Bosch Building Technologies

    cancel
    Showing results for 
    Search instead for 
    Did you mean: 

    How to configure Bosch IP cameras for recorded video to be encrypted?

    Encrypting Edge Storage and Bosch IP Cameras

     

    Overview:


    All Bosch IP cameras that are equipped with a Micro SD can record at the edge. While video recorded via Bosch’s proprietary iSCSI format is none readable, many sites require any type of recorded video to be encrypted.

    Bosch video devices configured with firmware 7.70 and higher, provide AES-XTS block-based encryption. This encryption function is leveraged utilizing the device’s private AES encryption key. In devices up to CPP 7.3, this key is housed in the device’s Crypto Coprocessor. In newer CPP13 and 14 devices, the key is housed in the device’s Secure Element.

    Central_Support_0-1666270739922.png

     

     

    Since the media, or blocks, are encrypted with a private key, the camera is the only mechanism that can access encrypted data. This means all playbacks of the recoded video on the Camera’s Micro SD card must be accessed via the camera.

    Note: Older devices provided “whole disk” encryption utilizing the same key process.

     

    Prior to Starting:


    This document will focus on the “Block-based” encryption utilizing the following:

    o FLEXIDOME IP Starlight 8000i (CPP7.3) configured with firmware 7.85.0016 120 GB Class 10 MSD Card

    • Bosch Configuration Manager 7.60
    • Playback Testing: Bosch Video Security Client 3.3.3.44 (Local and Remote connections)
    • Remote Playback Testing: Bosch Remote Portal and Video Security Client

    This guide is intended for Bosch Certified Video technicians, or technicians who are familiar with Bosch Cameras, and Bosch Configuration Manager

    Note: On CPP13 devices up to 7.3, it is recommended to utilize firmware 7.85.0016 or higher.

     

    Step-by-step guide

     

    Crypto Coprocessor and Certificates:


    Initial certificate selection for edge encryption can vary based on the CPP of the camera, and the Crypto Coprocessor (CCP) or Secure Element the device is equipped with. Most newer devices manufactured with CCP version 6 or higher contain a “LunEncryptionKey” that will be displayed in Configuration Manager as “Internal Use Only” by default.

    Central_Support_1-1666270915446.pngCentral_Support_2-1666270939157.png

     

    Older Devices with a CCP3 will not be equipped with the LunEncryptionKey Certificate-Key pair. This means you will need to generate a self-signed certificate (1024 or 2048)

    Central_Support_3-1666270970612.png

     

    To configure a CCP 6 and higher device, utilizing the “Service and Certificates” submenu in Configuration Manager, simply select the “InternalUseOnly” certificate in the devices certificate store. In the “Usage” drop down menu select “Prim Record Encryption”. Save your work!

    Central_Support_4-1666271013042.png

     

    To configure a CCP 3 device, select the “Generate self-signed certificate” option
    • Select RSA 2048bit
    • Select “Create”


    Once the certificate has been created, select the “Prim Record Encryption” option as shown above. Save your work!

    Central_Support_5-1666271046823.png

     

    Camera Recording Settings and SD Card:


    To configure a camera to utilize a new MSD card for recording, use the “Recording and Recording Management” submenu in Configuration Manager.

    • In the “Preferred storage target type” dropdown menu, select the “SD card” option

    Central_Support_6-1666271072829.png

     

    New SD cards require formatting in order to configure them for iSCSI recording
    • Select the “Format” icon (gear) to start the formatting process

    Central_Support_7-1666271098663.png

     

    After the formatting process is complete, select the “Start” arrow to begin the recording process
    • Once the recording process has started, highlighting the red status indicator will display that the recording is encrypted via “padlock icon” next to “Recording 1”

    Central_Support_8-1666271125307.png

     

    The camera’s “Recording Status” web page will also indicate that the recording is encrypted via a “padlock” icon

    Central_Support_9-1666271154546.png

     

    Edge Encryption Playback: Video Security Client


    VSC can be utilized in several deployment scenarios; Local, remote, remote via the Cloud.

    As stated previously the default communications for software interaction is set to HTTPS / TLS 1.2.

