• Documentation
  • Edge Security

Edge Security


EnOS Edge, as part of EnOS, fully complies with the EnOS security standards and protection rules, implementing security control such as the following:

  • Access security
  • Device security
  • Communication security
  • Safe scanning and certification
  • Authority control

Access Security

When accessing EnOS, EnOS Edge supports the following authentication mode to ensure that the device is unique and the identity is legal:

  • One-way authentication based on the key:
    • Static authentication: Each device burns its triple (Product Key, Device Key, and Device Secret). Then after the device is authenticated using the burned triple, the access operation is completed.
    • Dynamic authentication: Devices use Product Key, Product Secret, and Device Key for authentication and access. After passing authentication, EnOS returns Device Secret to the device. In the subsequent access operations, the device uses its triple for authentication.
  • Certificate-based two-way authentication: Support the X.509 certificate service. This means that all communication sessions between EnOS Edge and IoT Hub enforce two-way authentication based on the X.509 certificate.

Device Security

Edge supports encrypting the hardware with TPM chips, which helps to securely store client certificates. The RSA private keys generated by the TPM chip are stored in the TPM chip itself, while the private key tags and public keys are stored in rsa.tss files.


The private keys can never be taken out from the TPM chip. The encrypted files cannot be decrypted except by combining the local TPM chip and rsa.tss files, which ensures a high level of security.


Meanwhile, EnOS Edge supports gateway deployment. And through physical isolation and protocol conversion, the Edge supports one-way transmission control of both hardware and software.

Communication security

EnOS Edge supports many standard industrial communication protocols, most of which ensure data and communication security, such as DDS and OPC protocols.


The OT network connects with the cloud network using the specific firewall. You can set the firewall and the network access control to protect devices and data in the OT network.


Also, the Edge supports VPN (Virtual Private Network). You can establish a virtual private network in public networks, which means data can be encrypted to ensure data security.

Access Control

Edge users’ access permissions can be managed from EnOS Cloud. Log auditing is also provided in Edge. The operations and changes by all users are recorded in the audit logs and uploaded to the cloud.

Safe Scanning and Certification

EnOS Edge has a Nsfocus Security Scan Report and uses Nessus to scan system interface and configuration.


Also, EnOS Edge uses Sonar and Fortify to scan the static code.

Authority Control

Based on RBAC (Role-based Access Control), the multi-to-multi authorization system uses roles to distinguish permissions, persons to link roles, achieving safe authority control for function usage and data access.

  • Account unique: The Edge creates the globally unique identifier for each system user based on the account.
  • Access control: The permission system manages the role and user, achieving access security.