How to secure your Zigbee network #

By default your Zigbee network isn’t as secured as possible. The following settings are recommeded to apply to your configuration.

Disable joining #

To disable joining it’s important that permit_join: false is set in your configuration.yaml. Otherwise rogue devices are able to join allowing them to send and receive Zigbee traffic.

Change Zigbee network encryption key #

Changing the network key requires repairing of all devices!

Zigbee2mqtt uses a known default encryption key (Zigbee Transport Key). Therefore it is recommended to use a different one. To use a different encryption key add the following to your configuration.yaml:

Do not use this exact key.

advanced:
  network_key: [7, 3, 5, 7, 9, 11, 13, 15, 0, 2, 4, 6, 8, 11, 12, 13]

The network encryption key size is 128-bit which is essentially 16 decimal values between 0 and 255 or 16 hexadecimal values between 0x00and 0xFF.

If you need to transform your decimals to hexadecimals (or vice versa) please use a converter. Example: 92 (decimal) would become 5C (hexadecimal).

You can generate a valid decimal key with the following command in most linux systems:

dd if=/dev/urandom bs=1 count=16 2>/dev/null | od -A n -t u1 | awk '{printf "["} {for(i = 1; i< NF; i++) {printf "%s, ", $i}} {printf "%s]\n", $NF}'

Please be aware that if you use the Hass.io add-on for zigbee2mqtt only decimal keys are supported.

You can generate a valid hex key with the following command in most linux systems:

dd if=/dev/urandom bs=1 count=16 2>/dev/null | od -A n -t x1 | awk '{printf "["} {for(i = 1; i< NF; i++) {printf "0x%s, ", $i}} {printf "0x%s]\n", $NF}'