Security Z-Wave

How to choose the encryption mode for the wave? Before, it was possible to select between none, S0, S2 when switching on the device to the network. And now? Hubitat Elevation® Platform Version 2.2.8.156

Version 2.2.8 changed the Z-Wave pairing process a bit. If a device supports S2, it will now proceed with either the default selections (which should be exactly what the device supports), or there is a "Skip" button you can use to include without security. So, if that's what you're going for, that button should work. In many cases, this should work the same as it did before; you won't be able to "downgrade" the pairing to just S2 Unauthenticated if it supports S2 Authenticated (or S2 Access Control), for example, and you won't be able to choose only S0 (generally a bad idea, particularly when your device supports S2--which it does if you see this prompt), but other than that, the end result should be what most people want.

What still isn't possible--but never was on the C-7 hub--is pairing an S0-only device without S0 if the device itself doesn't have a separate "non secure" pairing method. (The Zooz 4-in-1 ZSE41, various Monoprice sensors, and original-firmware Inovelli bulbs are some products I can think of where this applies.) Version 2.2.8 did not change this behavior, and the best way to include such devices is by using a secondary controller (e.g., a USB stick with Z-Wave PC Controller).

It's not clear to me what your goals are or if you're having a specific problem. In that case, it may be best to explain what you're doing. Otherwise, hopefully this at least explains the changes you see!

4 Likes

Everything is very simple. I am now actively working on associations in the Z-Wave network. Associations only work if both devices send messages with the same encryption. For example, everything is at S0, or without it at all. But not all devices can do S2. Therefore, it is sometimes necessary to lower the encryption level.

I tried "skip", the device still encrypts in S2.

Avoid S0 at all costs. It's extremely chatty and will slow things down. As stated above the Zooz 4-in-1 is a particular issue with this and can even crash your mesh. Most people only encrypt locks and garage door openers. Beyond that it's really not necessary (I mean, if someone were to sit outside your home and sniff Z-Wave stuff, what would they see? A light turning on? Your neighbor will know you turned on that light without a sniffer).

5 Likes

This isn't entirely true. Association does require devices to be paired with the same "levels" (grants), but it is not just the highest grant that matters. For example, nearly every device that supports some form of S2 also supports S0. It's quite likely that, for example, a dimmer you paired with S2 Authenticated as the highest grant also had S2 Unauthenticated and S0 selected (in 2.2.7; you can't see this in 2.2.8, but if it was selected by default before, it would have continued to work that way now). Let's say you have an S2 Unauthenticated remote that you want to use with this dimmer (and that both devices support Z-Wave Association). That should work as-is. The "maximum" grant matters only for communication with the hub, and everything else should work with Association if the device was granted it during pairing.

Note that the Z-Wave Details page shows you only the highest grant, which in my example above would be S2 Authenticated. To see all of them, there isn't an easy way, but you can de-code the "S2" value under "Device Details" on the device page to figure out more. I can't find the post now, but I'm pretty sure staff posted a link to the Z-Wave command class spec with what the various bits mean (I do recall offhand that "S2: 128" is S0 only).

Regardless, I'd definitely heed the advice above to avoid pairing devices as S0-only if you can avoid it. But again, as long as the S2 device can support S0, it shouldn't matter even if you pair it to the hub with S2--again, the maximum grant applies only for hub-based communication, and Association is precisely where the others (may) come into play. (Which also means that in 2.2.7 and earlier, you don't need to panic and un-select "S0" from the pairing dialog if you've kept the default S2 options selected--a misinterpretation of the advice above that I've seen some people suggest--but that's another story.)

On the Inovelli support site they think differently:
[HOW-TO] Using the Z-Wave Association Tool in Hubitat - Sorting Category - Inovelli Community

1:
the one on the right shows zwaveSecurePairingComplete: true. You can check Z-Wave Details to see if it’s S0 or S2 for the devices (middle or right column). These two will have problems communicating unless they’re both set for None, S0 or S2. I would recommend excluding the device on the right, and pairing with no security. Then try your associations again.

2:
With the newer C7 firmware, it should be somewhat stable, but I noticed some of my further devices were still adding with no security vs. S2. I went ahead and made most (still need to run through some) set to no security. I was deselecting all the checkboxes when it prompted me for security associations.

The bulbs don’t support S2, so IF you plan on using associations to control the bulbs, you’ll need to set those switches as no security or S0 (assuming your bulbs join as S0). If the bulbs and switches are not set the same, it won’t control the smart bulbs as intended.

And somewhere else there was a recommendation from the developers that the degree of protection should be the same.

I tried to add a device without protection, but it didn't work for me; it still turned out S2.

This is not consistent with what Hubitat staff like @bcopeland have said for Hubitat, and I believe that the quote above is a misunderstanding on the part of that Inovelli community member (like this forum here, it is largely posted on by community members--regular users like you and me). Are you dealing with an Inovelli dimmer and an Inovelli bulb? The Inovelli dimmers should work fine as long as you keep S0 also selected (even if they use S2 for the hub itself), though unfortunately, firmware 2.2.8 took away the ability to see that. You can still "un-mask" the "S2" value in your "Device Details" section on the device page to determine how it paired after the fact (post it here and someone can do it for you). This would be necessary since the bulbs only support S0.

But again, I'd avoid pairing the bulbs (or anything you can avoid it on) with S0 at all, and in that case you would indeed need to pair both the dimmer and the bulb without security to make it work. To pair the bulb without security, you'll need a secondary controller or updated bulb firmware (this much hasn't changed in 2.2.8). The dimmer should let you do it without security if you skip, but I have heard occasional problems with that, and I'm not sure what the resolution might be except working fast (don't let it run into any internal timeouts is the idea) or waiting for the next hub update (might be a fix). Or in this case, since you have that secondary controller, just use it for the dimmer too. :)

If this isn't the actual hardware you're dealing with, posting more information about that may help. Good luck!

2 Likes
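
The "S2" value under "Device Details" that the posts above suggest decoding can be unpacked with a short script. This is an added example, not part of the original thread and not Hubitat's code; it assumes the value is the Z-Wave Security 2 key bitmask (bit 0 = S2 Unauthenticated, bit 1 = S2 Authenticated, bit 2 = S2 Access Control, bit 7 = S0; the thread itself confirms only that 128 = S0), and the function names and sample values are constructed.

```python
# Key-class bits of the Security 2 key bitmask, strongest class first.
# Assumption: this is the number Hubitat shows as "S2" under Device Details.
KEY_BITS = [
    (0x04, "S2 Access Control"),
    (0x02, "S2 Authenticated"),
    (0x01, "S2 Unauthenticated"),
    (0x80, "S0"),
]
KNOWN_MASK = 0x87  # every bit defined above; the rest are reserved


def decode_grants(value):
    """Return the key classes granted at pairing, strongest first."""
    if not 0 <= value <= 0xFF:
        raise ValueError("S2 value must fit in one byte")
    if value & ~KNOWN_MASK:
        raise ValueError("reserved bits set in S2 value: %d" % value)
    return [name for bit, name in KEY_BITS if value & bit]


def highest_grant(value):
    """The single level the Z-Wave Details page reports for the device."""
    grants = decode_grants(value)
    return grants[0] if grants else "None"


def common_grants(a, b):
    """Key classes both devices hold (["None"] if both are unsecured)."""
    if a == 0 and b == 0:
        return ["None"]
    return decode_grants(a & b)


def can_associate(a, b):
    """Rule as described in the thread: the two devices need a shared grant."""
    return bool(common_grants(a, b))


if __name__ == "__main__":
    # Constructed sample values: a dimmer paired with the default S2 options
    # (S2 Authenticated + S2 Unauthenticated + S0) and an S0-only bulb.
    dimmer, bulb = 131, 128
    print("dimmer:", decode_grants(dimmer), "highest:", highest_grant(dimmer))
    print("bulb:  ", decode_grants(bulb))
    print("shared:", common_grants(dimmer, bulb))
```

A dimmer showing 131 and a bulb showing 128 share S0, which matches the case in the thread where the dimmer talks S2 to the hub and still reaches the S0-only bulb through Association.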