Z-wave aeotec z-stick 7 not secure

Hi, hope I chose the correct category and tags for this, if not please direct me to the right place.

I have a raspberry pi 4 running home assistant and recently added a aeotec z-stick 7 with a few devices. I always chose secure inclusion when adding a new device. However after that latest update (core-2021.10) I became aware that under device information in home assistant all devices said Secure: no. I know all devices support either s0 or s2, and the z-stick should support s2 as well. Now if I look at the z-stick device info, it also says Secure: no.

Have I done something wrong?
Are these devices not supposed to be secure after secure inclusion?
What exactly does “Secure: no” mean?
Is there a good way to see if s0 or s2 is used by a device?

PS: installed the z-wave js add-on to check the config, and there is a network key and s0 and s2 key.

Best regards!

That doesn’t apply to controllers.

You mean the secure property? But all other devices are also regarded as not secure. Have an aeotec multisensor 6 e.g. that should support secure inclusion.

Actually now I noticed that the network key has disappeared from the config. Now it just says
network_key: ''
Is that normal?

I was referring specifically to the controller, that attribute doesn’t have any meaning.

For the other devices, if the flag says “Secure: No”, then it does mean they weren’t included securely.

It’s preferable not to include those kinds of devices with S0 anyways, because of the bad network performance.

network_key is the deprecated key value. With the current version of the official add-on, that key is now s0_legacy_key. https://github.com/home-assistant/addons/blob/605570d63b3afa792e8ed4908dcf863af7c829c9/zwave_js/DOCS.md#security-keys

1 Like

Performance is not an issue, since I will only have very simple sensors with small amount of data transfere. I noticed when i stopped the add-on and checked the logs it claimed I am missing a network key (even though it was set during set) and suggested using the same as the s0 key. Did that and started again, the log said now both network and s0 keys are the same and ok! Will try to exclude and include a device again.

You would be surprised at how bad S0 is. It may work out fine in your case. However, if you do notice issues, that’s one of the first things to look at.

You will be required to use the Advanced Inclusion dialog to select Legacy security. The default inclusion method does not enable S0 for devices that it isn’t generally recommended for (only locks and other security actuator devices).

Ok now I captured the log message after stopping the add-on:

INFO: No 'network_key' detected, setting it to 's0_legacy_key' for backwards compatibility

Should i set a different network key or is this fine?
I did the advanced inclusion with s2 (since it said s0 is the fallback). However it seems i dont even get s0? Or does Secure: no mean s0?

That error message makes it sound like you are using an old version of the addon that doesn’t support S2 keys. Make sure you are up-to-date with version 0.1.45. There should be more key fields, like this from my test system:

“Fallback to Legacy” means it chooses legacy for security actuator devices that don’t support S2. It’s not going to enable S0 on a multisensor, because that isn’t recommended. You have to choose Legacy manually if you want to force it.

“Secure: No” means no security. “Secure: Yes” means S2 or S0, the UI doesn’t distinguish yet.

1 Like

Ok now its starting to clear up.
I am on Current version: 0.1.45 and i see all those fields in the config as well.
However i do not seem to be able to force any device to use s0 nor s2.
Testing with a magnetic door sensor and a multisensor right now. Even when i choose legacy secure inclusion, i get Secure: no

You have to exclude and re-include the device. You’ll be prompted for the device’s DSK if it supports S2.

I have tried that with both the Secure if possible and Secure legacy options. Still dosn’t show up as a secure device. Is the z-stick gen7 known have issues?
The reason i want to use secure is that i live in an apartment with lots of neighbors and offices close by. Any wireless device should be “secure” imo. Also planning on adding some actuator, but before investing in that it is good to know that my setup can support at least s0.

Correcting myself, this means the s0_legacy_key is set, and the network_key is not set. The addon will set network_key because there were issues with other addon releases.

What is the device that is giving you this problem? Did you read the manual on the proper procedure to include it securely?

This is the device, and the manual was extremely brief, basically only mentioned how to include and exlude using the action button.

Actual product description: https://www.kjell.com/se/produkter/smarta-hem/smarta-sensorer/smarta-magnetkontakter/cleverio-z-wave-magnetkontakt-p51113

It’s in swedish but claims to support z-wave plus and s0.

According to the Z-Wave DB, this device does not support security. https://products.z-wavealliance.org/products/1797?selectedFrequencyId=-1

Where do you see that on that page? What property name am i looking for?

Z-Wave Protocol Implementation Conformance Statement.


I’ve found that the DB is not 100% correct, but based on your experience so far, sure sounds like it. None of my door sensors support Security.

Actually I found the device with the same brand name here: