Trident IoT SDK
Security

As of 2025-10-22, the following information applies to the Z-Wave chip and SDK.

Encryption

By default, the build system encrypts the application firmware update image with a temporary key generated during the first build. The temporary encryption key can be found in temp_keys/ in the root of the build directory.

A custom encryption key can be set using ZWSDK_CONFIG_ENCRYPTION_KEY_PATH.

Secure boot

Secure boot is closely tied to readback protection because both rely on some of the same mechanisms.

For activation of secure boot and readback protection, see Activation.

Secure boot executes in two steps:

  1. On power-on-reset or hardware reset, the Boot ROM verifies the bootloader signature and jumps to the bootloader on successful verification.
  2. The bootloader then verifies the application signature and jumps to the application on successful verification.

Signing keys

The first of the above two steps requires two different key pairs:

  • Private and public root keys, and
  • Private and public bootloader keys.

The root key pair is used to sign and verify the bootloader public key.

The bootloader key pair is used to sign and verify the bootloader.

The second step would require yet another key pair, but the Z-Wave SDK reuses the bootloader key pair for this purpose. The build system also uses this same key pair to sign firmware update images.

The build system takes care of signing the bootloader and the application, and by default, it uses a set of temporary keys located in the same temp_keys/ directory as the temporary encryption key.

Custom root signing keys can be set using:

  • ZWSDK_CONFIG_PRIVATE_ROOT_SIGNING_KEY_PATH
  • ZWSDK_CONFIG_PUBLIC_ROOT_SIGNING_KEY_PATH

Custom bootloader (and application) signing keys can be set using:

  • ZWSDK_CONFIG_PRIVATE_SIGNING_KEY_PATH
  • ZWSDK_CONFIG_PUBLIC_SIGNING_KEY_PATH

See Build System Customization.

Readback protection

Readback protection disables reading from the flash and therefore also disables debugging. However, flash access and debugging can be enabled temporarily.

Debugging keys

Debugging or accessing the flash when readback protection is activated requires an additional key pair.

Generate a private key by running:

openssl ecparam -genkey -name prime256v1 -noout -out private_debug_key.pem

Derive a public key from the private key by running:

openssl ec -inform PEM -in private_debug_key.pem -outform DER -pubout -out public_debug_key.der
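
Because activation cannot be undone, it is worth confirming that the two files above belong together before the public debugging key is written to a device. The script below is an added example, not part of the Trident IoT SDK: it checks that the private key is on prime256v1 and that the DER public key verifies a signature made with it. The helper name check_debug_keypair and the use of SHA-256 for the round trip are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Trident IoT SDK code). check_debug_keypair is a
# hypothetical helper; the file names follow the commands on this page.
# Returns 0 = pair is consistent
#         1 = public key does not match the private key
#         2 = a key file is unreadable or the private key is not prime256v1
check_debug_keypair() {
    _priv=$1
    _pub_der=$2
    _work=$(mktemp -d) || return 2
    _rc=0

    # 1. The private key must parse and use the curve named on this page.
    if ! openssl ec -in "$_priv" -noout -text 2>/dev/null |
            grep -q 'ASN1 OID: prime256v1'; then
        _rc=2
    # 2. The DER public key must parse; keep a PEM copy for step 3.
    elif ! openssl ec -pubin -inform DER -in "$_pub_der" \
            -out "$_work/pub.pem" 2>/dev/null; then
        _rc=2
    else
        # 3. Round trip: sign a fresh random challenge with the private key
        #    and verify it with the public key that will go onto the chip.
        openssl rand -out "$_work/challenge" 32
        if ! openssl dgst -sha256 -sign "$_priv" \
                -out "$_work/sig" "$_work/challenge" 2>/dev/null ||
           ! openssl dgst -sha256 -verify "$_work/pub.pem" \
                -signature "$_work/sig" "$_work/challenge" >/dev/null 2>&1
        then
            _rc=1
        fi
    fi

    rm -rf "$_work"
    return "$_rc"
}

# Script use: sh check_debug_keypair.sh private_debug_key.pem public_debug_key.der
if [ "$#" -eq 2 ]; then
    check_debug_keypair "$1" "$2" && echo "debug key pair OK"
fi
```
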

Activation

Activating readback protection also activates secure boot.

Important
Activation of secure boot and readback protection cannot be undone!

Checklist before activating secure boot and readback protection:

  1. Build with custom keys.
  2. Flash signed bootloader and signed application.
  3. Write the public root key.
    • Which tool?
  4. Write the public ADAC/debugging key.
    • Which tool?
  5. Verify the validity of the bootloader signature.
    • Which tool?
  6. Set the Lifecycle register.
    • Which tool?

Temporary access

Once readback protection has been activated, temporary access can be obtained by performing the following step:

  • Enable temporary access.
    • Which tool?