    Depending on the Camera Platform (CPP) and firmware loaded on that platform, in combination with the deployment scenario, playback of encrypted video maybe slow to start, or fail. This can be caused by several factors

    • Network connectivity to the device: This effects the HTTPS certificate handshake time and the device loading the initial encrypted I-Frame to start playback
    • The device’s Resolution, base frame rate, and FPS of the recorded video vs connected bandwidth, if connecting remotely
    • The I-Frame Distance in the device’s encoder profile assigned to recording. Some devices are set to 255 by default, adjusting this to 60 or 30 can resolve issues.
    • GOP Structure: This should always be set to “IP”

    If dealing with UHD or MP cameras with high frame rates and bit rates, reducing the I-frame distance to 25 or lower can help resolve delayed playback issues based on the camera’s behavior

    Central_Support_10-1666271194360.png

     

    If reducing the above configurations does not resolve delayed or failing playback, the “Device Access” settings can be changed to RCP+.

    • This effects how applications communicate and negotiate with the device for services such as playback
    • Base communications and live video will still be via HTTPS TLS 1.2, as seen in the Wireshark capture below

    Central_Support_11-1666271228134.pngCentral_Support_12-1666271247007.png

    After Encryption has been configured and the recording process has been started, playback should be possible utilizing Video Security Client (VSC).

    Central_Support_13-1666271274645.png

     

    Edge Encryption Playback: Camera Web Interface


    When utilizing the device’s web interface to playback encrypted video on a “Locked Down” device, there are additional steps that must be taken in order to view playback

    • Default communications on all devices is set to HTTPS. This means the device’s HTTPS certificate must be added to the Windows Certificate store in order to be trusted

    Central_Support_14-1666271323398.png

    The simplest option is to utilize the Bosch Configuration Manager Micro CA, and create a Root certificate for the camera system. This process is detailed in the 2019 Lockdown guide and includes:

    • Creating a Certificate Signing Request on the video devices
    • Signing the CSR with the Root Certificate
    • Assigning the role of “HTTPS Server” to new certificate.

    The base result is a trusted relationship between the camera and the workstation.

    Central_Support_15-1666271352824.png
    Central_Support_16-1666271369705.png

     

    Version history
    Revision #:
    2 of 2
    Last update:
    ‎10-20-2022 03:11 PM
    Updated by:
     
    Contributors
    Icon--AD-black-48x48Icon--address-consumer-data-black-48x48Icon--appointment-black-48x48Icon--back-left-black-48x48Icon--calendar-black-48x48Icon--center-alignedIcon--Checkbox-checkIcon--clock-black-48x48Icon--close-black-48x48Icon--compare-black-48x48Icon--confirmation-black-48x48Icon--dealer-details-black-48x48Icon--delete-black-48x48Icon--delivery-black-48x48Icon--down-black-48x48Icon--download-black-48x48Ic-OverlayAlertIcon--externallink-black-48x48Icon-Filledforward-right_adjustedIcon--grid-view-black-48x48IC_gd_Check-Circle170821_Icons_Community170823_Bosch_Icons170823_Bosch_Icons170821_Icons_CommunityIC-logout170821_Icons_Community170825_Bosch_Icons170821_Icons_CommunityIC-shopping-cart2170821_Icons_CommunityIC-upIC_UserIcon--imageIcon--info-i-black-48x48Icon--left-alignedIcon--Less-minimize-black-48x48Icon-FilledIcon--List-Check-grennIcon--List-Check-blackIcon--List-Cross-blackIcon--list-view-mobile-black-48x48Icon--list-view-black-48x48Icon--More-Maximize-black-48x48Icon--my-product-black-48x48Icon--newsletter-black-48x48Icon--payment-black-48x48Icon--print-black-48x48Icon--promotion-black-48x48Icon--registration-black-48x48Icon--Reset-black-48x48Icon--right-alignedshare-circle1Icon--share-black-48x48Icon--shopping-bag-black-48x48Icon-shopping-cartIcon--start-play-black-48x48Icon--store-locator-black-48x48Ic-OverlayAlertIcon--summary-black-48x48tumblrIcon-FilledvineIc-OverlayAlertwhishlist