Secure Call Routing Through a Romania-Hosted PBX
Secure call routing means SIP signalling over TLS, RTP media over SRTP, and, optionally, ZRTP at the endpoints for human-verified key exchange. A Romania-hosted PBX gives you EU peering and a jurisdiction without blanket data retention, which is the right combination for organisations that want encrypted-by-default voice without leaving the EU networking fabric.
What Secure Routing Looks Like
Three layers: SIP over TLS (port 5061) to protect signalling metadata in transit, SRTP for media encryption, and optionally ZRTP at the endpoint pair for key agreement that bypasses any infrastructure key escrow. Asterisk supports the first two natively. ZRTP requires endpoint support (Jitsi Desktop, Linphone, some Snom and Yealink phones).
What this protects against: passive network observers, carrier-side metadata harvesting (for the leg covered by TLS), and opportunistic media interception. What it does not protect against: the PBX operator having access to media if SRTP terminates at the PBX, and lawful access compelled at the PBX.
TLS Certificate Hygiene
We provision Let's Encrypt certificates by default for SIP TLS. For organisations that want their own CA or commercial certs, we install custom material. Cipher suites are tuned for TLS 1.3 with AEAD ciphers. A TLS 1.2 fallback for SIP is supported for legacy endpoints but disabled in strict mode.
SRTP and ZRTP
SRTP is keyed via SDES (default) or DTLS-SRTP (WebRTC compatible). For end-to-end key agreement bypassing the PBX, ZRTP runs between endpoint pairs without involving the server. Asterisk passes ZRTP through transparently when it does not need to transcode media.
Constraint: transcoding (for example, Opus to G.711) breaks end-to-end SRTP and ZRTP because the PBX must decrypt to transcode. Use matching codecs end-to-end if you need true end-to-end encryption.
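The transcoding constraint can be checked from the SDP each endpoint offers on its leg of the call. This is an added example, not code from the original page or from Asterisk; the function names, result keys and the trimmed sample SDP bodies are assumptions made for illustration.

```python
import re

# Static RTP payload types (RFC 3551) that may appear without a=rtpmap.
STATIC_PT = {"0": "PCMU", "8": "PCMA", "9": "G722", "18": "G729"}
# Constructed, trimmed SDP bodies (not captured traffic; key and hash are placeholders).
OPUS_ZRTP = """v=0
m=audio 40000 RTP/SAVP 111
a=rtpmap:111 opus/48000/2
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER
a=zrtp-hash:1.10 PLACEHOLDER"""
G711_SDES = """v=0
m=audio 40002 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER"""

def parse_audio(sdp):
    """Return transport profile, codecs and keying hints for the first audio stream."""
    proto, pts, rtpmap, keying = None, [], {}, set()
    seen_media = in_audio = False
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("m="):
            if in_audio:
                break  # only the first audio section is examined
            seen_media, in_audio = True, line.startswith("m=audio")
            if in_audio:
                _, _, proto, *pts = line[2:].split()
        elif seen_media and not in_audio:
            continue  # attribute belongs to a non-audio stream
        elif m := re.match(r"a=rtpmap:(\d+) ([^/]+)/", line):
            rtpmap[m.group(1)] = m.group(2).upper()
        elif line.startswith("a=crypto:"):
            keying.add("SDES")
        elif line.startswith("a=fingerprint:"):
            keying.add("DTLS-SRTP")
        elif line.startswith("a=zrtp-hash:"):
            keying.add("ZRTP")  # endpoint signals ZRTP support (RFC 6189)
    codecs = {rtpmap.get(pt) or STATIC_PT.get(pt, "PT" + pt) for pt in pts}
    return {"proto": proto, "codecs": codecs - {"TELEPHONE-EVENT"}, "keying": keying}

def assess(leg_a_sdp, leg_b_sdp):
    """Compare the offers two endpoints send to the PBX, one per call leg."""
    a, b = parse_audio(leg_a_sdp), parse_audio(leg_b_sdp)
    common = a["codecs"] & b["codecs"]
    return {
        "hop_by_hop_srtp": all("SAVP" in (x["proto"] or "") for x in (a, b)),
        "common_codecs": sorted(common),
        "pbx_must_transcode": not common,
        # ZRTP end to end needs support on both endpoints and no transcoding.
        "e2e_candidate": bool(common) and all("ZRTP" in x["keying"] for x in (a, b)),
    }
```

A result with `pbx_must_transcode` set means the two endpoints share no codec, so the PBX has to decrypt media to bridge the call regardless of how each leg is keyed.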
Romania Profile
EU peering, no blanket data retention, NVMe storage. Voice-grade VPS: 2-8 EPYC vCPU, 4-32GB ECC, 50-500GB NVMe, 1Gbps. CPU overhead for SRTP is roughly 10-15% over plain RTP.
Threat Model Honesty
Secure routing reduces network-observer visibility. It does not turn a PBX into Signal. If your threat model includes the PBX operator, ZRTP between endpoints is mandatory and the PBX must not transcode.