Not your keys, not your hardware

Why you should request AES encryption keys when buying IoT meters and what true ownership means in practice

AES encryption protects your data. But without the keys, you don’t really own the device. This article explains why requesting encryption keys matters when purchasing IoT meters, and how it gives you full control over data, integration, and long-term independence.

It all started with a cipher. In 1997, Belgian cryptographers Joan Daemen and Vincent Rijmen entered a competition held by the U.S. National Institute of Standards and Technology (NIST). Their submission, Rijndael, not only won, it became the basis for what we know today as AES (Advanced Encryption Standard). It was the first publicly available cipher adopted by the U.S. National Security Agency (NSA) for encrypting classified documents.

AES has since become one of the most trusted encryption standards worldwide. Even its “lightest” version, AES-128, is mathematically so strong that brute-forcing it would require 2128 attempts – an astronomical number beyond any real-world threat. At the same time, AES is fast and computationally efficient, which makes it ideal for large-scale use in modern IT and IoT environments.

The weak point of AES? The ownership of the key

Every encryption method has a weak spot. And in the case of AES, it’s the key. It’s the one thing that allows you to encrypt and decrypt your data. If you don’t have access to the key, you don’t have full access to your data either. This is particularly relevant in the IoT world. You may own the physical hardware, but without the AES keys, you depend on whoever holds them. Your data is routed through someone else’s infrastructure, and you have no way to independently verify what’s delivered or who else might access it.

It doesn’t necessarily imply bad intentions. Manufacturers or providers might withhold keys to reduce complexity or manage security risks for less technical users. Still, the result is the same. You lose control over:

  • Your data
  • Your hardware
  • Your choice of service provider

Why owning the AES encryption keys matters

If you do hold the keys, the benefits are substantial. You gain real ownership and control. Here’s what that looks like in practice:

  • Direct access to your data: You can independently verify what your device records and control who can access it.
  • Freedom to integrate and customise: You’re free to connect the device to your own system, extend its functionality or use it beyond the original ecosystem.
  • The ability to switch service providers: You’re not locked into one platform or cloud – change providers when it suits you.
  • Stronger negotiating power: When you hold the keys, you set the terms. Not your vendor.

Holding the keys doesn't mean you're on your own

Prefer a fully managed service? That’s fine too. Owning the keys doesn’t mean you're left alone, just that you have a choice. At ACRIOS, we enable AES encryption (AES-CBC and AES-CTR) across all our devices, including wM-Bus and M-Bus converters. Our customers always have the option to keep the keys for themselves. And if they prefer, we can still manage data collection and delivery for them. It’s entirely up to the user.

How to get AES encryption keys for your IoT hardware

Want encryption on your terms? Here’s what to do:

  1. Check what security options your device supports. AES is the de facto standard. If your hardware doesn’t offer it, look elsewhere.
  2. Ask for the encryption keys at time of purchase. At ACRIOS, we generate keys as a combination of device ID and message sequence number and we can deliver them directly to the customer.
  3. Protect your keys. Key security is everything. Whoever holds the key holds access to your data.

FAQs about owning AES keys

Is AES encryption mandatory?

Not always, but it’s widely adopted and increasingly required by legislation, like the EU Cyber Resilience Act (CRA) or the UK PSTI regulation.

Can I use a device without owning the keys?

Yes, but you’ll be dependent on your provider’s infrastructure, with no independent access or verification.

Do I have to manage everything myself if I hold the keys?

Not at all. You can still use vendor-managed services while retaining ownership. It just gives you more control and flexibility.

Want full control over your encrypted devices? We’ll help you get started. Ask us about our AES-encrypted converters and how you can own the keys. Get in touch.
No items found.
Blog
I will be happy to discuss everything with you.
Lukáš Smetana
CSO
Thank you for your inquiry. We will address it as soon as possible.
Oops! Something went wrong while submitting the form.