The Security tab is used for managing key entries and device certificates for KNX Secure.
ETS projects with KNX Secure always require a project password. Without it, all keys in use would be readable in the exported project (on the Security tab or in the XML structure).
- ETS projects with KNX Secure enabled always require entry of the project password when the project is imported or opened.
- If a project that is currently not a KNX Secure project becomes one for the first time, for example because a KNX Secure device is added to it, a project password must be set (if none has been set yet).
KNX Secure types in the project
Both types of KNX Secure (KNX IP Secure and KNX Data Secure) can occur independently of one another (individually or jointly) in a KNX installation or in an ETS project. The basic rule is that devices can only communicate with one another if all devices involved 'speak the same language', i.e. use the same protocol.
Types of commissioning in the project
Secured KNX Secure devices can be commissioned by ETS in the same project, and independently of each other, alongside KNX Secure devices operating in plain mode and plain KNX devices (without KNX Secure).
KNX IP Secure
It is conceivable that individual IP devices communicate with one another in plain mode while all KNX IP Secure couplers are secured. These IP devices would then be unable to send or receive a telegram on any line located topologically below a secured KNX IP Secure coupler. This example presupposes that different routing multicast addresses are used.
KNX Data Secure
This is the normal case if, for example, parts of the lighting operate in plain mode and the door communication (access control) part is secured. Both partial areas use the same bus, but they are not functionally linked with each other (via Group Addresses).
Types of commissioning on the device
Runtime security (KNX IP Secure/KNX Data Secure) and commissioning security (at device level) can be combined for a KNX Secure device, e.g. secured commissioning of a device but plain communication of the same device at runtime.
If communication at runtime is secured, ETS always commissions the device in secured mode.
| KNX IP Secure | KNX Data Secure |
|---|---|
| Secured devices can only communicate with devices that are also secured. A mixture of secured KNX IP Secure couplers with KNX IP Secure devices in plain mode, or with plain KNX IP devices, does not work: the latter two cannot interpret secured telegrams. | Secured devices, or Group Addresses with security enabled, can only communicate with other KNX devices if all Group Objects of all these devices that are linked to such a Group Address also have security enabled (and therefore support KNX Data Secure). |
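The two rules above (plain and secured participants on the IP backbone cannot exchange telegrams; a Group Address with security enabled only works when every linked Group Object is secured too) can be checked automatically over a project model. The following is an added example, not ETS code or any KNX project file format; the device names, lines and Group Addresses are constructed sample data, and the data model is a simplification of what ETS actually stores.

```python
"""Consistency check for a mixed plain / KNX Secure project (added example).

Implements the two communication rules from the text: on the IP backbone a
secured (KNX IP Secure) participant and a plain participant cannot exchange
telegrams, and a Group Address with security enabled only works if every
Group Object linked to it has security enabled as well. All sample data is
constructed, not taken from a real project.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class IpDevice:
    name: str
    secured: bool                   # KNX IP Secure active at runtime
    sub_line: Optional[str] = None  # TP line below this device if it is a coupler


@dataclass
class GroupObject:
    device: str
    number: int
    secured: bool                   # object linked with KNX Data Secure enabled


@dataclass
class GroupAddress:
    address: str
    secured: bool                   # "security enabled" on the Group Address
    objects: List[GroupObject] = field(default_factory=list)


def ip_mismatches(devices: List[IpDevice]) -> List[Tuple[str, str, Optional[str]]]:
    """Pairs (plain device, secured device, line behind it) that cannot talk.

    A plain participant cannot interpret secured telegrams, so every secured
    participant is unreachable for it; if that participant is a coupler, the
    TP line below it is unreachable as well.
    """
    plain = [d for d in devices if not d.secured]
    secured = [d for d in devices if d.secured]
    return [(p.name, s.name, s.sub_line) for p in plain for s in secured]


def unreachable_lines(devices: List[IpDevice]) -> Dict[str, List[str]]:
    """Map each plain IP device to the lines it can no longer reach."""
    result: Dict[str, List[str]] = {}
    for plain_name, _, line in ip_mismatches(devices):
        if line is not None:
            result.setdefault(plain_name, []).append(line)
    return result


def data_secure_violations(ga: GroupAddress) -> List[GroupObject]:
    """Group Objects on a secured Group Address without security enabled.

    Such an object makes the Group Address unusable: the secured devices
    never accept its plain telegrams and it cannot decrypt theirs.
    """
    if not ga.secured:
        return []
    return [o for o in ga.objects if not o.secured]


def check_project(devices: List[IpDevice], group_addresses: List[GroupAddress]) -> List[str]:
    """Human-readable findings; an empty list means the mix is consistent."""
    findings = []
    for dev, lines in unreachable_lines(devices).items():
        findings.append(f"{dev} (plain) cannot reach line(s) {', '.join(lines)} "
                        "behind secured KNX IP Secure couplers")
    for ga in group_addresses:
        for obj in data_secure_violations(ga):
            findings.append(f"GA {ga.address} is secured but object {obj.number} "
                            f"of {obj.device} is plain")
    return findings


# Constructed sample: two secured IP Secure couplers, one secured and one plain IP device.
SAMPLE_DEVICES = [
    IpDevice("Router line 1", secured=True, sub_line="1.1"),
    IpDevice("Router line 2", secured=True, sub_line="1.2"),
    IpDevice("Touch panel", secured=True),
    IpDevice("Legacy visualisation", secured=False),
]

# Constructed sample: lighting stays plain, door communication is secured, but a
# plain visualisation object was linked to the secured door GA by mistake.
SAMPLE_GAS = [
    GroupAddress("1/0/1", secured=False, objects=[
        GroupObject("Push button", 1, secured=False),
        GroupObject("Switch actuator", 3, secured=False),
    ]),
    GroupAddress("2/0/1", secured=True, objects=[
        GroupObject("Door station", 5, secured=True),
        GroupObject("Door opener", 2, secured=True),
        GroupObject("Legacy visualisation", 7, secured=False),
    ]),
]

if __name__ == "__main__":
    for finding in check_project(SAMPLE_DEVICES, SAMPLE_GAS):
        print(finding)
```

Run stand-alone, the sample reports that the plain visualisation cannot reach lines 1.1 and 1.2 behind the secured couplers, and that its object 7 breaks the secured door Group Address 2/0/1; the plain lighting Group Address 1/0/1 is untouched, which is exactly the "same bus, not functionally linked" situation described for KNX Data Secure.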
Manage Device Certificates
This function allows the export of the complete key dataset (keyring) of the associated project so that it can be used in a visualization, for example, or archived separately (outside of the project).
- A password for protecting the security-relevant data in the export file is required; it is requested before the export (the file itself is not encrypted, only the security-relevant data within it is encrypted with this password).
- The same password guidelines apply as for the project password.
Devices that support KNX Secure require additional information for secure commissioning: the device certificate, which the manufacturer supplies together with the device.
- A device certificate contains the serial number (6 bytes) and the factory key (FDSK, 16 bytes) of a KNX Secure device, combined into a single certificate string.
- The assignment of a device certificate, or of the factory key it contains, to a device in the project is ultimately made via the serial number (see the third entry in the table below).
The following information is displayed in the table in ETS.
| Column | Meaning |
|---|---|
| Serial Number | Unique hardware ID of the device. |
| Factory Key (FDSK) | Initial key set in the factory (Factory Default Setup Key); different for every KNX Secure device. |
| Individual Address and name of the device | Initially blank after the certificate is imported. When a device is used in a project and downloaded for the first time, the serial number read from the device is compared with those of the imported device certificates. On a match, the Individual Address and the name of the device are shown here. |
The device certificates are handled via the Device Certificate toolbar.
| Button | Function |
|---|---|
| Add | Opens the add certificate dialog so that a certificate can be added. |
| Delete | Deletes the selected certificate. Deletion is disabled if the corresponding device has already been securely downloaded, because ETS needs to preserve the initial factory key, e.g. for reprogramming after a device reset. |
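The certificate table and its toolbar rules (the certificate string splits into serial number and FDSK, the device is matched by the serial number read during the first download, and a certificate cannot be deleted once its device has been securely downloaded) are easy to model in code. The block below is an added example, not ETS code. It assumes a label layout the page does not spell out: the certificate string is the Base32 encoding of the 6-byte serial number followed by the 16-byte FDSK, 36 characters printed in six groups of six separated by dashes; check that against the KNX specification for your devices before relying on it. All serial numbers and keys are constructed values.

```python
"""Device certificate bookkeeping as on the Security tab (added example).

Assumed label format (not stated on the page): the certificate string is the
Base32 encoding of the 6-byte serial number followed by the 16-byte FDSK,
36 characters in six groups of six separated by dashes. All serial numbers
and keys below are constructed, not real device keys.
"""
import base64
import binascii
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERIAL_LEN = 6
FDSK_LEN = 16
CERT_CHARS = 36  # ceil(22 bytes * 8 / 5) Base32 characters, padding removed


def make_certificate(serial: bytes, fdsk: bytes) -> str:
    """Build the printed string from its two parts (assumed layout)."""
    if len(serial) != SERIAL_LEN or len(fdsk) != FDSK_LEN:
        raise ValueError("serial must be 6 bytes and FDSK 16 bytes")
    raw = base64.b32encode(serial + fdsk).decode("ascii").rstrip("=")
    return "-".join(raw[i:i + 6] for i in range(0, CERT_CHARS, 6))


def parse_certificate(text: str) -> Tuple[bytes, bytes]:
    """Split a certificate string into (serial, FDSK).

    Tolerates dashes, spaces and lower case as typed by a user; strict about
    length and alphabet so a mistyped label is rejected rather than imported.
    """
    compact = "".join(ch for ch in text.upper() if ch not in "- ")
    if len(compact) != CERT_CHARS:
        raise ValueError(f"expected {CERT_CHARS} characters, got {len(compact)}")
    try:
        data = base64.b32decode(compact + "====")  # restore the Base32 padding
    except binascii.Error as exc:
        raise ValueError("certificate is not valid Base32") from exc
    return data[:SERIAL_LEN], data[SERIAL_LEN:]


def is_valid_certificate(text: str) -> bool:
    try:
        parse_certificate(text)
        return True
    except ValueError:
        return False


@dataclass
class CertificateEntry:
    serial: bytes
    fdsk: bytes
    individual_address: Optional[str] = None  # blank until the device is matched
    name: Optional[str] = None
    securely_downloaded: bool = False


class CertificateStore:
    """Rows of the device certificate table, keyed by serial number."""

    def __init__(self) -> None:
        self._entries: Dict[bytes, CertificateEntry] = {}

    def add(self, certificate: str) -> CertificateEntry:
        serial, fdsk = parse_certificate(certificate)
        if serial in self._entries:
            raise ValueError(f"certificate for serial {serial.hex()} already imported")
        entry = CertificateEntry(serial, fdsk)
        self._entries[serial] = entry
        return entry

    def on_initial_download(self, serial_from_device: bytes, individual_address: str,
                            name: str) -> Optional[CertificateEntry]:
        """Assignment via the serial number read from the device on first download."""
        entry = self._entries.get(serial_from_device)
        if entry is None:
            return None  # no matching certificate: no FDSK available for this device
        entry.individual_address = individual_address
        entry.name = name
        entry.securely_downloaded = True
        return entry

    def delete(self, serial: bytes) -> bool:
        """Refused once the device was securely downloaded: the initial FDSK must
        stay available, e.g. for reprogramming after a device reset."""
        entry = self._entries.get(serial)
        if entry is None or entry.securely_downloaded:
            return False
        del self._entries[serial]
        return True

    def rows(self) -> List[Tuple[str, str, str, str]]:
        """(serial, FDSK, individual address, name); a real UI should mask the FDSK."""
        return [(e.serial.hex().upper(), e.fdsk.hex().upper(),
                 e.individual_address or "", e.name or "")
                for e in self._entries.values()]


# Constructed sample values (not real device keys).
SAMPLE_SERIAL = bytes.fromhex("00FA00000001")
SAMPLE_FDSK = bytes.fromhex("00112233445566778899AABBCCDDEEFF")

if __name__ == "__main__":
    cert = make_certificate(SAMPLE_SERIAL, SAMPLE_FDSK)
    store = CertificateStore()
    store.add(cert)
    store.on_initial_download(SAMPLE_SERIAL, "1.1.5", "Door station")
    print(cert, store.rows(), "delete allowed:", store.delete(SAMPLE_SERIAL))
```

The store deliberately keys on the raw serial number rather than on the Individual Address: the address is assigned by the project and can change, while the serial number is what ETS reads back from the hardware and compares against the imported certificates. Note that `rows()` returns the FDSK in clear, which is why a keyring export or a project file containing these entries must be password protected as described above.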