What is Z-Wave secure enrollment?

Secure enrollment refers to the process by which a Z-Wave device (typically a Z-Wave lock) and a Z-Wave controller (the Alarm.com compatible system) exchange information about encryption schemes and agree upon a key to use in their communication going forward. Encryption is a technique used in many computer applications to encode a message so that third parties cannot understand or communicate with the parties exchanging information. The message is encoded using an agreed-upon key, which is essentially a string of random numbers that tells the devices where and how to change the message. The device on the receiving end can then use the same key to undo the scrambling and read the message. Without the key, it is virtually impossible to understand what the two parties are saying to each other. In addition to being used in Z-Wave, encryption is used to send anything from credit card information to an iTunes password between parties over the internet, among many other things.

Enrolling a device that requires secure enrollment 

Currently, only a subset of all Z-Wave devices support encryption. These include locks and garage door controllers. With encryption, attackers cannot read a Z-Wave signal to figure out a user's PIN code for a lock, and they cannot send a message to a garage door controller to open the garage. Though this technique greatly increases the security Z-Wave devices can provide a home, it does add a layer of complication to the installation process. Secure enrollment takes longer than a standard enrollment and requires an above-average strength Z-Wave network to complete. It is recommended that devices requiring secure enrollment be within 6 feet of the panel during enrollment. After enrollment, Alarm.com indicates on the Z-Wave Equipment List page if a device has failed to complete secure enrollment. If that happens, the two devices cannot communicate, and they must begin secure enrollment again. To begin the secure enrollment process again, the device must be removed from the Z-Wave network and re-added.

What is communicated during secure enrollment?

When a secure device is added to the Z-Wave network, the panel and the Z-Wave device communicate the following things:

 1. The device supports encrypted communication.
 2. The device supports a specific type of encrypted communication.
 3. The panel sends a key to the device to use to encrypt and decrypt messages going forward.
 4. The panel and device test that they can both send and receive encrypted messages.
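
The four steps above and the remove-and-re-add rule, as a simplified model added here for illustration. It is not Alarm.com or Z-Wave code and not the Z-Wave wire protocol. Assumptions: the names Device, Panel, enroll, link_ok and SCHEME are hypothetical, the key and nonce sizes are arbitrary, and HMAC-SHA256 stands in for the encrypted test message.

```python
import hashlib
import hmac
import secrets

SCHEME = "scheme-A"  # hypothetical label; the page names no specific scheme

class Device:
    def __init__(self, schemes=(SCHEME,)):
        self.schemes, self.key = set(schemes), None

    def answer_test(self, nonce):
        # Step 4, device side: prove possession of the key received in step 3.
        # HMAC-SHA256 stands in for the encrypted test message (assumption).
        if self.key is None:
            return None
        return hmac.new(self.key, nonce, hashlib.sha256).digest()

def enroll(device, link_ok=lambda step: True):
    """Run steps 1-4; link_ok(step) models whether that step's message arrived.
    Returns ("secure", None) or ("failed", step_that_failed)."""
    if not link_ok(1) or not device.schemes:            # 1: supports encryption
        return ("failed", 1)
    if not link_ok(2) or SCHEME not in device.schemes:  # 2: a shared scheme
        return ("failed", 2)
    if not link_ok(3):                                  # 3: panel sends the key
        return ("failed", 3)
    key = secrets.token_bytes(16)   # size is arbitrary for this model
    device.key = key
    nonce = secrets.token_bytes(8)                      # 4: round-trip test
    tag = device.answer_test(nonce) if link_ok(4) else None
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    if tag is None or not hmac.compare_digest(tag, expected):
        return ("failed", 4)
    return ("secure", None)

class Panel:
    def __init__(self):
        self.nodes = {}  # device name -> enrollment result

    def add(self, name, device, link_ok=lambda step: True):
        # A failed enrollment cannot be resumed: the node must be removed first.
        if name in self.nodes:
            raise ValueError("remove the device from the network before re-adding it")
        self.nodes[name] = enroll(device, link_ok)
        return self.nodes[name]

    def remove(self, name):
        self.nodes.pop(name, None)
```

A message lost at any step leaves the node in the failed state, which is why a weak link during enrollment means starting over with a fresh remove and add.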

Troubleshooting

If the Secure Enrollment Failed trouble condition appears in the Remote Toolkit, see Secure Enrollment Failed.

If a Z-Wave device is not completing secure enrollment, see Z-Wave device is not completing secure enrollment.