
Secure Media

Secure Media uses encryption to ensure that the call media and associated signaling remain private during transmission. Transport Layer Security (TLS) provides encryption for SIP signaling. Secure Real-time Transport Protocol (SRTP) provides encryption for call content/media packets.

SRTP provides a framework for the encryption of RTP and RTCP, but it does not itself define how keys are exchanged. RFC 4568, Session Description Protocol (SDP) Security Descriptions (SDES) for Media Streams, defines a protocol for exchanging the cryptographic material, using an SDP crypto attribute that it introduces.


You can enable or disable Secure Media in your SIP Domain. It is disabled by default.

You can expect the following:

  • Enabled: TLS must be used to encrypt SIP messages and SRTP must be used for the media packets. Any non-encrypted calls will be rejected.
  • Disabled: RTP must be used for media packets. SIP messages may be sent in the clear or using TLS. Any SRTP encrypted calls will be rejected.
  • SRTP supports the following crypto suites: AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32. Both may be included in an order of preference.
  • The optional master key identifier (MKI) parameter is not supported.
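The constraints above can be checked locally against an SDP offer before a trunk goes live. The following is an added example, not Twilio's code: `check_crypto_line`, `check_offer` and the sample offer are hypothetical, constructed names and data, and it assumes a single audio section offered as RTP/SAVP and treats any MKI field as a finding, since the page states only that MKI is not supported.

```python
import base64
import re

# Constraints stated on this page: two supported suites, MKI unsupported.
SUPPORTED_SUITES = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"}
KEY_SALT_LEN = 30  # AES_CM_128: 16-byte master key + 14-byte master salt
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:(\S+)")

def check_crypto_line(line):
    """Return (tag, suite, problems) for an a=crypto line, else None."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        return None
    tag, suite = int(m.group(1)), m.group(2)
    if suite not in SUPPORTED_SUITES:
        return tag, suite, ["unsupported suite"]
    key_b64, *extras = m.group(3).split("|")  # key||salt [|lifetime] [|MKI:length]
    problems = []
    try:
        if len(base64.b64decode(key_b64, validate=True)) != KEY_SALT_LEN:
            problems.append("key||salt is not 30 bytes")
    except ValueError:
        problems.append("key||salt is not valid base64")
    if any(":" in part for part in extras):  # only the MKI field contains ':'
        problems.append("MKI present")
    return tag, suite, problems

def check_offer(sdp):
    """Return (ok, chosen_suite, notes); assumes one audio section (assumption)."""
    lines = [l.strip() for l in sdp.splitlines()]
    savp = any(l.startswith("m=audio ") and " RTP/SAVP " in l for l in lines)
    notes = [] if savp else ["audio is not offered as RTP/SAVP"]
    chosen = None
    for tag, suite, problems in filter(None, map(check_crypto_line, lines)):
        if problems:
            notes.append(f"crypto tag {tag} ({suite}): " + ", ".join(problems))
        elif chosen is None:
            chosen = suite  # first clean line wins: offer order is preference order
    return savp and chosen is not None, chosen, notes

# Constructed sample data (not a real key or a captured offer).
KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_OFFER = "\n".join([
    "v=0", "o=- 0 0 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/SAVP 0",
    f"a=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:{KEY}",
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:{KEY}|2^20|1:4",
    f"a=crypto:3 AES_CM_128_HMAC_SHA1_32 inline:{KEY}|2^20",
])
```

Running `check_offer(SAMPLE_OFFER)` flags the first line for its suite and the second for its MKI field, and selects the third.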


To secure media on outbound SIP calls, ensure you configure the secure=true parameter as part of the SIP URI.

<?xml version="1.0" encoding="UTF-8"?>

The default port 5061 will be used for TLS.

  • Only a single crypto suite for SRTP will be included: AES_CM_128_HMAC_SHA1_80.
  • The optional master key identifier (MKI) parameter is not supported.

TLS/SRTP support with Asterisk

Asterisk ships by default with the chan_sip driver, which works well with Twilio. However, if you have some reason to run the PJSIP driver with Asterisk, please note the following:

Here is a guide to installing a non-bundled version of PJSIP. Change the version to 2.5.5 in the steps.

Asterisk 13.8 cert2 defaults to PJSIP 2.5 which will not work with Twilio for TLS/SRTP purposes. Non-encrypted calls will still work.

Make sure to use the latest PJSIP driver, which at this time is 2.5.5.

You may see the following message in your log:

ERROR[10886]: pjproject:0 <?>: tlsc0x7f217c03 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!

This message can be ignored.
