May 4, 2026

KNX Secure explained: when to enable signing and when to skip it

By Mohamed Ali, Founder

KNX Secure is a layer that adds AES-128 authentication and freshness to bus telegrams. It comes in two flavours. KNX Data Secure runs at the application layer and protects individual group addresses end-to-end, regardless of physical medium. KNX IP Secure protects backbone traffic between IP routers and tunneling clients.

The decision is straightforward. If the bus reaches places where physical access cannot be controlled (corridors, riser shafts, public balconies), enable Data Secure on the affected group addresses. If your KNXnet/IP routing crosses a hostile network segment such as a tenant LAN, enable IP Secure. For a private villa where the bus runs entirely inside locked technical rooms, the threat model is low and the gain from signing is small.

Performance: a Data Secure telegram is roughly 20 to 25 bytes longer than a standard one. On a busy bus that approaches its telegrams-per-second limit, the extra length matters. For a residential bus running at 5 to 30 telegrams per second on average, you will not notice.

Key management is the harder part. Every Secure device ships with a Factory Default Setup Key (FDSK), which appears as a sticker QR code or printed string. Scan it into ETS6 during commissioning so the project key set is sealed. Lose the FDSK and the device must be returned to the factory for re-keying.

A practical rule: enable Secure on access control, alarm, and remote management functions even on small projects. The hardware cost is the same and you keep the option open if requirements grow.
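The following is an added example, not code from the original article: it applies the selection rules above to a project inventory and estimates TP1 bus load before and after enabling Data Secure. The TP1 timing constants, the 9-byte plain telegram, the `GroupAddress` record and the sample project are assumptions; the 25-byte overhead is the upper end of the article's estimate.

```python
from dataclasses import dataclass

# Simplified TP1 timing model (assumptions, not figures from the article)
BIT_RATE = 9600                 # bit/s
BITS_PER_BYTE = 13              # 11-bit character plus 2-bit pause
FIXED_BITS = 15 + 13 + 50       # wait for ACK, ACK character, idle before next telegram
PLAIN_BYTES = 9                 # assumed short group-write telegram
SECURE_EXTRA_BYTES = 25         # article: "roughly 20 to 25 bytes longer" (upper end)


@dataclass
class GroupAddress:             # hypothetical planning record, not an ETS structure
    name: str
    telegrams_per_s: float
    exposed: bool               # bus reachable where physical access is uncontrolled
    critical: bool              # access control, alarm, remote management


def needs_secure(ga):
    """Article's rules: secure exposed segments and critical functions."""
    return ga.exposed or ga.critical


def telegram_seconds(n_bytes):
    """Bus time occupied by one telegram of n_bytes, including ACK and idle."""
    return (n_bytes * BITS_PER_BYTE + FIXED_BITS) / BIT_RATE


def bus_load(gas, secure=True):
    """Fraction of bus time in use (1.0 means saturated)."""
    load = 0.0
    for ga in gas:
        extra = SECURE_EXTRA_BYTES if secure and needs_secure(ga) else 0
        load += ga.telegrams_per_s * telegram_seconds(PLAIN_BYTES + extra)
    return load


# Constructed sample project
PROJECT = [
    GroupAddress("corridor lighting", 4.0, exposed=True, critical=False),
    GroupAddress("door access", 0.5, exposed=False, critical=True),
    GroupAddress("plant room HVAC", 8.0, exposed=False, critical=False),
]

if __name__ == "__main__":
    for ga in PROJECT:
        print(f"{ga.name:20} secure={needs_secure(ga)}")
    print(f"load without Secure: {bus_load(PROJECT, secure=False):.1%}")
    print(f"load with Secure:    {bus_load(PROJECT):.1%}")
```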
