Skip to content

Add AES authentication and encryption

To control access to readers and protect host-reader communication, we recommend you set up authentication and encryption. This allows you to manage a host application's access permissions, require the host to authenticate with the readers, and establish an encrypted connection. For non-Ethernet readers, we recommend you implement authentication and encryption based on the Advanced Encryption Standard (AES). Our readers support the variant AES-128.


  • BALTECH tools such as ToolSuite currently do not support AES, i.e. you can no longer use them for testing or maintenance as soon as readers are configured for AES authentication and encryption.

  • For Ethernet readers , we recommend PKI authentication and encryption instead of AES. If you do prefer to use AES, please order a custom configuration from us.

Concept of "security levels"

So that you can grant different permissions to different applications, we use the concept of "security levels": To each level, you assign its own encryption key and an individual set of permissions. For example, one level may include full access to cards and control over I/O ports, while another level may only include read access to cards.

How many security levels do I need?

You can define up to 3 security levels. However, if you only have 1 application, or want to give the same permissions to all applications, you only need to define 1 security level.

Are security levels based on each other?

No, each security level is defined individually, i.e. permissions you want to assign to multiple levels must be explicitly added to each of them. An exception is level 3: It is automatically assigned full permissions.

Plain communication

In general, all plain communication is blocked once a reader is configured for AES authentication and encryption. However, there are certain operations that can still be performed via plain communication:

  • Retrieve reader info, e.g. firmware version or boot status
  • Custom exceptions, e.g. factory reset via USB HID and RS-232/UART, or other execeptions you can define for individual host protocols
Diagram: The concept of security levels when configuring a BALTECH reader for AES encryption and authentication


Configure the readers

To define security levels and corresponding keys as well as custom exceptions for plain communication, add the component AES Authentication and Encryption to your configuration.

Establish connection

You can now establish an authenticated and encrypted connection from your host application, specifying the number and encryption key of the respective security level.