Wire-Lists #46 – Leveraging Encryption With the 4 Key Policies

Social Media WireLists46 300pxDo you record reality TV, legal proceedings, corporate meetings, sports or other situations where you need to keep your audio signal away from prying ears? For those instances where your transmission needs to be kept secure, without sacrificing audio quality, Lectrosonics offers AES-256 encryption in our digital wireless systems. Receivers that support encryption are the DCHR, DSQD, M2Ra, DCR822, DSR4 and the DSR.

What Is AES-256?

The Advanced Encryption Standard (AES) is the only publicly-accessible, military-grade code available for protecting highly confidential data. AES uses symmetric key encryption to scramble the signal, and only those who have the corresponding key can decrypt it. AES-256, with a key length of 256 bits, supports the largest bit size over a small bandwidth and is nearly unbreakable via brute force approach.
An encryption key is first created in the receiver. The key is then synced with an encryption-capable digital transmitter, via the IR port. The audio will be encrypted and can only be decoded if both receiver and any associated transmitters have the matching encryption key. If you are trying to transmit an audio signal and the keys do not match, no sound will be heard.


CTR Mode

The Lectrosonics digital wireless systems uses CTR mode, which cleverly turns the encryption algorithm on its head, encrypting a counter (which never repeats), and then using that encrypted counter value as a "key" to encrypt the audio. This counterintuitive method offers several important advantages. One is that we are able to ensure that no counter value is reused over the entire life of the equipment, thus slamming the door on differential attacks. Another is that no latency is added by the encryption system, because counter values can be encrypted in advance.

The Four Key Policies

Depending on the level of security that you need (and depending on the receiver you are using), there are four possible options to consider. You will find these in the top level IR Sync and Encryption Menu of each unit

Universal -The default setting on all encryption-capable Lectrosonics units. A unique key does not have to be created for each situation. Simply set the transmitter and receiver to Universal key type. This prevents someone with a scanner or a digital demodulator from decoding the audio, but it is not as secure as setting a unique key.

Shared – Useful when you need multiple transmitters and receivers connected, but require more security (such as for sports coverage) than the Universal type. There is an unlimited number of shared keys available. Once a key is generated by the receiver and passed to a transmitter, it is then available to be shared by that transmitter and receivers via their IR ports.

Standard – A very high level of security. A unique key is created in the receiver that is then shared with its transmitters, but cannot be shared transmitter to transmitter, transmitter to receiver or receiver to receiver. The encryption keys are unique to the receiver, and there are only 256 key instances available to be transferred. The receiver tracks the number of keys generated and the number of times a key is transferred. Once a Standard key has been transferred 256 times, you will be alerted that a new key must be created.

Volatile –This key policy offers the highest level of security available in the AES-256 encryption. With the Volatile key policy in place, if the transmitter is turned off or the battery is replaced, the key needs to be re-sent from the receiver. If the receiver is powered off, the key is lost and a new one must be generated in the receiver and transferred to the transmitters.

Setting Up Key Policies, Generating Keys and Sync’ing Transmitters

1) Both your receiver and transmitters must be set to the same key policy. If you see “Key Mismatch” on one or more of your receiver channels, even though the frequency looks correct and you’re getting RF but no audio, this is the reason why.


2) For the Universal Key, if you haven’t changed the default settings, they are where you need them to be for this key. As mentioned, Universal is the default setting from the factory.

3) If the policy has been changed, you can manually reset it in the receiver by going to the IR Sync and Encryption Menu, choosing Encryption Key Management, selecting Universal as the key type, then pressing Menu/Select to confirm, then OK.

4) In your transmitter menu, scroll down to Key Type, then use the arrows to select Universal. Again, resetting either the transmitter or receiver to default settings will return the key type to Universal.


1) With the key policy set to Shared in both your transmitter and receiver, now you must generate a new key and transfer that key from the receiver to the transmitters you plan to use.

2) First, select the key type from Encryption Key Management, selecting Shared as the key type, then pressing Menu/ Select to confirm, then OK. You’ll see a message indicating that you need to generate a key. To do this, use the arrows to highlight the Create Key button, then select the Menu button to proceed. There will be a message that indicates that “all transmitters associated will require a new key.” Move the cursor to OK and press Menu select to confirm.

3) Now, along with syncing transmitters with frequency information, we must also send the key before the channels will work. The transmitter must also be set to Shared key

In the IR Sync and Navigation menu, go to Sync Key and press Menu Select to highlight the Send Key button. Hold the transmitter up to the IR window and press Menu/Select twice to send the key to the transmitter.

From here, additional receivers that are set to the Shared key policy can get the key from this transmitter. On these units, navigate to Sync Key and use the arrows to select “Get Key,” and press Menu/Select. The receiver will wait for the transmitter to send the key. The way to do this is to move down the main menu of the transmitter, past Key Type, past Wipe Key to Send Key. Press Menu/Select and you’ll see Share with an arrow pointing to the Up arrow button. Hold the transmitter IR window close (within a few inches) to the receiver IR window and press the Up button. You should see “success” on the receiver.


With the key policy set to Standard, as with Shared, you must first generate a new key, then send it to the transmitters.

1) Start by selecting the key type as Standard in your transmitter.

2) Next, navigate to IR sync and Encryption in in the receiver, then select Standard, followed by Menu/Select to confirm, then OK.

3) Generate a key the same way as you would for Shared.

The main difference between Shared and Standard is that now, the key that you created in the receiver can only be sent to the transmitters directly being used with it. It can’t be shared to any other devices, and while in Standard, a transmitter does not show Send Key in the menu.


This is the most robust encryption option available. If the transmitter is powered off, it must be re-sync’d. If the receiver is powered off, a new key must be generated and sent to the transmitter. In encryption terms, this is the “one time use” key management policy.

The process to create and send keys is identical to that for Standard and Shared.

We hope that this brief primer explains Encryption in a way that allows you to take the best advantage for your specific production situation. Still have questions? Reach out to us on our Facebook group, email our This email address is being protected from spambots. You need JavaScript enabled to view it. (Link to: ) or reach out through our new This email address is being protected from spambots. You need JavaScript enabled to view it..