← All knowledge guidesKNX Security

KNX Secure Explained

Encryption and authentication for KNX. What IP Secure and Data Secure protect, and why it matters under the EU Cyber Resilience Act.

As buildings connect to networks and the internet, an unsecured automation bus becomes an attack surface. KNX Secure is the KNX Association's answer: standardised encryption and authentication that protect commands and configuration from eavesdropping and tampering. With the EU Cyber Resilience Act raising the baseline for connected products, KNX Secure is shifting from optional to expected on serious projects.

Why KNX needs security

An open bus is convenient — and exposed.

Classic KNX telegrams are unencrypted. On an isolated twisted-pair bus inside a private home that is rarely a practical risk, but the moment KNX is bridged to IP networks, Wi-Fi or remote access, unprotected traffic can be intercepted or injected.

KNX Secure adds confidentiality (encryption) and authenticity (only trusted devices are accepted), closing that gap without abandoning the KNX standard.

  • Classic KNX telegrams are sent in clear text
  • IP bridging / remote access widens the attack surface
  • KNX Secure adds encryption + authentication
  • Standardised by the KNX Association — interoperable

KNX Secure is part of the certified KNX standard — not a proprietary add-on. Secure and non-secure certified devices interoperate, but a function is only protected if all devices on it support and enable Secure.

Virasmart — certified Ekinex KNX partner

KNX IP Secure vs KNX Data Secure

Two complementary layers.

KNX IP Secure encrypts KNXnet/IP traffic — the tunnelling and routing that crosses IP networks between lines, buildings or remote sites. It wraps KNX in an encrypted channel so anything on the LAN/WAN cannot read or replay it.

KNX Data Secure protects at the telegram level on the bus itself: group communication is encrypted and authenticated end-to-end between devices, regardless of medium. The two are used together for defence in depth.

  • IP Secure — encrypts KNXnet/IP (tunnelling & routing)
  • Data Secure — encrypts/authenticates telegrams end-to-end
  • IP Secure protects the network path; Data Secure protects the data
  • Use both for layered protection
IP Secure scopeKNXnet/IP traffic
Data Secure scopeGroup telegrams
Configured inETS
Key materialDevice certificate / FDSK

Commissioning KNX Secure

Security is configured in ETS, with care around keys.

Secure devices ship with a Factory Default Setup Key (FDSK), usually printed as a code/QR on the device. During commissioning ETS reads the FDSK and manages per-project keys; the project file then holds sensitive key material and must be protected accordingly.

Plan Secure from the design stage: choose Secure-capable devices, record FDSKs, and protect the .knxproj. Retrofitting Secure later means re-commissioning affected devices.

  • Record each device's FDSK (printed code / QR) at install
  • ETS manages per-project keys and authentication
  • Protect the .knxproj — it holds key material
  • Specify Secure-capable devices from the design stage

KNX Secure and the EU Cyber Resilience Act

Regulation is raising the security baseline.

The EU Cyber Resilience Act (CRA) sets cybersecurity requirements for products with digital elements placed on the EU market, phasing in through the mid-2020s. Building-automation components fall within its scope, pushing security from a nice-to-have to a compliance expectation.

Specifying KNX Secure today future-proofs a project: it aligns with the regulatory direction and protects the owner's privacy and the building's safety functions.

  • CRA sets EU cybersecurity requirements for connected products
  • Building-automation devices fall in scope
  • Secure-by-design becomes the expectation, not the exception
  • Specifying Secure now future-proofs the installation

Planning a project where security matters — hospitality, commercial, or a privacy-conscious home? Virasmart designs KNX Secure installations across the Baltics. Talk to us early.

Securing a KNX project?

Virasmart designs and commissions KNX Secure installations — encryption, authentication and clean key management — for projects across the Baltics.