KNX Data Secure · AES-128 · TP bus · Group address security · ETS6

KNX Data Secure: Application-Layer Encryption for Sensitive Group Addresses and Actuators

KNX Data Secure encrypts individual telegrams directly on the KNX TP bus — protecting sensitive group address communication at the application layer regardless of the physical medium or IP backbone security configuration. It is the appropriate security measure wherever physical access to the TP bus is a realistic threat.

KNX Data Secure overview

KNX Data Secure applies AES-128-CBC encryption and HMAC-SHA256 authentication at the KNX application layer — meaning individual KNX TP telegrams on the bus are encrypted. This is distinct from KNX IP Secure, which encrypts KNXnet/IP packets on the Ethernet backbone but leaves TP bus telegrams in plaintext.

Feature               KNX Data Secure                               KNX IP Secure
Protects              KNX TP bus telegrams (application layer)      KNXnet/IP packets (IP layer)
Algorithm             AES-128-CBC + HMAC-SHA256                     AES-128-CBC + HMAC-SHA256
Key scope             Per-device unique key                         Backbone key (project-wide)
Physical threat       Physical bus access                           Ethernet network access
Backwards compatible  Yes — non-Secure devices coexist on same bus  No — all IP routers must support Secure

Threats mitigated by Data Secure:

  • Eavesdropping on the TP bus using a clip-on bus monitor (the attacker needs physical access to the cable tray or a junction box)
  • Telegram injection by an attacker who has connected a malicious KNX device to the bus
  • Malicious devices added to the TP line that attempt to control secured actuators

Without Data Secure, any KNX device on the bus can send write telegrams to any group address, including door lock control group addresses.

Use cases: when Data Secure is required

KNX Data Secure is not required for all circuits — it adds telegram overhead and requires compatible devices on both sender and receiver sides. Prioritise Data Secure for circuits where an unauthorised telegram could have physical safety or security consequences.

Data Secure strongly recommended

  • Access control actuators (door lock relay, electric strike, magnetic lock)
  • Alarm panel KNX interface (arm/disarm commands)
  • CCTV NVR KNX trigger (recording enable/disable)
  • Fire shutter and smoke damper KNX interfaces
  • Evacuation lighting KNX control
  • Government and banking installations — all actuators

Data Secure rarely needed

  • Standard office or residential lighting control (low risk)
  • HVAC temperature setpoint control (low safety impact)
  • Blind/shutter position control (privacy concern, not safety)
  • Scene control buttons in non-restricted areas
  • Energy metering group addresses (read-only, no actuator)

Compatible devices

KNX Data Secure requires both the sending device (push-button or logic controller) and the receiving device (actuator) to be Data Secure capable. An encrypted telegram from a Secure push-button cannot be acted upon by a non-Secure actuator — the actuator discards it as an unrecognised format.

Data Secure capable device examples

Switch actuators:
  MDT AKS-0816.02   — 8×16A Data Secure switch actuator
  MDT AKS-0424.02   — 4×16A Data Secure switch actuator
  Gira 2094-00      — 8-channel Data Secure switch actuator
  ABB SA/S 8.10.2.2 — 8×10A switch actuator with Data Secure

Push-buttons / inputs:
  Gira 2093-00      — Push-button with Data Secure support
  MDT BE-GT2W.02    — Glass push-button with Data Secure
  ABB M4120-01      — 4-gang binary input with Data Secure

Logic / coupling:
  Gira X1           — Logic processor and gateway with Data Secure
  MDT SCN-IP100.02  — IP router with Data Secure gateway function
  Weinzierl KNX IP Interface 740 — with Data Secure support

Check: KNX Secure logo (lock icon) in device datasheet
ETS6: Data Secure capable devices show padlock icon
in device catalog and in the device properties panel

ETS6 Data Secure configuration

Data Secure is configured in ETS6 on a per-device basis. ETS6 generates unique random keys for each device and downloads them during the standard Full Device Configuration process. Keys are write-only — they cannot be read back from a commissioned device for security reasons.

ETS6 Data Secure device configuration

Per-device configuration in ETS6:
  Select device in topology → Properties panel
  Security tab → Data Secure: Enable (checkbox ON)
  Tool access code: set a 6-digit code (prevents unauthorised
  ETS6 parameter access to this device without the code)
  Key: generated automatically by ETS6 (unique per device)

Key properties:
  Generated: 128-bit random key per device
  Stored: in ETS6 project file (encrypted)
  Downloaded: to device during Full Device Configuration
  Cannot be read back: device stores key in write-only memory
  If key lost: must factory reset device to clear it,
  then re-download with new key from ETS6

Tool access code usage:
  Required when accessing device parameters in ETS6
  (prevents unauthorised configuration changes on-site)
  Store tool access codes in password manager
  Document in commissioning record (access-restricted copy)

Group address security levels

ETS6 allows each group address to be assigned its own security level. This enables selective application of encryption — protecting only the sensitive group addresses while leaving non-sensitive addresses unencrypted to minimise telegram overhead.

Security levels:

None
  Protection:      No security — standard KNX telegram
  Overhead:        None (+0 bytes)
  Recommended for: Legacy compatibility, non-sensitive values (basic lighting)

Authenticated
  Protection:      HMAC-SHA256 integrity only, no encryption
  Overhead:        +4 bytes auth tag, +6 bytes seq
  Recommended for: Temperature sensor values, energy readings — integrity without confidentiality

Confidential
  Protection:      AES-128-CBC encryption + HMAC-SHA256 auth
  Overhead:        +10 bytes total overhead
  Recommended for: Door lock control, alarm arm/disarm, access control — highest protection

Recommended security level assignment:

  • Access control GAs (door lock, gate control, electric strike): Confidential
  • Alarm system GAs (arm, disarm, panic): Confidential
  • Temperature setpoint GAs: Authenticated (prevents tampering without full encryption overhead)
  • Standard lighting on/off GAs: None (no practical security benefit, avoids overhead)

Mixed Secure and non-Secure on the same bus

KNX Data Secure devices and standard non-Secure devices can coexist on the same KNX TP line without interference. This backwards compatibility enables incremental security upgrades — starting with the highest-risk circuits while leaving others on standard non-Secure devices.

Mixed bus operation rules

Secured GAs (Confidential or Authenticated):
  Only Data Secure devices with correct key can send/receive
  Non-Secure devices receive encrypted telegram → cannot decrypt
  → Non-Secure device ignores the telegram (no action)

Non-secured GAs (None security level):
  Both Secure and non-Secure devices participate normally
  Standard KNX telegram — no overhead

Migration strategy for adding security incrementally:
  Phase 1: Add Data Secure actuators for access control circuits
           (replace existing door lock actuators with Data Secure models)
           Update ETS6, download, test
  Phase 2: Replace alarm panel KNX interface with Secure version
  Phase 3: Add Secure push-buttons for access-controlled areas
           (non-Secure push-buttons on same bus still work for
           non-secured GAs — lighting control unchanged)

Coexistence check:
  ETS6 topology scan: Secure devices show padlock icon
  Non-Secure devices show no lock icon
  Group Monitor: secured GAs show encrypted status in ETS6
  (ETS6 decodes them locally — other bus monitors see encrypted)
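The security level table and the mixed bus rules above can be checked mechanically before a download. The following is an added example (not code from the page or from any KNX vendor or ETS6): a pre-download check over a constructed ETS6-style export that applies the page's rules, namely that secured GAs need Data Secure capable devices at both ends, that the 10-byte overhead must leave room for the payload within the 14-byte maximum, and that access control and alarm GAs should be Confidential. Device names are the page's examples; the group addresses, wiring and `Device`/`GroupAddress` structures are assumptions.

```python
from dataclasses import dataclass

MAX_PAYLOAD = 14  # standard KNX telegram max payload in bytes, as stated on the page
# Overhead per security level as the page states it (4-byte auth tag + 6-byte sequence number)
OVERHEAD = {"None": 0, "Authenticated": 10, "Confidential": 10}
# GA categories the page assigns the Confidential level
MUST_BE_CONFIDENTIAL = {"access_control", "alarm"}


@dataclass
class Device:
    name: str
    data_secure: bool       # True if the datasheet carries the KNX Secure lock logo


@dataclass
class GroupAddress:
    ga: str
    category: str           # e.g. "access_control", "alarm", "lighting", "temperature"
    level: str              # "None", "Authenticated" or "Confidential"
    payload_bytes: int      # DPT size in whole bytes (a 1-bit DPT is counted as 1)
    sender: str
    receivers: list


def check_project(devices, gas):
    """Return (ga, problem) tuples for every rule violation found."""
    by_name = {d.name: d for d in devices}
    findings = []
    for g in gas:
        if g.level not in OVERHEAD:
            findings.append((g.ga, f"unknown security level {g.level!r}"))
            continue
        if g.payload_bytes + OVERHEAD[g.level] > MAX_PAYLOAD:
            findings.append((g.ga, f"{g.payload_bytes} B payload + {OVERHEAD[g.level]} B "
                                   f"overhead exceeds {MAX_PAYLOAD} B"))
        if g.level != "None":
            # Mixed bus rule: a non-Secure device cannot decrypt and silently ignores the telegram
            for name in [g.sender, *g.receivers]:
                if not by_name[name].data_secure:
                    findings.append((g.ga, f"{name} is not Data Secure capable and will ignore secured telegrams"))
        if g.category in MUST_BE_CONFIDENTIAL and g.level != "Confidential":
            findings.append((g.ga, f"{g.category} GA must be Confidential, is {g.level}"))
    return findings


def sample_findings():
    """Constructed project (assumption): secure devices from the page's list plus two legacy devices."""
    devices = [Device("Gira 2093-00", True), Device("MDT AKS-0816.02", True), Device("Gira X1", True),
               Device("Legacy switch actuator", False), Device("Legacy temp sensor", False)]
    gas = [
        GroupAddress("1/0/1", "access_control", "Confidential", 1, "Gira 2093-00", ["MDT AKS-0816.02"]),
        GroupAddress("1/0/2", "alarm", "None", 1, "Gira 2093-00", ["Gira X1"]),             # wrong level
        GroupAddress("2/0/1", "temperature", "Authenticated", 2, "Legacy temp sensor", ["Gira X1"]),  # legacy sender
        GroupAddress("3/0/1", "lighting", "None", 1, "Gira 2093-00", ["Legacy switch actuator"]),
        GroupAddress("4/0/1", "display_text", "Confidential", 14, "Gira X1", ["MDT AKS-0816.02"]),   # no room
    ]
    return check_project(devices, gas)
```

Running `sample_findings()` reports three problems (1/0/2, 2/0/1 and 4/0/1) and passes the two correctly configured GAs.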

Performance impact

KNX Data Secure adds telegram overhead in terms of both byte count and processing time. For most building automation applications, this overhead is imperceptible to users — the additional latency is well within the range of acceptable response times for switch actuator control.

Telegram overhead breakdown

  • Authentication tag: 4 bytes (HMAC-SHA256 truncated)
  • Sequence number: 6 bytes (replay protection counter)
  • Total overhead: 10 bytes per secured telegram
  • Standard KNX telegram max payload: 14 bytes
  • Data Secure telegram max payload: 4 bytes (Confidential)
  • For 1-bit switching (on/off): payload = 1 bit → overhead irrelevant

Response time impact

  • Standard KNX telegram: 20–100ms end-to-end
  • Data Secure additional processing: +5–15ms
  • Total secured response: 25–115ms
  • Human perception threshold for light switching: ~150ms
  • Result: Data Secure overhead is imperceptible for switching
  • For multi-telegram scenes: small cumulative delay — acceptable

Key management and backup

KNX Data Secure keys are stored exclusively in the ETS6 project file. If the project file is lost without backup, all commissioned Secure devices must be factory reset and reprogrammed — a major remediation effort on large installations. Backup discipline is the single most important operational requirement for Data Secure deployments.

Key management and backup requirements

ETS6 project backup (contains all Data Secure keys):
  Backup frequency: after every programming session (daily minimum)
  Backup format: encrypted .knxproj file (ETS6 native)
  Backup locations:
    Primary: encrypted network share (RAID protected)
    Secondary: encrypted cloud storage (Backblaze B2, AWS S3)
    Tertiary: encrypted USB drive in physically secure location
  Password: strong (minimum 20 chars) stored in password manager

Test restore procedure (mandatory before handover):
  Restore backup .knxproj to second ETS6 installation
  Verify: all Data Secure devices listed with keys
  Verify: Group Monitor shows decrypted telegrams after restore
  Document: restore test date and result in commissioning record

Loss recovery (ETS6 project lost, no backup):
  Each Data Secure device must be factory reset
  Factory reset: device-specific procedure (see datasheet)
  Effect: clears Data Secure key AND KNX application
  Reprogram required: Full Device Configuration download
  Time estimate: 1 hour per 10 Data Secure devices
  For 50-device installation: estimated 5 hours minimum

Compliance and standards

KNX Data Secure can form part of the technical evidence for compliance with cyber security regulations applicable to buildings and their control systems. The specific applicability depends on building type and jurisdiction.

Relevant regulations and standards

  • NIS2 Directive (EU 2022/2555): critical infrastructure buildings — document KNX security measures as part of cyber security management system
  • UK Cyber Resilience for Connected Devices (PSTI Act 2024): buildings with connected automation systems
  • IEC 62280: security for railway communication systems — referenced for transport infrastructure KNX
  • ISO 27001: information security — KNX Data Secure as building system security control

Client security documentation

For government and critical infrastructure projects: prepare a KNX Data Secure implementation summary for client security review. Include: list of secured group addresses and security levels, device inventory with Data Secure status, ETS6 project backup procedure.

Provide ETS6 project excerpt (group address list with security levels) to client CISO for inclusion in risk register and security documentation. Do not include key values in any client-facing documentation.

Need KNX Data Secure for access control or safety-critical circuits?

We specify and commission KNX Data Secure actuators with ETS6 key management, group address security level assignment, and full commissioning documentation — suitable for NIS2-regulated buildings and government projects.
