
Encryption for Controllers User Guide
Lenel OnGuard 2010 Encryption for Controllers User Guide, product version 6.4.
This guide is item number DOC-1200, revision 1.008, March 2010
Copyright 2004-2010 Lenel Systems International, Inc. Information in this document is subject
to change without notice. No part of this document may be reproduced or transmitted in any form
or by any means, electronic or mechanical, for any purpose, without the express written
permission of Lenel Systems International, Inc.
Non-English versions of Lenel documents are offered as a service to our global audiences. We
have attempted to provide an accurate translation of the text, but the official text is the English
text, and any differences in the translation are not binding and have no legal effect.
The software described in this document is furnished under a license agreement and may only be
used in accordance with the terms of that agreement. Lenel and OnGuard are registered
trademarks of Lenel Systems International, Inc.
Microsoft, Windows, Windows Server, and Windows Vista are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. Integral and
FlashPoint are trademarks of Integral Technologies, Inc. Crystal Reports for Windows is a
trademark of Crystal Computer Services, Inc. Oracle is a registered trademark of Oracle
Corporation. Other product names mentioned in this User Guide may be trademarks or registered
trademarks of their respective companies and are hereby acknowledged.
Portions of this product were created using LEADTOOLS 1991-2010 LEAD Technologies, Inc.
ALL RIGHTS RESERVED.
OnGuard includes ImageStream Graphic Filters. Copyright 1991-2010 Inso Corporation. All
rights reserved. ImageStream Graphic Filters and ImageStream are registered trademarks of Inso
Corporation.

Table of Contents

Chapter 1: Overview
    Why Use Encryption
    Encryption Keys
        Master Key 1 and Master Key 2
    Master Key Management
        Automatic Key Management
        Manual Key Management
        Which form of Key Management to Choose
    Firmware Types
        Determine Firmware Type
        Recommendations for Downloading Firmware
    Flash Chip Size
        Determine Flash Chip Size
    DIP Switch Settings for Encryption
        Determine DIP Switch Settings
        Recommendations for DIP Switch Settings
    Master Key Entry
        Random Master Key Generation
        Pass Phrase Entry
        Manual Key Entry
    Configuring a Controller for Encryption
    Changing Master Keys
        How Often
    Segmentation

Chapter 2: Automatic Key Management Procedures
    Setting Up Encryption
        Setup Encryption in a New Installation
        Setup Encryption in an Existing System/Segment
        Enable Encryption for Controllers in Encrypted System/Segments
    Additional Procedures
        Switch to a New Master Key
        Swap Encrypted Controllers in the Field
        Disable Encryption
        Mark an Encrypted Controller Back Online
        Move an Encrypted Controller into a Segment
        Move an Encrypted Controller While Creating an Encrypted Segment

Chapter 3: Manual Key Management Procedures
    Using the Lenel Controller Encryption Configuration Utility
    Setting Up Encryption
        Setup Encryption in a New Installation
        Setup Encryption in an Existing System/Segment
        Enable Encryption for a New Controller in an Encrypted System/Segment
        Enable Encryption for an Existing Controller in an Encrypted System/Segment
    Additional Procedures
        Switch to a New Master Key
        Swap Encrypted Controllers in the Field
        Disable Encryption
        Mark an Encrypted Controller Back Online
        Move an Encrypted Controller into a Segment
        Move an Encrypted Controller While Creating an Encrypted Segment

Chapter 4: Connection Errors & Corrective Steps
    Connection Errors
        Controller Does Not Support Encryption
        Controller Requires Encrypted Connection
        Master Key Mismatch
        Connection Mismatch
    Upgrading and Degrading Connections
        Upgrade Connections
        Degrade Connections
    Master Key Updates in Automatic Key Management System/Segments
    Live Status in Alarm Monitoring and Reported Events
        Offline Due to Encryption Problem
        Online with a Connection Mismatch
        Online with Configured Connection

Index

Chapter 1: Overview

Why Use Encryption


Communications between OnGuard and Lenel access controllers range from
direct serial port connections to TCP/IP connections over local and/or wide area
networks to modem connections over a dial-up network.
If there is a concern that the communication link may not be secure from
unauthorized access, an encrypted connection between OnGuard and the Lenel
access controller can be configured.
Data security for encrypted connections between OnGuard and Lenel access
controllers is provided by the full implementation of the Federal Information
Processing Standard (FIPS), FIPS-197, utilizing the Advanced Encryption
Standard (AES), also known as Rijndael, a symmetric encryption algorithm.
FIPS-197 supersedes the aging Data Encryption Standard (DES) defined in FIPS
46-3. Implementation of FIPS-197 solves the data security requirements for these
open network connections by providing a means to secure the data over the
non-secure network by encryption.

Encryption Keys
To encrypt connections, OnGuard implements the Advanced Encryption
Standard (AES). A symmetrical block cipher algorithm, such as AES, requires
that both sender and receiver use the same key. 128-bit keys are used in the
encryption between OnGuard and a Lenel controller.
Master keys are used to encrypt data packets that transfer a session key to the
controller. Master keys are the crux of the encryption process. Both ends of the
connection, the controller and host, must agree on the master key being used to
achieve a connection.
Session keys are used to encrypt any data that is communicated between
OnGuard and Lenel access controllers, except for the transfer of new session
keys. Session keys are automatically generated by OnGuard when a connection is
established with a controller. Session keys are internal to the system and never
exposed.

Master Key 1 and Master Key 2


To maintain smooth system operation, two master keys exist in the system and
controllers: master key 1 and master key 2.
Only one master key, the active master key, is in use at a given time. The other
master key is inactive. When a master key change is desired, the inactive master
key value is first updated in the controllers and in the OnGuard system. Once this
process is complete, the inactive master key is activated. Over the life of an
installation, master key 1 will sometimes be the active master key and other times
be the inactive master key. This is also true of master key 2.

Important:

It is important to keep master key values secure. These values are shared
secretly between the controllers and OnGuard, and allow an encrypted
connection to be made.
Since the AES algorithm is public, all parties that have access to the key can
encrypt and decrypt the data.
Master key values should not be shared with anybody who is not involved in
their management. They should not be written down or electronically stored
in locations that are not secure.

Master Key Storage


Lenel controllers store master keys in non-volatile EEPROM memory
permanently soldered to the controller circuit board. There is no mechanism
available for obtaining these values from a controller.
Note that controllers come from the factory with factory default master key
values. Once a controller is configured for encryption within the OnGuard
system, these factory default values are replaced.

Master Key Management


Master key values are configured and activated on a system wide basis for
non-segmented installations and on a per segment basis for segmented installations.
Master keys are configured and activated in System Administration on the
Controller Encryption form/sub-tab of the System Options folder or Segments
folder.
Each controller must also be updated with the master key values you configured
in the OnGuard system. You can update the master keys in the controllers using
automatic or manual key management.

Automatic Key Management


With automatic key management, master key values are automatically transferred
from OnGuard to the controllers over the existing connection. When encryption
is first enabled, the master key is transferred over the existing plain
(unencrypted) connection. After encryption is enabled, subsequent transfers are
made over the existing encrypted connection.

Manual Key Management


With manual key management, master key values are manually transferred to
controllers. Manual transfers are performed using a host machine (typically a
laptop computer) that is connected to the controller using a secure, local
connection such as a short serial cable. The host machine uses the Lenel
Controller Encryption Configuration Utility to transfer master key values.
This means that an administrator must visit each controller to manually transfer
master key values. For more information, refer to the Controller Encryption
Configuration Utility User Guide available on the OnGuard Installation disc.

Which form of Key Management to Choose


Automatic key management is inherently simpler to use and manage than manual
key management. Master key updates are made automatically and there is no
need to manually visit each controller to transfer a master key.
However, manual key management is inherently more secure than automatic key
management because master keys are never transferred over a standard (open
network) OnGuard connection.
With automatic key management, a plain connection is used the first time a
master key is transferred to a given controller. An intruder who intercepts this
packet could then use the master key to decrypt the initial packet containing a
session key. This session key could then be used to decrypt the remaining packets
for that session. The master key could also be used to establish a connection with
the controller.
If the automatic key transfer implications discussed above are not of concern,
then automatic key management is the simplest choice. However, organizations
that wish to protect themselves from intruders who may be intercepting packets
at any and all times will want to use manual key management.
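
The trade-off described above, as an added example that is not part of the original guide: a toy model of the master key / session key hierarchy showing what a passive observer of the link can read under each form of key management. A SHA-256 keystream stands in for AES-128 so the block runs on the standard library alone; the packet names and layout are assumptions, and the master key is the sample value printed under Manual Key Entry.

```python
"""Toy model of the master key / session key hierarchy (added example)."""
import hashlib
import secrets

# Sample 128-bit key printed in this guide's Manual Key Entry section.
SAMPLE_MASTER_KEY = bytes.fromhex("70E6E026E7AA7BD16679D5B9A8F1AF1E")
# Constructed sample traffic.
SAMPLE_MESSAGES = [b"card 1234 granted at reader 7", b"door 7 forced open"]


def toy_cipher(key: bytes, seq: int, data: bytes) -> bytes:
    """XOR data with a SHA-256 keystream; applying it twice restores the data.

    Stand-in for AES-128 so the example needs no third-party package.
    It is NOT a secure cipher.
    """
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(
            key + seq.to_bytes(4, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def host_send(master_key, messages, first_transfer_in_plain):
    """Return the packets the host puts on the wire (assumed layout)."""
    wire = []
    if first_transfer_in_plain:
        # Automatic key management, first time encryption is enabled:
        # the master key crosses the existing plain connection.
        wire.append(("MASTER_KEY", master_key))
    session_key = secrets.token_bytes(16)
    # The master key only ever protects the session key transfer.
    wire.append(("SESSION_KEY", toy_cipher(master_key, 0, session_key)))
    for seq, msg in enumerate(messages, start=1):
        wire.append(("DATA", toy_cipher(session_key, seq, msg)))
    return wire


def read_session(wire, known_master_key=None):
    """Decrypt whatever the holder of known_master_key can read.

    The controller calls this with the key in its EEPROM. A passive
    observer starts with None and learns a master key only if one
    crosses the link in plain.
    """
    master_key = known_master_key
    session_key = None
    readable = []
    seq = 0
    for kind, payload in wire:
        if kind == "MASTER_KEY":
            master_key = payload
        elif kind == "SESSION_KEY":
            if master_key is not None:
                session_key = toy_cipher(master_key, 0, payload)
        elif kind == "DATA":
            seq += 1
            if session_key is not None:
                readable.append(toy_cipher(session_key, seq, payload))
    return readable


if __name__ == "__main__":
    for label, plain in (("automatic", True), ("manual", False)):
        wire = host_send(SAMPLE_MASTER_KEY, SAMPLE_MESSAGES, plain)
        print(label, "controller reads:", read_session(wire, SAMPLE_MASTER_KEY))
        print(label, "observer reads:  ", read_session(wire))
```
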

Firmware Types
Controller firmware changes required to support encryption have increased the
firmware size. This firmware cannot be loaded into controllers that contain 128
KB flash chips. There are many controllers in the field that contain 128 KB flash
chips. As such, two versions of firmware are now being released. One set,
referred to as AES firmware, supports encryption. The other set, referred to as
plain firmware, does not. The two sets of firmware are identical in all other
respects, supporting all of the same features.
Either version of firmware can be loaded into a controller with a 256 KB chip
while only plain firmware can be loaded into a controller with a 128 KB chip.

Determine Firmware Type


You can determine the type of firmware a controller has by using the Lenel
Controller Encryption Configuration Utility, Alarm Monitoring, or System
Administration applications. The Lenel Controller Encryption Configuration
Utility displays the firmware revision in the main window. Alarm Monitoring
displays the firmware revision in the System Status window or controller
Properties dialog. Finally, System Administration displays the firmware revision
in the Diagnostics form of the Access Panels folder.


If the controller contains AES firmware, .aes is shown as part of the firmware
revision, as in 3.054.aes.

Recommendations for Downloading Firmware


Firmware can be downloaded to a controller using OnGuard or the Lenel
Controller Encryption Configuration Utility. It is recommended that you use
OnGuard to download firmware for existing controllers and the utility for new
controllers or hardware swaps.

Flash Chip Size


AES firmware can only be downloaded to controllers with 256 KB chips. All
LNL-2000 panels have 256 KB chips while LNL-1000 and LNL-500 panels
manufactured prior to February 2003 do not; they contain 128 KB chips. Refer to
the following guidelines for replacing chips in these panels:

• All LNL-500 panels can have their chips replaced
• LNL-500 panels shipped with serial numbers 6352 and higher already have
  256 KB chips
• LNL-1000 panels with serial numbers above 710 can have their chips
  replaced
• LNL-1000 panels with serial numbers 710 and below cannot accept a 256
  KB chip
• LNL-1000 panels with serial numbers 12862 and higher already contain 256
  KB chips

Determine Flash Chip Size


In addition to looking at the panel's serial number, you can determine the flash
chip size of a panel by using the Lenel Controller Encryption Configuration
Utility, Alarm Monitoring, or System Administration applications. The Lenel
Controller Encryption Configuration Utility displays the flash size in the main
window. Alarm Monitoring displays the flash chip size in the controller Properties
dialog. Finally, System Administration displays the flash chip size in the
Diagnostics form of the Access Panels folder.


Notes:

By default, OnGuard automatically downloads AES firmware to controllers
with 256 KB chips, when a firmware download is requested.
OnGuard automatically downloads plain firmware to controllers with 128
KB chips when a firmware download is requested.

DIP Switch Settings for Encryption


If a controller has AES firmware and DIP switch 8 is ON, the controller requires
an encrypted connection. If a controller has AES firmware and DIP switch 8 is
OFF, then encryption is optional; the host can connect with a plain or encrypted
connection. Thus, turning DIP switch 8 ON is not necessary for encryption but
enhances security by forcing encrypted connections.
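
One way to apply the flash chip, firmware type and DIP switch 8 rules above across a panel inventory, as an added example that is not Lenel code. The inventory records, field names and finding strings are assumptions; the serial-number thresholds and the ".aes" firmware marker are the ones stated in this guide.

```python
"""Inventory check from the guide's flash, firmware and DIP switch 8 rules
(added example; record layout and finding strings are assumptions)."""


def flash_status(model: str, serial: int) -> str:
    """Classify the as-shipped flash chip from model and serial number.

    A panel whose chip was replaced in the field reports 256 KB in the
    Diagnostics form even if its serial number predicts 128 KB.
    """
    if model == "LNL-2000":
        return "256KB"
    if model == "LNL-500":
        # All LNL-500 chips can be replaced; 6352 and higher ship with 256 KB.
        return "256KB" if serial >= 6352 else "128KB-replaceable"
    if model == "LNL-1000":
        if serial >= 12862:
            return "256KB"
        # 710 and below cannot accept a 256 KB chip.
        return "128KB-replaceable" if serial > 710 else "128KB-fixed"
    raise ValueError(f"unknown model: {model}")


def assess(panel: dict) -> str:
    """Return the encryption posture of one panel record."""
    has_aes = ".aes" in panel["firmware"]       # e.g. 3.054.aes
    if has_aes and panel["dip8"]:
        return "encrypted-only"                 # plain connections refused
    if has_aes:
        return "encryption-optional"            # host may still connect plain
    flash = flash_status(panel["model"], panel["serial"])
    if flash == "256KB":
        return "plain: AES firmware can be downloaded"
    if flash == "128KB-replaceable":
        return "plain: replace flash chip first"
    return "plain: cannot run AES firmware"


# Constructed sample inventory. dip8 is the value read at the last power-up.
INVENTORY = [
    {"name": "lobby", "model": "LNL-2000", "serial": 4021,
     "firmware": "3.054.aes", "dip8": True},
    {"name": "dock", "model": "LNL-2000", "serial": 4022,
     "firmware": "3.054.aes", "dip8": False},
    {"name": "annex", "model": "LNL-500", "serial": 5100,
     "firmware": "3.054", "dip8": False},
    {"name": "plant", "model": "LNL-1000", "serial": 650,
     "firmware": "3.054", "dip8": False},
    {"name": "garage", "model": "LNL-1000", "serial": 13000,
     "firmware": "3.054", "dip8": False},
]


def audit(inventory: list) -> dict:
    """Map each panel name to its posture."""
    return {p["name"]: assess(p) for p in inventory}


if __name__ == "__main__":
    for name, finding in audit(INVENTORY).items():
        print(f"{name:8s} {finding}")
```
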

Determine DIP Switch Settings


You can determine the current DIP switch settings using the Lenel Controller
Encryption Configuration Utility, Alarm Monitoring, or System Administration
applications. The Lenel Controller Encryption Configuration Utility displays the
DIP switch settings in the main window. Alarm Monitoring displays the DIP
switch settings in the controller Properties dialog. Finally, System Administration
displays the DIP switch settings in the Diagnostics form of the Access Panels
folder.

Recommendations for DIP Switch Settings


It is recommended that DIP switch 8 be turned ON after the initial master key
updates are made for a given controller. In manual key management mode, this
would be after the Lenel Controller Encryption Configuration Utility has been
used to load the initial master keys. In automatic key management mode, this
would be after the controller has been configured for an encrypted connection
and the administrator has verified that an encrypted connection has been
achieved.

Note:

The controller only reads DIP switch settings when it is powered up. If DIP
switch settings are changed, the controller must go through a power cycle
before the changes are recognized in the system.

Master Key Entry


When you change from a plain to an encrypted (automatic or manual) connection,
the Master Key Entry dialog displays, where you can select the form of master
key entry. This dialog also displays when you click [Modify] in the Controller
Encryption form/tab in System Administration.

OnGuard supports three forms of master key entry: random master key
generation, pass phrase entry, and manual master key entry.

Note:

For more information about the Master Key Entry dialog, refer to the System
Options Folder or Segment Folder chapter in the System Administration
User Guide.

Random Master Key Generation


This mode of master key entry is the default and the simplest option to select
when the Master Key Entry dialog displays. To use the random master key
generation mode, simply click [OK] when the dialog displays.

Automatically Update the Master Keys


Random master key generation is likely the best option in systems using
automatic key management. Key transfers to the controllers are made
automatically by the OnGuard system. The administrator does not have to be
concerned with the actual master key value.

Manually Update the Master Keys


Random master key generation can be used in manual key management systems,
as well. The export function can be used to export the key so that it can be
manually transferred to the controllers using the Lenel Controller Encryption
Configuration Utility.
For more information on exporting master keys, refer to the System Options
Folder or Segments Folder chapter in System Administration.

Pass Phrase Entry


With pass phrase mode, the administrator enters a phrase or sentence between 1
and 255 characters. The pass phrase is automatically turned into a 128-bit master
key by the OnGuard system.


Choosing a Pass Phrase Entry


It is strongly recommended that pass phrases be at least 50 characters in length
for security reasons.
Furthermore, a pass phrase should be hard to guess, even by someone who knows
you well, but easy for you to remember. A "shocking nonsense" phrase is
generally the best, meaning a short phrase or sentence that is odd enough for you
to remember but is illogical and not associated with you.
You may wish to use a pass phrase entry when working with manual key
management systems. Since the pass phrase is easy to remember, there is no need
to write it down or export the resulting master key from the OnGuard system.
You can manually enter it into both OnGuard and the Lenel Controller
Encryption Configuration Utility.

Note:

If a pass phrase is lost, the 128-bit master key that was generated from it can
always be exported from the OnGuard system.

Manual Key Entry


With manual key entry mode, the administrator enters a 128-bit master key. The
value is entered as a 32 digit hexadecimal number such as
70E6E026E7AA7BD16679D5B9A8F1AF1E.
An administrator may wish to use manual key management if a segment is being
configured for encryption and the administrator wants to use the same keys that
were used in other segments. These keys can be exported from one segment and
manually entered in the new segment.

Configuring a Controller for Encryption


To configure a controller for encryption in OnGuard you need to:
1. Configure the system/segment for encryption.
2. Configure the Lenel access panel for encryption.

These procedures require the proper user permissions which are set on the Access
Control sub-tab of the System Permission Groups form in the Users folder of
System Administration.
Systems are configured for encryption on the Controller Encryption form of the
System Options folder in System Administration. Segments are configured for
encryption on the Controller Encryption sub-tab of the Segments form in System
Administration.
A controller is configured for encryption on the Encryption sub-tab of the
LNL-2000, LNL-1000, or LNL-500 Access Panels form in System Administration.

Note:

The system/segment the controller belongs to must first be configured for
encryption in order for the Encryption sub-tab on the Access Panels form to
display.

Changing Master Keys


Master key exposure is extremely low over encrypted connections. The master
key is only used to encrypt an initial session packet in which a random session
key is transferred to the controller. All other packets in a given session are
encrypted using that session key.

How Often
Even installations that wish to protect against an intruder intercepting packets
over a long period of time while trying to break the encryption do not need to
switch master keys often. Every six months or one year is a reasonable time
frame to address such concerns. If this type of attack is not a concern, the master
keys do not need to be changed at all.

Note:

The master key can be switched at any time if there is concern that it has
been compromised.

Segmentation
When a segment is created, all encryption related configuration data is
automatically copied from the source segment to the new segment. This allows
for a smooth operation when encrypted controllers are moved from the source
segment to the new segment. The master key values and active master key
remain the same. Thus, the controllers do not need any updates. If desired, you
can modify the master keys in the new segment after the segment creation
process is completed.
If an encrypted controller is manually moved from one segment to another, the
controller must be updated if the master key values in the two segments differ.
This is handled automatically when the new segment is an automatic key
management segment. If the new segment is a manual key management segment,
the administrator must coordinate the segment move and manually update the
master keys in the controller.


Chapter 2: Automatic Key Management Procedures
With automatic key management, OnGuard is responsible for coordinating the
master key values between controllers and the OnGuard system. Master keys are
loaded/transferred to controllers automatically from the OnGuard system.
Normally, the Lenel Controller Encryption Configuration Utility is not used.

Setting Up Encryption
Setup Encryption in a New Installation
Refer to Setup Encryption in an Existing System/Segment. Be sure to place the
controller online at the end of step 2.

Setup Encryption in an Existing System/Segment


Follow this procedure if you are initially setting up encryption in an existing
system/segment (where the controllers are online with OnGuard using a plain
connection).
This entire procedure is completed in the OnGuard system. You do not need to
visit each controller unless you need to reset DIP switches.
1. Configure the system/segment for automatic key management encryption
   and generate a value for master key 1.

   Note:

   For more information, refer to Configure Automatic Encryption and Set
   Keys in the System Options Folder or Segments Folder chapter in the
   System Administration User Guide.

2. Complete the following for each controller:
   a. Verify each controller has the latest AES firmware. It may be necessary
      to first configure the controller (in OnGuard) for a plain connection and
      download the firmware. Note that the controller must have a 256 KB
      chip before AES firmware can be downloaded.
   b. Verify the controller's DIP switch 8 is OFF.
   c. Configure the controller for an encrypted connection. For more
      information, refer to the Access Panels Folder chapter in the System
      Administration User Guide.
   d. DIP switch 8 can be turned ON if desired after verification has been
      made that an encrypted connection has been made.


Enable Encryption for Controllers in Encrypted System/Segments
Refer to step 2 in Setup Encryption in an Existing System/Segment on page 15 if
you are introducing a new controller to an encrypted system/segment or you have
an existing controller in an encrypted system/segment that previously used a
plain connection.

Additional Procedures
Switch to a New Master Key
Master key exposure is extremely low over the encrypted connections. The
master key is only used to encrypt an initial session packet in which a random
session key is transferred to the controller. All other packets in a given session
with the controller are encrypted using that session key.
Even installations that wish to protect against an intruder intercepting packets
over a long period of time while trying to break the encryption do not need to
switch master keys very often. Every six months or one year is probably a
reasonable time frame to address such concerns. If this type of attack is not a
concern, the master keys do not need to be changed at all.
With automatic key management, however, note that new master key values are
sent to the controller over the standard access control system connection when
key changes are made. When encryption is first turned on, this is going to be
done over a plain connection. On subsequent key changes, the new keys are
transferred over the existing encrypted connection.
When you want to switch master keys, simply modify the system/segment and
modify the active master key value. By default, a new random key will be
generated. Alternatively, you can use a pass phrase or manual entry. The system
will seamlessly transfer the new master key to all encrypted controllers in the
system/segment (the next time a controller comes physically online if it is
currently physically offline) and switch to an encrypted connection using it.

Swap Encrypted Controllers in the Field


It is sometimes necessary to replace a controller in the field with a new controller.
If the old controller is configured for encryption, the master key values for that
controller must be loaded into the new controller prior to bringing the new
controller online with the OnGuard system. With automatic encryption, that is
impossible. One of two methods can be used to get around this problem:
manually update the master keys or allow OnGuard to automatically transfer the
active master key over a plain connection.

Manually Transfer Master Keys Over an Encrypted Connection
To temporarily operate in manual key management mode, refer to chapter 3,
Swap Encrypted Controllers in the Field on page 24. This procedure will instruct
you on how to transfer the active master key from the system/segment to the
controller.

Automatically Transfer Master Keys Over a Plain Connection
To automatically transfer the active master key over a plain connection:
1. Turn DIP switch 8 OFF at the new controller.
2. In the OnGuard system, configure the controller for a plain connection.
3. When the controller comes back online with the OnGuard system, verify that
   it has the latest AES firmware. If not, download it.
4. Configure the controller for an encrypted connection in the OnGuard system.
   The system will transfer the active master key and switch to an encrypted
   connection with the controller.
5. If desired, turn DIP switch 8 ON at the controller.

Disable Encryption
If you want to disable encryption for a controller, segment, or system, make sure
DIP switch 8 is OFF at every controller before disabling encryption. Otherwise,
when encryption is disabled in the OnGuard system, an encryption error occurs.

Mark an Encrypted Controller Back Online


If the controller has only missed a single master key update (and still contains the
other master key), OnGuard will automatically transfer the currently active
master key and switch to a proper connection when you mark an encrypted
controller back online.
If a controller has been marked offline and missed the last two key updates, or
was not configured for encryption when it was last marked online, you need to
manually update the master key or degrade the connection in order for the
controller to come physically back online.
If you believe the controller has only missed a single master key update or you
are uncertain, mark the controller back online and select No when the message
box asks if the next connection can be downgraded.
If the controller remains offline with an encryption error after several minutes, it
must have missed more than one key update. You will need to manually update
the master key or degrade the connection.

Manually Update Master Keys


For more information, refer to the Load or Update Master Keys in the Lenel
Controller Encryption Configuration Utility User Guide, located on the OnGuard
Installation disc.

Degrade a Connection
If you have already marked the controller back online in the steps above, modify
it and select Allow next connection to be downgraded. Otherwise, when the
controller is marked back online, select Yes when the message box asks if the
next connection can be downgraded. OnGuard will attempt to downgrade the
connection, transfer the currently active master key, and switch to the proper
encrypted connection. If DIP Switch 8 is currently ON at the controller, this may
not be successful. If the controller remains offline with an encryption error after
several minutes, DIP Switch 8 will need to be turned OFF at the controller. Once
OnGuard synchronizes and switches to a proper encrypted connection, DIP
switch 8 can be turned back ON.

Move an Encrypted Controller into a Segment


This procedure applies to encrypted controllers that are moved into an automatic
key management segment.
When a controller configured for encryption is moved to a new automatic key
management segment, it is up to OnGuard to synchronize the master keys in the
controller with the new segment. With that in mind, all you need to do is move
the controller to the new segment in the OnGuard system.

Move an Encrypted Controller While Creating an Encrypted Segment
When a new segment is created and a source segment selected, OnGuard copies
the encryption values from the source segment into the new segment. Thus, if
controllers are moved from the source segment during the segment creation
process, encryption operations are not impacted for those controllers.


Chapter 3: Manual Key Management Procedures
With manual key management, the administrator is responsible for coordinating
the master key values between controllers and the OnGuard system. This
involves loading master keys into the controller(s) and configuring OnGuard to
use an encrypted connection with the active master key. Master keys can be
loaded into controllers using the Lenel Controller Encryption Configuration
Utility. Later, if you want to switch keys, you need to visit the controller(s),
update the inactive key, and then configure OnGuard to begin using the new key.

Using the Lenel Controller Encryption Configuration Utility
For instructions on using the Lenel Controller Encryption Configuration Utility,
refer to the OnGuard Installation disc. The application and manual are located in
an .MSI file, which must be installed. Or, if the utility is already installed
on a computer, click Start then Programs > Lenel Controller Encryption
Configuration Utility and select either the utility or the user guide.

Setting Up Encryption
Setup Encryption in a New Installation
Follow this procedure if you are initially setting up encryption in a new system/
segment (where none of the controllers are online with the OnGuard system).
For more information, refer to Configure Manual Encryption and Set Keys in
System Options Folder or Segments Folder chapter in the System Administration
User Guide.
1. Configure the system/segment (in OnGuard) for manual key management
   encryption.
2. Generate a value for master key 1. By default, a random value is generated
   for the master key. Alternatively, a pass phrase or manual entry can be
   chosen.

   Note: It is recommended that both master keys in the segment be changed from
   their default values. If master key 2 is left with its factory default value, this
   leaves a potential security hole.

3. For each controller for which an encrypted connection is desired:
   a. Physically go to the controller. Start the Lenel Controller Encryption
      Configuration Utility and connect to the controller.
   b. Verify the controller has the latest AES firmware. If not, download it.
      Note that the controller must have a 256 KB chip before AES firmware
      can be downloaded.
   c. Update master key 1 with the value configured (in step 1). If you
      modified master key 2, update this key as well. Note that master key
      values can be exported from the access control system to a file. The
      Controller Encryption Configuration Utility supports loading keys from
      a file. To cut down on possible key exposure, a user may alternatively
      wish to use a pass phrase that they remember and may not wish to use
      the export function.
   d. Turn DIP switch 8 ON if you want to require an encrypted connection.
      This is recommended for the tightest security.
   e. Place the controller on its standard connection that will be used in the
      access control system.
4. For each controller updated in step 3:
   a. Configure the controller (in OnGuard) for an encrypted connection.
   b. Place the controller online.
   c. Verify an encrypted connection is achieved.

   Note: For more information, refer to Access Panels Folder chapter in the System
   Administration User Guide.

Setup Encryption in an Existing System/Segment


Follow this procedure if you are initially setting up encryption in an existing
system/segment (where the controllers are online with OnGuard using a plain
connection).
1. Configure the system/segment (in OnGuard) for manual key management
   encryption.
2. Generate a value for master key 1. By default, a random value is generated
   for the master key. Alternatively, a pass phrase or manual entry can be
   chosen.

   Note: It is recommended that both master keys in the segment be changed from
   their default values. If master key 2 is left with its factory default value, this
   leaves a potential security hole.

3. Verify each controller has the latest AES firmware. If not, download it. Note
   that the controller must have a 256 KB chip before AES firmware can be
   downloaded.
4. For each controller for which an encrypted connection is desired:
   a. Physically go to the controller. Start the Lenel Controller Encryption
      Configuration Utility and connect to the controller.
   b. Update master key 1 with the value configured (in step 1). If you
      modified master key 2, update this key as well. Note that master key
      values can be exported from the access control system to a file. The
      Controller Encryption Configuration Utility supports loading keys from
      a file. To cut down on possible key exposure, a user may alternatively
      wish to use a pass phrase that they remember and may not wish to use
      the export function.
   c. Turn DIP switch 8 ON, if you want to require an encrypted connection.
      This is recommended for the tightest security.
   d. Place the controller on its standard connection that will be used in the
      access control system.

   Note: For more information, refer to the Lenel Controller Encryption
   Configuration Utility located on the OnGuard Installation disc.

5. For each controller setup/updated for encryption in step 4:
   a. Configure the controller (in OnGuard) for an encrypted connection.
   b. Verify the controller is online and an encrypted connection is achieved.

   Note: For more information, refer to Access Panels Folder chapter in the System
   Administration User Guide.

Enable Encryption for a New Controller in an Encrypted System/Segment
Follow this procedure if you have a system/segment previously enabled for
encryption and you want to enable encryption for a new controller.
1. Physically go to the controller. Start the Lenel Controller Encryption
   Configuration Utility and connect to the controller.
2. Verify the controller has the latest AES firmware. If not, download it. Note
   that the controller must have a 256 KB chip before AES firmware can be
   downloaded.
3. Load the keys currently configured for the system/segment.
4. Turn DIP switch 8 ON, if you want to require an encrypted connection.
5. Connect the controller to the OnGuard system.
6. Complete the following (in OnGuard) for each new controller:
   a. Configure the controller for an encrypted connection.
   b. Place the controller online.
   c. Verify an encrypted connection is achieved.


Enable Encryption for an Existing Controller in an Encrypted System/Segment
Follow this procedure if you have a system/segment previously enabled for
encryption and you want to enable encryption for a controller (that already exists
in that system/segment).
1. Verify the controller has the latest AES firmware. If not, download it using
   the OnGuard system. The controller must have a 256 KB chip before AES
   firmware can be downloaded.
2. Complete the following at each controller:
   a. Physically go to the controller. Start the Lenel Controller Encryption
      Configuration Utility and connect to the controller.
   b. The Controller Encryption Configuration Utility window displays. Load
      the keys currently configured for the system/segment.
   c. Turn the controller's DIP switch 8 ON, if you want to require an
      encrypted connection. This is recommended for tight security.
   d. Reconnect the controller to the OnGuard system.

   Note: For more information, refer to the Lenel Controller Encryption
   Configuration Utility located on the OnGuard Installation disc and the
   Access Panels Folder chapter in the System Administration User Guide.

3. Complete the following (in OnGuard) for each controller:
   a. Configure the controller in OnGuard for an encrypted connection.
   b. Verify the controller is online and an encrypted connection is achieved.

Additional Procedures
Switch to a New Master Key
Master key exposure is extremely low over the encrypted connections. The
master key is only used to encrypt an initial session packet in which a random
session key is transferred to the controller. All other packets in a given session
with the controller are encrypted using that session key.
Even installations that wish to protect against an intruder intercepting packets
over a long period of time while trying to break the encryption do not need to
switch master keys very often. Every six months or one year is a reasonable time
frame to address such concerns. If this type of attack is not a concern, the master
keys do not need to be changed at all.
The master key can be switched at any time if there is concern that it has been
compromised.


Activating the Inactive Key without Changing Its Value


The very first time a key switch is made, the administrator may wish to simply
use the master key 2 value that was initially set up in the system and in the
controllers.
Additionally, on subsequent key switches, the administrator may not be
concerned with generating a new key value, but simply may want to switch to the
other master key value previously configured. This may be done if they simply
want to vary the master key value periodically without going to the trouble of
making it unique with each change.
To activate the inactive key without changing its value, the system/segment
simply needs to be modified and the inactive key needs to be made the active key.
All encrypted controllers in that system/segment should remain online with an
encrypted connection.

Updating the Value of the Inactive Key and Making it Active
The following procedure can be used to switch master keys while using a new
master key value.
1. If you want the access control system to randomly generate the new key, the
   first step is to modify the inactive key value in the access control system/
   segment and generate a new random key. Do not activate this key yet.
   Alternatively, if you want to use a pass phrase or manually pick a key, the
   inactive key value can be updated as the first step, or can be updated later.
   Note that the master key values can be exported from the access control
   system to a file. The Controller Encryption Configuration Utility supports
   loading keys from a file. To cut down on possible key exposure, a user may
   also wish to use a pass phrase that they remember and may not wish to use
   the export function.
2. Visit each controller configured for encryption and connect it to the
   Controller Encryption Configuration Utility. Update the inactive master key.

   Important: Do not update the active master key. If this is done, the controller will
   remain offline until the configuration change is made in the access control
   system to activate that key.

3. Connect the controller using its standard access control system connection.
   The controller should come back online with an encrypted connection using
   the currently active master key. Note that if possible, controllers marked
   logically offline in the access control system should be updated as well. This
   will allow them to easily be marked back online in the future.
4. After every controller has been updated, activate the inactive key in the
   access control system/segment. If the new key value was set in the access
   control system in step 1, this is all that is needed. Otherwise, enter the new
   key value in addition to making the inactive key active. After the
   inactive key is made active, the access control system should begin making
   encrypted connections to the controllers using the newly activated master
   key.


Swap Encrypted Controllers in the Field


It is sometimes necessary to replace a controller in the field with a new controller.
If the old controller is configured for encryption, the master key values for that
controller must be loaded into the new controller, prior to bringing the new
controller online with the OnGuard system.
For more information, refer to the Lenel Controller Encryption Configuration
Utility located on the OnGuard Installation disc.

1. Do not connect the new controller to OnGuard yet.
2. Start the Lenel Controller Encryption Configuration Utility and connect to
   the controller.
3. Verify the controller has the latest AES firmware. If not, download it. Note
   that the controller must have a 256 KB chip before AES firmware can be
   downloaded.
4. Load both master key values from the system/segment into the new
   controller. Note that both key values can be exported from the access control
   system into a file (generally on a diskette) and then loaded from that file into
   the Lenel Controller Encryption Configuration Utility. Alternatively, you can
   memorize a pass phrase to load into the keys.
5. Connect the new controller to the OnGuard system. It should come online
   with an encrypted connection using the current active master key.

Note: If it is not possible for an authorized person to load keys into the new
controller prior to bringing it online, the controller in OnGuard must be
changed to a plain connection and DIP switch 8 must be turned OFF at the
controller. Later, you can establish an encrypted connection by following the
steps in Enable Encryption for an Existing Controller in an Encrypted
System/Segment on page 22.

Disable Encryption
If you want to disable encryption for a controller, segment, or system, make sure
DIP switch 8 is OFF at every controller before disabling encryption. Otherwise,
when encryption is disabled in the OnGuard system, an encryption error occurs.

Notes:
In OnGuard systems, controllers are disabled for encryption on the
Encryption sub-tab of the Access Panel form.
Segments are disabled for encryption on the Controller Encryption sub-tab
of the Segments form.
Systems are disabled for encryption on the Controller Encryption form of the
System Options folder.

Mark an Encrypted Controller Back Online


When it is time to mark an encrypted controller back online, make sure it has the
latest key updates before placing it online. For more information, refer to the
Load or Update Master Keys in the Lenel Controller Encryption Configuration
Utility User Guide, located on the OnGuard Installation disc.

Move an Encrypted Controller into a Segment


Complete these procedures to move an encrypted controller into a manual key
management segment.

• Move the controller to the new segment in the OnGuard system.
• If the same values for the master keys are used in all segments, no other
  steps are required. If the master key values (1 or 2) are different in the
  old and new segment, you need to visit any controller that is being
  moved and using the Lenel Controller Encryption Configuration Utility,
  transfer the master key values from the new segment to the controller.

Note: These steps can be done in either order. However, once either step is done,
the controller will be offline with a controller encryption error - master key
mismatch, until the other step is done.

Move an Encrypted Controller While Creating an Encrypted Segment
When a new segment is created and a source segment selected, OnGuard copies
the encryption values from the source segment into the new segment. Thus, if
controllers are moved from the source segment during the segment creation
process, encryption operations are not impacted for those controllers.


Chapter 4: Connection Errors & Corrective Steps
This chapter provides controller encryption errors that may occur, an explanation
of what the error means, steps to correct the error, as well as situations that would
cause the error.

Connection Errors
There are three types of connection errors that can occur: the controller does not
support encryption, the controller requires an encrypted connection, and a master
key mismatch. When any of the errors occur, OnGuard may still be able to
connect with a connection mismatch (that is, either an upgraded or downgraded
connection). For more information, refer to Connection Mismatch and Upgrading
and Degrading Connections on page 30.

Controller Does Not Support Encryption


A controller encryption error stating the controller does not support encryption
occurs when the controller is configured for encryption in OnGuard but does not
have AES firmware.
In this situation, a connection cannot be made without compromising security. By
default, OnGuard will not attempt to make a different type of connection.

Automatic Key Management


In automatic key management segment/systems, however, the administrator can
individually configure controllers to attempt degraded connections by selecting
the Allow next connection to be downgraded check box in the Access Panels
Folder, Encryption sub-tab of System Administration. This can be useful for
physical hardware swaps or when a controller has been marked logically offline
and does not have the latest master key updates. For more information refer to the
Access Panels Folder chapter in System Administration.

Manual Key Management


In manual key management system/segments, you can either configure the
controller for a plain connection or manually update the controller to support
encryption (download AES firmware to the controller using a plain connection
and then transfer the master keys). The most secure way to operate is to manually
update the controller.
If a manual key management system/segment is not configured to allow
downgraded connections, the controller will remain offline in an error state, until
the error is corrected.
If a manual key management system/segment is configured to allow downgraded
connections, you may also get a controller connection mismatch error stating that
the system degraded to a plain connection due to no controller encryption
support.

Controller Requires Encrypted Connection


A controller encryption error stating the controller requires an encrypted
connection occurs when a controller is configured for a plain connection in the
OnGuard system, but the controller requires encryption (has AES firmware and
DIP switch 8 is ON).
To correct this problem, you can either configure the controller for encryption or
disable the encryption requirement by setting DIP switch 8 OFF at the controller.
This error occurs when:

• A new controller is configured for a plain connection, but the controller
  requires encryption (has AES firmware and DIP switch 8 is ON).
• An encrypted controller is online with an encrypted connection, but the
  administrator changes the configuration to a plain connection.
• A controller is configured for a plain connection and is currently online with
  a plain connection. Then, a physical controller swap is made where the new
  controller requires encryption.
• A controller that supports encryption is configured for a plain connection
  and is currently online with a plain connection. Then, DIP switch 8 is turned
  ON.

Notes:
In each of these cases, OnGuard tries to upgrade to an encrypted
connection. If the system is able to bring the controller online, a connection
mismatch is reported. Security is not compromised since an encrypted
connection even with a factory default master key is no less secure than the
configured plain connection.
If none of the master keys exist in the controller, the controller remains
offline with a connection error. This includes the currently active master key
in the system/segment, the currently inactive master key in the system/
segment, and the default master keys.

Master Key Mismatch


A controller encryption error with master key mismatch means the controller is
configured for and supports encryption, but the active master key value in
OnGuard does not match the value in the controller. OnGuard will attempt to
downgrade the connection only if downgraded connections are allowed in the
configuration.
To correct this problem, update the master key values in OnGuard or the controller.

Manual Key Management System/Segments


In manual key management systems/segments, master key mismatch errors occur
when:

• The master key loaded into the controller and OnGuard do not match.
• The wrong master key (1 or 2) is updated in OnGuard or the controller.
• A new master key is activated in the OnGuard system, but the controller is
  not updated.
• The active master key is updated in OnGuard and the controller is placed
  back on the standard OnGuard connection without OnGuard being updated.
• Encryption is enabled for a controller (in a segment) prior to loading the
  master keys into that controller.
• A physical controller swap is made where the new controller supports
  encryption (like the old controller) but the master key values were not loaded
  into the new controller.
• An encrypted controller does not receive master key updates while it is
  offline. When the controller is marked back online, a connection problem
  occurs.

Notes:
If the manual key management system/segment is configured to allow
downgraded connections, the system/segment attempts to degrade the
connection. If successful, the system/segment reports a connection mismatch
error with details that depend on the type of connection that was made.
If a manual key management system/segment is not configured to allow
downgraded connections, the controller will remain offline in an error state,
until the error is corrected.

Automatic Key Management System/Segments


In automatic key management segments, master key mismatch connections are
automatically corrected, whenever possible. If a controller continues to have a
master key mismatch error, it is because OnGuard has not tried to degrade the
connection or the controller does not contain the inactive master key or factory
default master key (1 or 2).
To correct this problem, configure the controller to allow the next connection to
be downgraded, and/or set DIP switch 8 OFF at the controller. When OnGuard
achieves a degraded plain connection, it will automatically correct the connection
by transferring the active master key to the controller and switching to an
encrypted connection with the active master key. At this point, DIP switch 8 can
be set ON, if desired.
This situation occurs when:

• A physical controller swap is made with a new controller that supports
  encryption but does not have the proper master keys loaded into it.
• An encrypted controller was marked logically offline when master key
  updates were made. Therefore, the controller does not have the latest key
  updates. If it is marked back online, the keys will not match.

Connection Mismatch
A connection mismatch error means a connection was made between the
controller and the OnGuard system, however the connection was made by
upgrading or downgrading the connection. For more information, refer to
Upgrading and Degrading Connections on page 30.


To correct this problem, both OnGuard and the controller must agree on the type
of connection that is to be made (encrypted with the same master key or plain).

Notes:
If a controller is online with a connection mismatch error and the system/
segment is then changed so that downgraded connections are not allowed,
the system drops the degraded connection and displays a master key
mismatch error if the original problem was a key mismatch. However, if the
original problem was that the controller does not support encryption, the
controller will return to that error.
If the system upgrades the connection (due to the controller requiring
encryption), then changing the degraded connections setting has no bearing.
Turning it on or off does not change the system status.

Upgrading and Degrading Connections


Each time a connection error occurs, OnGuard tries to upgrade or degrade the
connection regardless of how the error occurred. In order for the system to
degrade connections, it must be configured to allow downgraded connections.
Automatic key management systems/segments are configured to allow
downgraded connections on an individual controller basis. Manual key
management systems/segments are configured to allow downgraded connections
on a system/segment wide basis. No special configurations are required for
upgrading connections.

Upgrade Connections
Upgraded connections are always attempted when a controller requires
encryption but has been configured in OnGuard for a plain connection.
System/segments attempt upgraded connections in the following order:
1. If the system/segment is configured for encryption, an upgraded connection
   is attempted using the current active master key.
2. If the system/segment is configured for encryption, an upgraded connection
   is attempted using the current inactive master key.
3. An upgraded connection is attempted using the factory default value for
   master key 1.
4. An upgraded connection is attempted using the factory default value for
   master key 2.

Degrade Connections
Degraded connections are attempted when there is a connection error due to a
controller not supporting encryption or due to a master key mismatch.


Notes:
Manual key management system/segments must be configured to allow
downgraded connections for the system/segment to degrade a connection.
Individual controllers in automatic key management system/segments must
be configured to allow downgraded connections for the system/segment to
degrade a connection.

System/segments attempt degraded connections in the following order:
1. A degraded connection is attempted using an encrypted connection with the
   inactive master key.
2. A degraded connection is attempted using an encrypted connection with the
   factory default value for master key 1.
3. A degraded connection is attempted using an encrypted connection with the
   factory default value for master key 2.
4. If the controller does not require an encrypted connection, a degraded
   connection is attempted using a plain connection.
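
The upgrade and degrade attempt orders listed above can be modelled as a small decision function, which shows what a given combination of OnGuard settings and controller state falls back to (for example, a swapped-in controller that still holds its factory default keys). This is an added example, not Lenel code, and it covers only the attempt order, not the automatic key transfer that follows in automatic key management. The class and function names, the placeholder key values, and the simplification that a controller accepts any key held in one of its two master key slots are assumptions.

```python
from dataclasses import dataclass
from typing import NamedTuple, Optional

# Constructed placeholders: the guide does not publish the factory default values.
DEFAULT_MK1 = "factory-default-1"
DEFAULT_MK2 = "factory-default-2"


@dataclass(frozen=True)
class Controller:
    aes_firmware: bool
    dip8_on: bool                       # ON = encrypted connection required
    keys: frozenset = frozenset({DEFAULT_MK1, DEFAULT_MK2})  # two key slots

    @property
    def requires_encryption(self) -> bool:
        return self.aes_firmware and self.dip8_on


@dataclass(frozen=True)
class HostConfig:
    encrypted: bool                     # connection type configured for the controller
    allow_downgrade: bool = False
    active_key: Optional[str] = None    # None = system/segment not set up for encryption
    inactive_key: Optional[str] = None


class Result(NamedTuple):
    online: bool
    link: Optional[str]                 # what the connection actually uses
    error: Optional[str]                # error or mismatch reported, if any


def _accepts(ctl: Controller, key: Optional[str]) -> bool:
    """Assumption: an encrypted connection works if the controller holds the key."""
    return ctl.aes_firmware and key is not None and key in ctl.keys


def connect(cfg: HostConfig, ctl: Controller) -> Result:
    fallbacks = [("inactive master key", cfg.inactive_key),
                 ("default master key 1", DEFAULT_MK1),
                 ("default master key 2", DEFAULT_MK2)]

    if not cfg.encrypted:
        if not ctl.requires_encryption:
            return Result(True, "plain", None)
        # Upgrade order: active, inactive, default 1, default 2.
        for label, key in [("active master key", cfg.active_key)] + fallbacks:
            if _accepts(ctl, key):
                return Result(True, label, "connection mismatch (upgraded)")
        return Result(False, None, "controller requires encrypted connection")

    if _accepts(ctl, cfg.active_key):
        return Result(True, "active master key", None)

    error = ("master key mismatch" if ctl.aes_firmware
             else "controller does not support encryption")
    if cfg.allow_downgrade:
        # Degrade order: inactive, default 1, default 2, then plain if permitted.
        for label, key in fallbacks:
            if _accepts(ctl, key):
                return Result(True, label, "connection mismatch (degraded)")
        if not ctl.requires_encryption:
            return Result(True, "plain", "connection mismatch (degraded)")
    return Result(False, None, error)


if __name__ == "__main__":
    # Constructed scenario: segment keys K-A/K-B, replacement controller with defaults.
    new_ctl = Controller(aes_firmware=True, dip8_on=True)
    for allow in (False, True):
        cfg = HostConfig(True, allow, active_key="K-A", inactive_key="K-B")
        print(f"allow_downgrade={allow}: {connect(cfg, new_ctl)}")
```

With downgrades allowed, the replacement controller comes online on a factory default key, which is why the guide recommends changing both master keys from their defaults and using the downgrade option sparingly.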

Manual Key Management System/Segments


For manual key management system/segments, encryption degradation is
configured on a system/segment wide basis. This option should not be heavily
used; it reduces the security that manual key management provides. However, an
administrator may choose to use this option when initially setting encryption up
to ensure smooth operation while becoming familiar with the process. An
alternative to using this option is to temporarily change the configuration (for a
controller having problems) in OnGuard from an encrypted connection to a plain
connection.

Automatic Key Management System/Segments


For automatic key management systems/segments, encryption degradation is
configured on a per controller basis in the Encryption sub-tab of the Access
Panels form in System Administration. When degradation is allowed, it is
automatically cleared when the system gets the controller online. This is because
in automatic key management, once the controller does come online over a
degraded connection, the system automatically downloads the current active
master key to the controller and switches to the proper configured encrypted
connection (unless the controller does not contain AES firmware). Thus,
configured degradation is only used for the next connection with the controller.

Note: In automatic key management system/segments, when encryption is first
enabled for a controller, the system automatically configures the controller
for a downgraded connection. This is because the active master key must be
downloaded to the controller prior to the encrypted connection being
achieved.


Master Key Updates in Automatic Key Management System/Segments
In automatic key management system/segments, OnGuard automatically
transfers the active master key when encryption is first enabled on a given
controller or whenever a master key change is made at the system/segment level.
Between the time the configuration change is made and the new master key is
successfully transferred to a given controller, the previous connection is kept
with that controller. During this time, the system indicates there is a pending key
update for the controller on the Encryption tab of the LNL-2000, LNL-1000, or
LNL-500 Access Panel tab (in System Administration). This status can also be
seen in the controller's Properties dialog in Alarm Monitoring. The Master Key
Update Pending field displays with a value of True.
For a controller that is currently online, the key transfer process normally
completes within seconds. For a controller that is currently offline, the key
transfer process waits until the next time the controller comes online.
If there are pending master key updates for any controllers configured for
encryption and marked logically online in an automatic key management system/
segment, any subsequent master key modifications are disallowed by the system.
The previous update must complete before a subsequent update can be done.

Live Status in Alarm Monitoring and Reported Events


Alarm Monitoring indicates the following encryption related statuses:

• Whether the current connection to a Lenel controller is plain or encrypted.
  This is indicated via separate icons on the system status and map views as
  well as through additional text that can be viewed in the Properties dialog
  (right-clicking a Lenel controller and selecting Properties). For more
  information, refer to Online with Configured Connection on page 34.

  Note: Operators must have permission to view encryption information, otherwise
  the standard icon for a plain connection displays in Alarm Monitoring
  regardless of the type of connection used.

• Whether a controller is offline due to an encryption problem. This is
  indicated via separate icons on the system status and map views, as well as
  reported events, current device status text, and through additional text that
  can be viewed in the Properties dialog.
• Whether a controller is online but the current connection does not match the
  configured connection. This is indicated via separate icons on the system
  status and map views, as well as reported events, current device status text,
  and through additional text that can be viewed in the Properties dialog.

The following icons display in the System Status window and as default state
icons in the map view for the access controller group:


[Icon] Indicates the access controller is online with a plain connection, or
the access controller is online and the user is not allowed to know whether the
connection is plain or encrypted.

[Icon] Indicates the access controller is online with an encrypted connection.

[Icon] Indicates the access controller is online but the current connection
does not match the configured connection.

[Icon] Indicates the access controller is offline due to a standard connection
problem.

[Icon] Indicates the access controller is offline due to an encryption problem.

[Icon] Indicates the dialup access controller is online with a plain
connection, or the dialup access controller is online and the user is not
allowed to know whether the connection is plain or encrypted.

[Icon] Indicates the dialup access controller is online with an encrypted
connection.

[Icon] Indicates the dialup access controller is online but the current
connection does not match the configured connection.

[Icon] Indicates the dialup access controller is offline due to a standard
connection problem.

[Icon] Indicates the dialup access controller is offline due to an encryption
problem.

Offline Due to Encryption Problem


If a controller is offline due to an encryption problem, Alarm Monitoring does
the following, in addition to showing the proper icon:

• Alarm Monitoring displays an encryption error in the current device status
  for the controller.

• A controller encryption error event is reported. Associated text in the event
  indicates the details of the error.

• If the controller's Properties dialog is brought up in Alarm Monitoring, the
  details of the error can also be viewed.

The details of the error will be one of the following:

• Controller requires an encrypted connection - indicates a plain
  connection has been configured but the controller requires an encrypted
  connection.

• Controller does not support encryption - indicates an encrypted
  connection has been configured but the controller does not support
  encryption.

• Master key mismatch - indicates the master key configured in OnGuard
  does not match the key that is in the controller.


Online with a Connection Mismatch


OnGuard only attempts to get a controller online with a non-configured
connection if the controller is configured to allow the next connection to be
downgraded (in automatic key management system/segments) or the
system/segment is configured to allow downgraded connections (in manual key
management system/segments).

When a controller is online, but the connection was degraded and thus does not
match the configured connection, Alarm Monitoring does the following in
addition to showing the proper icon:

• Displays encryption connection mismatch in the current device status for
  the controller.

• Reports a controller connection mismatch event. Associated text in the event
  indicates the details of the mismatch.

• If the controller's Properties dialog is brought up in Alarm Monitoring, the
  details of the mismatch can be seen and will be one of the following:

  • Degraded to plain connection due to master key mismatch - indicates an
    encrypted connection was configured but could not be achieved due to a key
    mismatch. OnGuard degraded to a plain connection to get the controller
    online.

  • Degraded to plain connection due to no controller encryption support -
    indicates an encrypted connection was configured but could not be achieved
    because the controller does not support encryption. OnGuard degraded to a
    plain connection to get the controller online.

  • Controller requires an encrypted connection - indicates a plain
    connection was configured, but the controller requires an encrypted
    connection. OnGuard was able to get the controller online by using an
    encrypted connection.

  • Encrypted with inactive master key due to active master key mismatch -
    indicates an encrypted connection was configured but could not be achieved
    with the current active master key due to a key mismatch. OnGuard was able
    to get the controller online by using the inactive master key.

  • Encrypted with default master key due to active master key mismatch -
    indicates an encrypted connection was configured but could not be achieved
    with the current active master key due to a key mismatch. OnGuard was able
    to get the controller online by using the factory default master key.

Online with Configured Connection


When the controller is online with the configured connection, Alarm Monitoring
displays the proper icon to indicate whether the current connection is plain or
encrypted, as long as the operator has permissions to view this information.
Otherwise, the standard icon used for a plain connection will be used.

If the controller's Properties dialog is brought up and the operator has
permissions to view encryption information, the Connection Type field will
indicate the type of connection (encrypted or plain). If the operator does not have
permissions to view encryption information, the Connection Type field does not
display.
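
A simplified model of the outcomes described in this chapter, added here as an illustration and not OnGuard code: it maps the configured connection, controller capability and downgrade setting to the status text Alarm Monitoring reports, and lists controllers configured for encryption that are online in plain text or on the factory default master key. The Controller fields, the sample fleet, and the order in which fallback keys are tried before plain are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Controller:
    name: str
    configured: str            # "plain" or "encrypted"
    supports_encryption: bool
    requires_encryption: bool  # controller refuses plain connections
    held_key: str              # "active", "inactive", "default" or "other"
    allow_downgrade: bool      # downgraded connection permitted

REQ = "Controller requires an encrypted connection"
TO_PLAIN = "Degraded to plain connection due to "

def outcome(c):
    """Return (state, detail, link); detail strings are the ones in the guide."""
    if c.configured == "plain":
        if not c.requires_encryption:
            return ("online", "", "plain")
        return ("mismatch", REQ, "encrypted") if c.allow_downgrade else ("offline", REQ, None)
    if not c.supports_encryption:
        if c.allow_downgrade:
            return ("mismatch", TO_PLAIN + "no controller encryption support", "plain")
        return ("offline", "Controller does not support encryption", None)
    if c.held_key == "active":
        return ("online", "", "encrypted")
    if not c.allow_downgrade:
        return ("offline", "Master key mismatch", None)
    # Assumption: the inactive or default key is used before falling back to plain.
    if c.held_key in ("inactive", "default"):
        return ("mismatch", f"Encrypted with {c.held_key} master key due to "
                "active master key mismatch", c.held_key + " key")
    return ("mismatch", TO_PLAIN + "master key mismatch", "plain")

def exposed(fleet):
    """Encryption-configured controllers online in plain text or on the default key."""
    results = [(c, outcome(c)) for c in fleet if c.configured == "encrypted"]
    return [(c.name, o[1]) for c, o in results if o[2] in ("plain", "default key")]

# Constructed sample fleet; controller names are hypothetical.
FLEET = [
    Controller("lobby", "encrypted", True, False, "active", False),
    Controller("dock", "encrypted", True, False, "other", True),
    Controller("annex", "encrypted", False, False, "other", True),
    Controller("vault", "encrypted", True, False, "default", True),
    Controller("gate", "encrypted", True, False, "other", False),
]
if __name__ == "__main__":
    print(exposed(FLEET))
```

With downgrades disallowed ("gate"), a key mismatch keeps the controller offline instead of exposing traffic, which is why it does not appear in the result.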


Lenel Systems International, Inc.


1212 Pittsford-Victor Road
Pittsford, New York 14534 USA
Tel 585.248.9720 Fax 585.248.9185
www.lenel.com
docfeedback@lenel.com
