Newbie questions: z-wave secure connection?

hi all,

I am in the process of redoing my z-wave/HA setup. I began by using a dedicated x86 computer with Debian 11 (using this guide: Installing Home Assistant Supervised on Debian 11). I also factory-reset all my devices, including Inovelli dimmers and Schlage Smart Connect Deadbolt.

During the installation, I left the security keys blank, as I thought they would be generated automatically for me.

The problem began when I tried to add all my z-wave devices one-by-one. All of them were added using the unsecured connection, as there were no options to add them securely. Furthermore, when I tried to add my Schlage deadbolt, while it can be added, the model/make were “unknown”, thus I was not able to add any integration/automations to it.

My questions are:

  • where can I find my network keys (if they were generated at all)?
  • how do I re-connect my z-wave devices from an insecure connection to a secure connection?

my main goal is to add the Schlage deadbolt to my HA, but I am not able to find a way to do so.

any help is very much appreciated,

You don’t - you create them. That’s unfortunate… You’ll have to create some keys and add them.

And you’ll have to exclude any device that NEEDs secure join.

Your locks - they require a secure join. You’ll have to exclude / add those. No choice. Your light switches, probably not…You will have to be the judge of that. Personally, the only things I join securely are exterior covers (i.e. Garage Doors) and Locks… If I were running ZWave Security sensors I’d also join them with security, but beyond locks, portals and access control… meh. Don’t need the overhead.

Thanks for the prompt reply! I was following this guide (Z-Wave - Home Assistant) which indicated that the keys are generated:

For new installations, network security keys will be automatically generated for you.

Can you shed some light on how to generate new keys after installation? Most of the guides I found were deprecated (i.e. not relevant to z-wave js),

regards,

If you are using the official Z-Wave JS Add-on, then yes, the keys are generated automatically. They will be visible in the add-on configuration.

The problem began when I tried to add all my z-wave devices one-by-one. All of them were added using the unsecured connection, as there were no options to add them securely.

The default inclusion strategy picks security if it’s supported. If a device supports S2, then it includes with S2 security. If not, then it only includes locks and barrier devices with S0. Lights and sensors are not included with security as that can severely reduce network performance. If your non-lock devices were not included securely, then that either means S2 is not supported, or the S2 bootstrapping failed. The latter event would produce a warning message after the inclusion. If there was no warning message, then S2 is not available for those devices.

Furthermore, when I tried to add my Schlage deadbolt, while it can be added, the model/make were “unknown”, thus I was not able to add any integration/automations to it.

Locks can be difficult to add, especially older ones. Those need to be added near the controller. “Unknown” could mean multiple things, either there were errors during the interview, or the device is missing from the device database. For the former, you’ll have to try inclusion again. Make sure the USB stick is connected to a USB extension cord and outside of a server rack if applicable.

again, really appreciate the near-realtime reply.

I am using Zooz 700 Series Z-Wave Plus S2 USB Stick ZST10 700, which I assumed to support S2 security because it is a 700-series device. You are right, when I added dimmer switches I did get a warning message after the inclusion.

Can you please elaborate what you mean by S2 bootstrapping failed, and how to correct it? I don’t mind re-installing HA at this point as it is a learning process for me, and I can manage re-adding 20+ at this point.

regards,

I am using Zooz 700 Series Z-Wave Plus S2 USB Stick ZST10 700, which I assumed to support S2 security because it is a 700-series device. You are right, when I added dimmer switches I did get a warning message after the inclusion.

The end devices need to support S2. On the controller side, it’s the software (Z-Wave JS) that implements S2.

Can you please elaborate what you mean by S2 bootstrapping failed, and how to correct it?

If there are any timeouts or communication errors during the S2 security bootstrapping process, the entire sequence is aborted and the device is included insecurely. The only solution is to leave it insecure, or re-include it.
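The default inclusion behaviour described in the replies above, turned into an audit of which nodes ended up without the security they should have. This is an added example, not code from the thread or from Z-Wave JS; the node fields (`deviceType`, `supportsS2`, `security`), the action labels and the sample inventory are assumptions made for illustration.

```javascript
// Added illustration: models the inclusion behaviour described in this thread.
// Not Z-Wave JS source code; the node fields below are hypothetical.

// Device types the thread says must be joined securely.
const NEEDS_SECURITY = new Set(["lock", "barrier"]);

// Security level the default strategy aims for, per the description above.
function expectedSecurity(node) {
  if (node.supportsS2) return "S2";                      // S2 is used whenever supported
  if (NEEDS_SECURITY.has(node.deviceType)) return "S0";  // S0 only for locks and barriers
  return "none";                                         // lights and sensors stay insecure
}

// Compare what a node actually got with what the strategy aims for.
function auditNode(node) {
  const expected = expectedSecurity(node);
  const result = { name: node.name, expected, actual: node.security };
  if (node.security === expected) return { ...result, action: "ok" };
  if (node.security !== "none") return { ...result, action: "review" };
  // Joined insecurely although security was expected (for S2: an aborted bootstrap).
  const action = NEEDS_SECURITY.has(node.deviceType)
    ? "exclude-and-reinclude"  // locks and barriers need the secure join
    : "leave-or-reinclude";    // other devices may stay insecure or be re-included
  return { ...result, action };
}

// Return only the nodes that need attention.
function auditNetwork(nodes) {
  return nodes.map(auditNode).filter((r) => r.action !== "ok");
}

// Constructed sample inventory (not the poster's actual network).
const SAMPLE_NODES = [
  { name: "Front door deadbolt", deviceType: "lock", supportsS2: true, security: "none" },
  { name: "Hall dimmer", deviceType: "light", supportsS2: true, security: "none" },
  { name: "Garage door", deviceType: "barrier", supportsS2: false, security: "S0" },
  { name: "Old motion sensor", deviceType: "sensor", supportsS2: false, security: "none" },
];

for (const r of auditNetwork(SAMPLE_NODES)) {
  console.log(`${r.name}: expected ${r.expected}, got ${r.actual} -> ${r.action}`);
}
```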

understood.

I have about 20+ (combined) Inovelli/GE dimmer switches throughout the house, with the Zooz USB centrally located at the main floor (surrounded by 6 z-wave dimmer switches). The deadbolt is at the corner of the house, which is 2-walls from the nearest z-wave dimmer switch.

Thus, if this is a time-out issue on inclusion, can I

  1. place a battery-powered z-wave device (motion sensor, etc, which I have quite a few) between the deadbolt and the nearest z-wave dimmer to act as a relay? or,
  2. the only thing that will help is to add more non-battery-powered devices?

It is getting very difficult to buy good quality (i.e. Inovelli) dimmer switches (which I need another 20+ for my house) in Canada. I really hope that Inovelli can address this issue.

The deadbolt is at the corner of the house, which is 2-walls from the nearest z-wave dimmer switch.

That may just be too far away to include properly. You might have better luck by removing the deadbolt and including it next to the controller, if that’s possible (I know some models it is). Then when you re-install it in the door, perform a node heal.

Battery devices can’t relay, so adding more won’t do anything for the network health. Only mains-powered devices can act as relays.

Make sure all your Inovelli switches are updated to the latest firmware versions. I know some previous versions were problematic. One of the Inovelli founders also has said they have seen performance problems with S2 and suggest including insecure. I can’t say I’ve seen the same performance problems, but I only have a handful of S2 devices and none are Inovelli.

thanks again.

I am actually in a situation in which I can buy a (another) almost-new Schlage z-wave deadbolt for less than 1/2 of the price new, but the uncertainty of whether it will work with HA is what is stopping me.

I do have an un-installed z-wave on/off switch that I can install near the existing deadbolt. Will try to install it in the next few days and report back.

ps. forgot to mention that the model number for my existing Schlage deadbolt is BE469ZP, which I could find in the Z-wave JS database (Z-Wave JS Config DB Browser), thus I think it is well-supported.

You will need a repeating device that supports Beaming (don’t worry, most do these days if they repeat) next to that lock to act as store and forward when the battery is asleep.

If it’s the ZWPlus (I think the 469 is Plus) then the repeater will likely help and it will probably include properly after you do that.

If it’s Non plus (does not have a programming button inside the lock case) then you MUST put the zwave stick literally on top of the lock body to include it. Once it’s included you can move your stick back and repair to fix the bogus route.

1 Like

In fact, Z-Wave is protected with strong AES 128-bit encryption. Once you’ve paired your new device to your central hub, it’s extremely difficult for anyone to unpair it and take control; security experts have estimated that it would take billions of years to break AES 128 encryption.