KNX Data Secure: Application-Layer Encryption for Sensitive Group Addresses and Actuators
KNX Data Secure encrypts individual telegrams directly on the KNX TP bus — protecting sensitive group address communication at the application layer regardless of the physical medium or IP backbone security configuration. It is the appropriate security measure wherever physical access to the TP bus is a realistic threat.
KNX Data Secure overview
KNX Data Secure applies AES-128-CBC encryption and HMAC-SHA256 authentication at the KNX application layer — meaning individual KNX TP telegrams on the bus are encrypted. This is distinct from KNX IP Secure, which encrypts KNXnet/IP packets on the Ethernet backbone but leaves TP bus telegrams in plaintext.
| Feature | KNX Data Secure | KNX IP Secure |
|---|---|---|
| Protects | KNX TP bus telegrams (application layer) | KNXnet/IP packets (IP layer) |
| Algorithm | AES-128-CBC + HMAC-SHA256 | AES-128-CBC + HMAC-SHA256 |
| Key scope | Per-device unique key | Backbone key (project-wide) |
| Physical threat | Physical bus access | Ethernet network access |
| Backwards compatible | Yes — non-Secure devices coexist on same bus | No — all IP routers must support Secure |
Threats mitigated by Data Secure: eavesdropping on TP bus using a clip-on bus monitor (attacker needs physical access to cable tray or junction box), telegram injection by an attacker who has connected a malicious KNX device to the bus, and malicious devices added to the TP line that attempt to control secured actuators. Without Data Secure: any KNX device on the bus can send write telegrams to any group address, including door lock control group addresses.
Use cases: when Data Secure is required
KNX Data Secure is not required for all circuits — it adds telegram overhead and requires compatible devices on both sender and receiver sides. Prioritise Data Secure for circuits where an unauthorised telegram could have physical safety or security consequences.
Data Secure strongly recommended
- Access control actuators (door lock relay, electric strike, magnetic lock)
- Alarm panel KNX interface (arm/disarm commands)
- CCTV NVR KNX trigger (recording enable/disable)
- Fire shutter and smoke damper KNX interfaces
- Evacuation lighting KNX control
- Government and banking installations — all actuators
Data Secure rarely needed
- Standard office or residential lighting control (low risk)
- HVAC temperature setpoint control (low safety impact)
- Blind/shutter position control (privacy concern, not safety)
- Scene control buttons in non-restricted areas
- Energy metering group addresses (read-only, no actuator)
Compatible devices
KNX Data Secure requires both the sending device (push-button or logic controller) and the receiving device (actuator) to be Data Secure capable. An encrypted telegram from a Secure push-button cannot be acted upon by a non-Secure actuator — the actuator discards it as an unrecognised format.
Data Secure capable device examples
Switch actuators:
- MDT AKS-0816.02 — 8×16A Data Secure switch actuator
- MDT AKS-0424.02 — 4×16A Data Secure switch actuator
- Gira 2094-00 — 8-channel Data Secure switch actuator
- ABB SA/S 8.10.2.2 — 8×10A switch actuator with Data Secure
Push-buttons / inputs:
- Gira 2093-00 — Push-button with Data Secure support
- MDT BE-GT2W.02 — Glass push-button with Data Secure
- ABB M4120-01 — 4-gang binary input with Data Secure
Logic / coupling:
- Gira X1 — Logic processor and gateway with Data Secure
- MDT SCN-IP100.02 — IP router with Data Secure gateway function
- Weinzierl KNX IP Interface 740 — with Data Secure support
Check: look for the KNX Secure logo (lock icon) in the device datasheet. In ETS6, Data Secure capable devices show a padlock icon in the device catalog and in the device properties panel.
ETS6 Data Secure configuration
Data Secure is configured in ETS6 on a per-device basis. ETS6 generates unique random keys for each device and downloads them during the standard Full Device Configuration process. Keys are write-only — they cannot be read back from a commissioned device for security reasons.
ETS6 Data Secure device configuration
Per-device configuration in ETS6:
- Select the device in the topology → Properties panel → Security tab → Data Secure: Enable (checkbox ON)
- Tool access code: set a 6-digit code (prevents unauthorised ETS6 parameter access to this device without the code)
- Key: generated automatically by ETS6 (unique per device)
Key properties:
- Generated: 128-bit random key per device
- Stored: in the ETS6 project file (encrypted)
- Downloaded: to the device during Full Device Configuration
- Cannot be read back: the device stores the key in write-only memory
- If the key is lost: factory reset the device to clear it, then re-download with a new key from ETS6
Tool access code usage:
- Required when accessing device parameters in ETS6 (prevents unauthorised configuration changes on-site)
- Store tool access codes in a password manager
- Document them in the commissioning record (access-restricted copy)
Group address security levels
ETS6 allows each group address to be individually assigned a security level. This enables selective application of encryption: only the sensitive group addresses are protected, while non-sensitive addresses stay unencrypted to minimise telegram overhead.
| Security level | Protection | Overhead | Recommended for |
|---|---|---|---|
| None | No security — standard KNX telegram | None (+0 bytes) | Legacy compatibility, non-sensitive values (basic lighting) |
| Authenticated | HMAC-SHA256 integrity only, no encryption | +4 bytes auth tag, +6 bytes seq | Temperature sensor values, energy readings — integrity without confidentiality |
| Confidential | AES-128-CBC encryption + HMAC-SHA256 auth | +10 bytes total overhead | Door lock control, alarm arm/disarm, access control — highest protection |
Recommended security level assignment: access control group addresses (door lock, gate control, electric strike) — Confidential. Alarm system GAs (arm, disarm, panic) — Confidential. Temperature setpoint GAs — Authenticated (prevent tampering without full encryption overhead). Standard lighting on/off GAs — None (no practical security benefit, avoids overhead).
Mixed Secure and non-Secure on the same bus
KNX Data Secure devices and standard non-Secure devices can coexist on the same KNX TP line without interference. This backwards compatibility enables incremental security upgrades — starting with the highest-risk circuits while leaving others on standard non-Secure devices.
Mixed bus operation rules
Secured GAs (Confidential or Authenticated):
- Only Data Secure devices with the correct key can send and receive
- Non-Secure devices receive the encrypted telegram but cannot decrypt it → the device ignores the telegram (no action)
Non-secured GAs (None security level):
- Both Secure and non-Secure devices participate normally
- Standard KNX telegram, no overhead
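As an added illustration of these rules (not code from this page or from any KNX vendor), the toy Python model below shows why a keyed actuator accepts a genuine secured telegram, drops a replayed one and one built without the key, and why a non-Secure device takes no action. The frame layout, the 128-bit key and the device/group addresses are constructed; the tag follows the page's description (truncated HMAC-SHA256 over the telegram), not the real KNX Data Secure APDU format.

```python
import hashlib
import hmac
import struct

TAG_LEN = 4  # authentication tag bytes, from the page's overhead breakdown
SEQ_LEN = 6  # sequence number bytes, from the page's overhead breakdown

def build_secured_telegram(key: bytes, src: int, ga: int, seq: int, payload: bytes) -> bytes:
    """Constructed toy frame src|GA|seq|payload|tag (not the real KNX APDU layout);
    the tag is a truncated HMAC-SHA256 over the preceding bytes, as the page describes."""
    body = struct.pack(">HH", src, ga) + seq.to_bytes(SEQ_LEN, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class SecureActuator:
    """Data Secure capable actuator holding the group key for its secured GA."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # highest accepted sequence number per sender address
        self.state = None   # last accepted payload (b"\x01" = relay on)

    def receive(self, frame: bytes) -> str:
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        src = struct.unpack(">HH", body[:4])[0]
        seq = int.from_bytes(body[4:4 + SEQ_LEN], "big")
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # wrong key or altered bytes
            return "rejected: bad tag"
        if seq <= self.last_seq.get(src, -1):       # replay of an old telegram
            return "rejected: replay"
        self.last_seq[src] = seq
        self.state = body[4 + SEQ_LEN:]
        return "accepted"

class LegacyActuator:
    """Non-Secure device: cannot interpret a secured telegram, so it takes no action."""
    def receive(self, frame: bytes) -> str:
        return "ignored"

def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit group key
    door, old_light = SecureActuator(key), LegacyActuator()
    unlock = build_secured_telegram(key, src=0x1101, ga=0x0801, seq=1, payload=b"\x01")
    unkeyed = build_secured_telegram(b"\x00" * 16, 0x1101, 0x0801, 2, b"\x01")  # device never given the key
    return {
        "genuine": door.receive(unlock),      # accepted, door.state == b"\x01"
        "replayed": door.receive(unlock),     # rejected: replay
        "wrong_key": door.receive(unkeyed),   # rejected: bad tag
        "legacy": old_light.receive(unlock),  # ignored
    }
```

The same tag check also rejects a telegram whose bytes were altered in transit, which is the Authenticated level's integrity guarantee.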
Migration strategy for adding security incrementally:
- Phase 1: Add Data Secure actuators for access control circuits (replace existing door lock actuators with Data Secure models); update ETS6, download, test
- Phase 2: Replace the alarm panel KNX interface with a Secure version
- Phase 3: Add Secure push-buttons for access-controlled areas (non-Secure push-buttons on the same bus still work for non-secured GAs — lighting control unchanged)
Coexistence check:
- ETS6 topology scan: Secure devices show a padlock icon; non-Secure devices show no lock icon
- Group Monitor: secured GAs show encrypted status in ETS6 (ETS6 decodes them locally — other bus monitors see only encrypted telegrams)
Performance impact
KNX Data Secure adds telegram overhead in terms of both byte count and processing time. For most building automation applications, this overhead is imperceptible to users — the additional latency is well within the range of acceptable response times for switch actuator control.
Telegram overhead breakdown
- Authentication tag: 4 bytes (HMAC-SHA256 truncated)
- Sequence number: 6 bytes (replay protection counter)
- Total overhead: 10 bytes per secured telegram
- Standard KNX telegram max payload: 14 bytes
- Data Secure telegram max payload: 4 bytes (Confidential)
- For 1-bit switching (on/off): payload = 1 bit → overhead irrelevant
Response time impact
- Standard KNX telegram: 20–100ms end-to-end
- Data Secure additional processing: +5–15ms
- Total secured response: 25–115ms
- Human perception threshold for light switching: ~150ms
- Result: Data Secure overhead is imperceptible for switching
- For multi-telegram scenes: small cumulative delay — acceptable
Key management and backup
KNX Data Secure keys are stored exclusively in the ETS6 project file. If the project file is lost without backup, all commissioned Secure devices must be factory reset and reprogrammed — a major remediation effort on large installations. Backup discipline is the single most important operational requirement for Data Secure deployments.
Key management and backup requirements
ETS6 project backup (contains all Data Secure keys):
- Backup frequency: after every programming session (daily minimum)
- Backup format: encrypted .knxproj file (ETS6 native)
- Backup locations:
  - Primary: encrypted network share (RAID protected)
  - Secondary: encrypted cloud storage (Backblaze B2, AWS S3)
  - Tertiary: encrypted USB drive in a physically secure location
- Password: strong (minimum 20 characters), stored in a password manager
Test restore procedure (mandatory before handover):
- Restore the backup .knxproj to a second ETS6 installation
- Verify: all Data Secure devices are listed with keys
- Verify: Group Monitor shows decrypted telegrams after the restore
- Document: restore test date and result in the commissioning record
Loss recovery (ETS6 project lost, no backup):
- Each Data Secure device must be factory reset
- Factory reset: device-specific procedure (see datasheet)
- Effect: clears the Data Secure key AND the KNX application
- Reprogramming required: Full Device Configuration download
- Time estimate: 1 hour per 10 Data Secure devices; for a 50-device installation, estimated 5 hours minimum
Compliance and standards
KNX Data Secure can form part of the technical evidence for compliance with cyber security regulations applicable to buildings and their control systems. The specific applicability depends on building type and jurisdiction.
Relevant regulations and standards
- NIS2 Directive (EU 2022/2555): critical infrastructure buildings — document KNX security measures as part of cyber security management system
- UK Cyber Resilience for Connected Devices (PSTI Act 2024): buildings with connected automation systems
- IEC 62280: security for railway communication systems — referenced for transport infrastructure KNX
- ISO 27001: information security — KNX Data Secure as building system security control
Client security documentation
For government and critical infrastructure projects: prepare a KNX Data Secure implementation summary for client security review. Include: list of secured group addresses and security levels, device inventory with Data Secure status, ETS6 project backup procedure.
Provide ETS6 project excerpt (group address list with security levels) to client CISO for inclusion in risk register and security documentation. Do not include key values in any client-facing documentation.
Need KNX Data Secure for access control or safety-critical circuits?
We specify and commission KNX Data Secure actuators with ETS6 key management, group address security level assignment, and full commissioning documentation — suitable for NIS2-regulated buildings and government projects.