
Call Recording File Encryption/Decryption

Overview

The Mixer Service in the Voice Recording Solution (VRS) application is designed to combine the separate audio streams of an agent and customer into a single WAV file. To enhance security, the mixed WAV file is encrypted before storage. This ensures that files downloaded directly from the server remain secure and unplayable without proper decryption.

A separate Decryption Service API is available to decrypt the files on request. This API provides the decrypted file and its associated metadata, enabling playback only through authorized access via the VRS front end.


Workflow

1. Recording Mixing

  • The Mixer Service processes recordings from the Agent and Customer streams.

  • The two streams are combined into a single WAV file.

2. File Encryption

  • Once the WAV file is generated, it is encrypted using a hardcoded key in the service code.

  • The encrypted file is stored securely on the server.

  • Files downloaded directly from the server remain encrypted and unplayable without decryption.

3. Decryption and Playback

  • A backend API handles requests to decrypt the file.

  • The API decrypts the file using the same hardcoded key and provides:

    • The decrypted WAV file.

    • File metadata (e.g., recording duration, agent/customer IDs, timestamp).

  • Decrypted recordings are only accessible via the VRS front end, ensuring controlled playback.


Environment Configuration

Key Hard-coding

  • Key Location: The encryption and decryption key is currently hard-coded in the service code.

    • Note: Hard-coding is a temporary solution. For production environments, a secure key management system (e.g., AWS Secrets Manager, Vault) should be implemented.

 


Testing Process

Prerequisites

  • Ensure the VRS application and Mixer Service are properly deployed.

  • Verify that the SIP trunk is configured for call recordings.

  • Confirm that the Decryption Service API is accessible and functional.

Test Steps

Step 1: Make a Call

  1. Use Cisco Finesse to initiate and receive a test call.

  2. Ensure the call is recorded via the SIP trunk.

Step 2: Download the File Directly

  1. Access the server where recordings are stored.

  2. Locate and download the encrypted WAV file associated with the test call from the directory /usr/share/freeswitch/cucmRecording/sessions.

  3. Attempt to play the downloaded file:

    • Expected Result: The file should not be playable, as it is encrypted.

Step 3: Playback via VRS Front End

  1. Log in to the VRS front end.

  2. Locate the test call recording in the application interface.

  3. Attempt to play the recording:

    • Expected Result: The file should be decrypted on-the-fly by the Decryption Service API and play correctly.

Step 4: Verify Metadata

  1. Check the metadata returned by the API.
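
The Step 2 check can be scripted over a whole directory instead of testing one file at a time. The following is an added example, not part of the VRS code base: it flags any file that still starts with a RIFF/WAVE header or whose bytes have low entropy. It assumes the Mixer Service encrypts the entire file, header included; the function names, the entropy threshold and the sample files are constructed for illustration.

```python
import math
import os
import struct
import tempfile
from collections import Counter
from pathlib import Path

def looks_like_plain_wav(head: bytes) -> bool:
    """True if the bytes start with a RIFF/WAVE container header."""
    return len(head) >= 12 and head[0:4] == b"RIFF" and head[8:12] == b"WAVE"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext of a reasonable size is close to 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def audit_recordings(directory, sample_size=65536, min_entropy=7.5):
    """Return {filename: verdict} for every regular file in directory."""
    results = {}
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            sample = fh.read(sample_size)
        if looks_like_plain_wav(sample):
            results[path.name] = "PLAINTEXT_WAV"    # playable as downloaded
        elif shannon_entropy(sample) < min_entropy:
            results[path.name] = "LOW_ENTROPY"      # not WAV, but not random-looking
        else:
            results[path.name] = "LOOKS_ENCRYPTED"
    return results

def build_sample_dir():
    """Constructed data: a plain WAV and a random blob standing in for ciphertext."""
    d = Path(tempfile.mkdtemp())
    pcm = b"\x00\x00" * 8000  # one second of silence, 8 kHz mono 16-bit
    header = (b"RIFF" + struct.pack("<I", 36 + len(pcm)) + b"WAVEfmt "
              + struct.pack("<IHHIIHH", 16, 1, 1, 8000, 16000, 2, 16)
              + b"data" + struct.pack("<I", len(pcm)))
    (d / "plain.wav").write_bytes(header + pcm)
    (d / "mixed.wav").write_bytes(os.urandom(16044))
    return d

if __name__ == "__main__":
    for name, verdict in audit_recordings(build_sample_dir()).items():
        print(f"{name}: {verdict}")
```

On the recording server, pass /usr/share/freeswitch/cucmRecording/sessions to audit_recordings. Very short files can score below the entropy threshold even when encrypted, so treat LOW_ENTROPY as a prompt for manual review.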


Known Limitations

  1. Hardcoded Key:

    • Security risk: The encryption key is hardcoded in the service code.

    • Recommendation: Transition to a secure key management solution.

  2. Direct File Access:

    • Encrypted files can be downloaded directly but are unplayable.

    • Recommendation: Restrict direct access to sensitive storage directories.

  • Changes in Deployment:
    Call encryption and decryption require no change to the overall deployment of the Mixer and API components, since the changes are in the code.

  • Technical Documentation
    The technical documentation for Encryption/Decryption is available at the link below.

https://expertflow-docs.atlassian.net/wiki/spaces/CT/pages/381452292
