MeshCore encryption details
Everything about AES-256 encryption, PSK key management, the security model and per-channel encryption in MeshCore mesh networks
How MeshCore secures your data
MeshCore uses AES-256 encryption to secure messages. This is the same military-grade encryption used by banks and governments. Each channel can have its own PSK (Pre-Shared Key) for private communication.
The MeshCore security model is based on symmetric encryption: everyone with the PSK can encrypt and decrypt messages. This is simple but effective for mesh networks where you have a closed group.
In this technical guide we explain how the encryption works, how you manage keys, what security measures exist, and what the limitations are. Understand the security trade-offs before setting up an encrypted network.
Security layers in MeshCore
Channel encryption (AES-256)
Each channel can be encrypted with a PSK. Messages are encrypted before they go out over the radio, and only nodes holding the correct PSK can read them.
Device-level keys
Each device has a unique device key for admin functions. This prevents random people from reconfiguring your node, even on a public channel.
Admin channel security
Admin channels always have a separate PSK. Remote configuration is only possible for authorized nodes with the admin key.
AES-256-CTR encryption
MeshCore uses AES-256 in CTR mode (Counter Mode). This is a stream cipher that works efficiently on low-power embedded devices. Each packet gets a unique counter value as initialization vector (IV).
Encryption process:
1. PSK (256-bit) + packet counter (IV) → AES-CTR keystream
2. Plaintext payload XOR keystream → ciphertext
3. Ciphertext + counter sent over radio
4. Receiver: AES-CTR decryption with the same PSK + counter → plaintext
The advantage of CTR mode is that encryption and decryption are the same operation (XOR). This is fast on ESP32 chips that have hardware AES acceleration. The 256-bit key is extremely difficult to brute-force (would take billions of years).
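The four steps above, written out as an added Go example; this is not MeshCore's own code. It uses the standard library's crypto/aes and crypto/cipher, and the Packet struct, the 16-byte IV layout (8 zero bytes followed by the big-endian packet counter) and the constant 0x42-filled demo key are assumptions made for the example, not MeshCore's wire format. One function does both encryption and decryption, which is the CTR property the text describes. The last function shows the defender's reason the counter must never repeat under one PSK: with a reused counter the XOR of two ciphertexts equals the XOR of the two plaintexts, so a passive listener learns about the payloads without the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Packet carries the ciphertext together with the counter used as IV, as the
// page describes (ciphertext + counter sent over radio). Field names are assumed.
type Packet struct {
	Counter uint64
	Cipher  []byte
}

// counterIV turns the packet counter into the 16-byte CTR initial block.
// Layout is an assumption for this example: 8 zero bytes, then the counter
// in big-endian order. The real wire format is not described on the page.
func counterIV(counter uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], counter)
	return iv
}

// ctrXOR XORs data with the AES-256-CTR keystream derived from (psk, counter).
// The same call encrypts and decrypts, which is the CTR property the text notes.
func ctrXOR(psk []byte, counter uint64, data []byte) ([]byte, error) {
	if len(psk) != 32 {
		return nil, errors.New("PSK must be 32 bytes (256 bits) for AES-256")
	}
	block, err := aes.NewCipher(psk)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, counterIV(counter)).XORKeyStream(out, data)
	return out, nil
}

// Encrypt is the sender side (steps 1-3): keystream from PSK + counter, XOR
// with the payload, and the counter travels alongside the ciphertext.
func Encrypt(psk []byte, counter uint64, plaintext []byte) (Packet, error) {
	ct, err := ctrXOR(psk, counter, plaintext)
	if err != nil {
		return Packet{}, err
	}
	return Packet{Counter: counter, Cipher: ct}, nil
}

// Decrypt is the receiver side (step 4): rebuild the keystream from the same
// PSK and the received counter, then XOR it away again.
func Decrypt(psk []byte, p Packet) ([]byte, error) {
	return ctrXOR(psk, p.Counter, p.Cipher)
}

// CounterReuseLeak shows why the counter must be unique per packet under one
// PSK. If two packets share (psk, counter) they share a keystream, so XORing
// the two ciphertexts cancels it and yields p1 XOR p2. A passive listener can
// compute this without ever knowing the key.
func CounterReuseLeak(psk []byte, counter uint64, p1, p2 []byte) ([]byte, error) {
	c1, err := ctrXOR(psk, counter, p1)
	if err != nil {
		return nil, err
	}
	c2, err := ctrXOR(psk, counter, p2)
	if err != nil {
		return nil, err
	}
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	leak := make([]byte, n)
	for i := range leak {
		leak[i] = c1[i] ^ c2[i]
	}
	return leak, nil
}

func main() {
	// Constructed demo key: a fixed 32-byte value. Never use a fixed key in practice.
	psk := bytes.Repeat([]byte{0x42}, 32)
	pkt, _ := Encrypt(psk, 7, []byte("hello mesh"))
	back, _ := Decrypt(psk, pkt)
	fmt.Printf("counter=%d ciphertext=%x plaintext=%q\n", pkt.Counter, pkt.Cipher, back)

	wrong := bytes.Repeat([]byte{0x43}, 32)
	garbage, _ := Decrypt(wrong, pkt)
	fmt.Printf("wrong PSK yields %x\n", garbage)

	leak, _ := CounterReuseLeak(psk, 7, []byte("attack"), []byte("defend"))
	fmt.Printf("reused counter leaks p1 XOR p2 = %x\n", leak)
}
```

Note that plain CTR mode gives confidentiality only: nothing in this block detects a flipped ciphertext bit or a replayed packet, so a receiver that cares about integrity needs a separate check on top of what the page describes.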
PSK key management
Key generation
PSKs are 256-bit (32-byte) random keys, usually displayed as a base64 or hex string. Generate them with a cryptographically secure random generator, not with something like "password123"!
Key distribution
PSKs must be shared securely with group members, for example via QR code, USB configuration, or another secure channel. Never send keys over unencrypted radio or the public internet.
Key rotation
Change the PSK periodically as a security best practice, and especially when group members leave. MeshCore supports multiple keys simultaneously for a smooth transition.
Default keys
Primary channel often has no PSK (public). Secondary channels usually use custom PSKs. There is a standard "AQ==" key but it's insecure because everyone knows it!
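The key-management points above (generation, display format, rotation with overlapping keys, and the insecure default) as an added Go example. This is not MeshCore's code: it assumes only what the page states, namely 32-byte keys shown as base64 or hex and a well-known default string "AQ==" that must never protect a private channel. The KeyRing type, the ParsePSK helper and the "all bytes identical" check are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// PSKLen is the key length the page specifies: 256 bits.
const PSKLen = 32

// knownWeak holds PSK strings that must never protect a private channel.
// "AQ==" is the well-known default named on the page; any further entries
// would be an assumption for this example.
var knownWeak = map[string]bool{"AQ==": true}

// GeneratePSK draws 32 bytes from the OS CSPRNG (crypto/rand), never from
// math/rand or a human-chosen passphrase.
func GeneratePSK() ([]byte, error) {
	k := make([]byte, PSKLen)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// EncodeBase64 and EncodeHex render a key the way the page says keys are displayed.
func EncodeBase64(k []byte) string { return base64.StdEncoding.EncodeToString(k) }
func EncodeHex(k []byte) string    { return hex.EncodeToString(k) }

// ParsePSK accepts either display form. A 64-character hex string is tried
// first, because every hex string is also valid base64 and would otherwise
// decode to the wrong bytes.
func ParsePSK(s string) ([]byte, error) {
	if len(s) == 2*PSKLen {
		if k, err := hex.DecodeString(s); err == nil {
			return k, nil
		}
	}
	k, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("PSK is neither hex nor base64: %w", err)
	}
	return k, nil
}

// ValidatePSK rejects keys that would leave a "private" channel readable by
// anyone: the public default, a wrong length, or a degenerate constant key.
func ValidatePSK(s string) error {
	if knownWeak[s] {
		return errors.New("well-known default key; everyone can decrypt")
	}
	k, err := ParsePSK(s)
	if err != nil {
		return err
	}
	if len(k) != PSKLen {
		return fmt.Errorf("key is %d bytes, AES-256 needs %d", len(k), PSKLen)
	}
	for _, b := range k[1:] {
		if b != k[0] {
			return nil
		}
	}
	return errors.New("all key bytes identical; not a random key")
}

// KeyRing models the page's "multiple keys simultaneously" rotation: the new
// key becomes current and the old one stays accepted until RetireOld is called.
type KeyRing struct {
	Current  []byte
	Previous []byte
}

// Rotate installs a freshly generated key and keeps the old one for the
// transition window. Do this when a member leaves or a leak is suspected.
func (r *KeyRing) Rotate() error {
	k, err := GeneratePSK()
	if err != nil {
		return err
	}
	r.Previous, r.Current = r.Current, k
	return nil
}

// RetireOld ends the transition window so the old key no longer decrypts.
func (r *KeyRing) RetireOld() { r.Previous = nil }

func main() {
	k, err := GeneratePSK()
	if err != nil {
		panic(err)
	}
	fmt.Println("base64:", EncodeBase64(k))
	fmt.Println("hex:   ", EncodeHex(k))
	fmt.Println("default AQ== rejected:", ValidatePSK("AQ=="))
	ring := &KeyRing{Current: k}
	_ = ring.Rotate()
	fmt.Println("after rotation, old key still held:", ring.Previous != nil)
}
```

The transition window exists so that nodes which have not yet received the new key keep working; close it with RetireOld as soon as every remaining member has the new key, otherwise the departed member's copy of the old key keeps decrypting traffic.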
Technical specifications
| Parameter | Value | Description |
|---|---|---|
| Encryption algorithm | AES-256-CTR | Advanced Encryption Standard, 256-bit key, Counter mode |
| Key length | 256 bits (32 bytes) | Military-grade security level |
| IV (Initialization Vector) | Packet counter | Unique value per packet, prevents replay attacks |
| Hardware acceleration | Yes (ESP32) | ESP32 has hardware AES for fast encrypt/decrypt |
| Performance impact | <1 ms per packet | Negligible overhead thanks to hardware AES |
| Forward secrecy | No | Symmetric key, no PFS like in TLS |
Benefits of MeshCore encryption
Military-grade security
AES-256 is approved by NSA for top-secret documents. Practically unbreakable with current computers.
Efficient on embedded hardware
Hardware AES on ESP32 makes encryption super fast (<1 ms). No noticeable impact on battery life or latency.
Per-channel keys
Each channel has its own PSK. Different security levels: public primary, private secondary channels. Flexible per use case.
Easy to configure
Setting PSK is simple: enter one 32-byte key and done. No complex certificate management like with TLS/HTTPS.
Transparent for user
Encryption happens automatically. User doesn't notice the encrypt/decrypt process. Messages are simply readable in the app.
Admin channel protection
Admin functions are always encrypted. Prevents attackers from taking over or reconfiguring your node via radio.
Frequently asked questions
Are all messages encrypted in MeshCore?
No, only messages on channels with a PSK are encrypted. The primary channel is often public (no PSK) for general communication. You can make secondary channels private with your own PSK. You choose per channel whether encryption is on.
Can someone intercept and read my messages?
On public channels without PSK: yes, anyone with a MeshCore node can listen. On encrypted channels: no, only people with the PSK can decrypt. LoRa radio is broadcast, so encryption is essential for privacy.
How secure is AES-256 encryption really?
AES-256 is extremely secure. With current computers it would take billions of years to brute-force a key. It's used for classified government data. If your PSK stays secret, your messages are practically unbreakable.
What happens if someone gets my PSK?
Then that person can read and send all messages on that channel. This is the disadvantage of symmetric encryption. So change PSK immediately if you suspect the key has leaked. Only share PSKs via secure channels (not via radio!).
Does MeshCore support end-to-end encryption between individuals?
MeshCore has channel-level encryption, not end-to-end per user. All nodes on an encrypted channel can read each other's messages. For true E2E you would need to build an extra encryption layer on top (possible via plugins).
Does encryption affect range or battery life?
No, negligible impact. Hardware AES on ESP32 is super fast (<1 ms per message). You won't notice any difference in range, speed or battery life between encrypted and unencrypted channels. Encryption is free in terms of performance.
Secure your MeshCore communication
Ready to set up an encrypted mesh network? Choose your device and configure private channels with AES-256 encryption.