure 05

SRTP key reuse after re-INVITE

A re-INVITE for hold/resume or codec change must generate new SRTP crypto keys. If the SDP in the re-INVITE reuses the same a=crypto: line with the same key from the initial INVITE, some implementations reject it or experience audio gaps after the re-INVITE.

Failure 06

TLS SNI mismatch

When connecting to an SBC or carrier that hosts multiple domains, TLS Server Name Indication (SNI) must include the correct hostname. If your SIP stack doesn't send SNI in the TLS ClientHello, the server may present the wrong certificate or refuse the connection entirely.

7. Diagnosing from a SIP trace

Check the transport indicator in Via headers

Via headers show which transport was used: SIP/2.0/UDP, SIP/2.0/TCP, or SIP/2.0/TLS. If you're expecting TLS and see UDP or TCP, the call isn't using encrypted signaling.

Check the m= line transport protocol

In the SDP, the m= line transport tells you what's negotiated for media:

m=audio 49172 RTP/AVP 0 — unencrypted RTP
m=audio 49172 RTP/SAVP 0 — SRTP with SDES key exchange
m=audio 49172 UDP/TLS/RTP/SAVPF 111 — DTLS-SRTP (WebRTC style)

Verify crypto lines are present and matching

For SDES, check that the INVITE SDP and 200 OK SDP both contain a=crypto: lines and that the cipher suite in the answer is one of the ones offered. A 200 OK without any crypto line when the INVITE had crypto lines means the remote end rejected SRTP and the call will proceed unencrypted (or fail if SRTP is required).

Check for a=fingerprint in DTLS deployments

Both sides of a DTLS-SRTP exchange must have a=fingerprint: lines. Verify the hash algorithm matches (sha-256 is standard). A fingerprint mismatch between what's in the SDP and what's presented in the DTLS handshake will cause a certificate verification failure.

Look for encryption indicators in call flow

; Good — SRTP negotiated
INVITE contains: m=audio 49172 RTP/SAVP 0
                 a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:...
200 OK contains: m=audio 63241 RTP/SAVP 0
                 a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:...

; Bad — SRTP offer rejected, fallback to RTP
INVITE contains: m=audio 49172 RTP/SAVP 0
                 a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:...
200 OK contains: m=audio 63241 RTP/AVP 0
                 (no crypto line)

8. Implementation checklist

Signaling (TLS)

Install valid TLS certificate with correct hostname in SAN on all SIP servers and SBCs
Enable TLS 1.2 minimum, disable SSLv3/TLS 1.0/TLS 1.1
Configure listening on port 5061 for TLS
Add _sips._tcp DNS SRV records
Set certificate renewal reminders — expired certs cause silent call failures
Test with openssl s_client -connect sip.example.com:5061 before deploying

Media (SRTP with SDES)

Enable SRTP on your PBX, SBC, and all endpoints
Offer both AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32 in crypto lines
Set SRTP policy to "required" once all endpoints are migrated — don't leave it as "optional" long-term
Ensure re-INVITEs generate new crypto keys
Configure your SBC to handle SRTP↔RTP transcoding at trust boundaries

For WebRTC/DTLS-SRTP environments

Ensure SBC supports DTLS-SRTP termination and SDES translation
Verify a=setup negotiation — offer should be actpass, answer should be active or passive
Confirm fingerprint attributes are generated fresh per call
Test ICE connectivity before assuming DTLS will work

Carrier trunk connections

Confirm carrier's SRTP requirements and supported cipher suites before configuring
Use publicly trusted TLS certificates for external trunk connections
Enable SDES or DTLS as required by the carrier — not all carriers support both
Test with a carrier-provided SIP test number before cutover

9. Analyze your encryption configuration

Paste your SIP trace into SIPSymposium. The analyzer checks TLS transport indicators in Via headers, validates SRTP crypto line negotiation, detects mixed encrypted/unencrypted legs, identifies DTLS setup conflicts, and flags calls where encryption was offered but not honored.

The Teams tier includes a compliance report that maps your encryption findings directly to SOC 2, PCI-DSS, and HIPAA controls — useful if you need to demonstrate encryption compliance to auditors.

Not sure if your calls are actually encrypted?

Paste your SIP trace into SIPSymposium. The analyzer identifies exactly what encryption is — and isn't — in use on your calls, and tells you what to fix to get to full TLS + SRTP coverage.

Analyze my trace Create free account

Related guides

VoIP Voice Encryption:TLS & SRTP