
Can I trust MeshCore encryption for sensitive communications?

MeshCore Encryption Summary

MeshCore provides two layers of encryption:

  • Channel encryption - AES-128 in ECB mode plus an HMAC-SHA256 tag, with a key derived from the channel configuration. Every node on the channel holds the same key, so a channel is only as private as its least careful member.
  • Direct message encryption - ECDH key agreement on Curve25519 (X25519) yielding AES session keys. Only the sender and the recipient hold the key for a DM.

Cryptographic Strength

Both AES-128 and Curve25519 ECDH are modern, vetted cryptographic primitives used in TLS 1.3, the Signal Protocol and other high-security systems, and the primitives themselves are sound. The comparison with Signal holds only at that level, not at the protocol level: Signal's double ratchet derives a fresh key for every message, which gives it forward secrecy and post-compromise security that a single ECDH session key does not provide, and AES in ECB mode (used for channels) is deterministic, so identical plaintext blocks produce identical ciphertext blocks under the same key. Sound primitives are necessary but not sufficient; the mode of operation, the key management and the security of the device decide what an attacker actually learns.

What Encryption Protects Against

  • Passive eavesdroppers with LoRa hardware - cannot read message content, provided the keys are kept secret and exchanged correctly
  • Offline decryption of recorded traffic - a long-term recording of DM traffic yields no content as long as the keys it was encrypted under are never obtained (see device seizure below)
  • Tampering and forgery - the HMAC-SHA256 tag lets a receiver that checks it reject modified or forged channel packets
  • Later key compromise, but only with ephemeral keys - ECDH session keys provide forward secrecy when the key pairs involved are ephemeral and discarded after use; a key derived from two long-term identity keys can be recomputed by anyone who later obtains either private key. Forward secrecy is not replay protection: encryption does nothing to stop a captured packet being retransmitted, so the receiver has to detect duplicates itself

What Encryption Does NOT Protect Against

  • Physical access to your device - Private keys and stored messages live on the device. Whoever seizes it can read stored messages and, if DM keys are derived from the long-term identity key without ephemeral keys, can also decrypt any recorded past DM traffic.
  • Compromised network operator - A room server operator can see metadata (who is communicating with whom, and when) though not DM content
  • Traffic analysis - Observers can see that radio transmissions are occurring, their timing, their frequency and their approximate size, even when they cannot read content
  • Social engineering - If a recipient shares a DM, encryption provides no protection; the endpoints are always inside the trust boundary
  • Channel key compromise - The channel key is static and shared by every member, so there is no forward secrecy: an adversary who obtains it from any member's device can decrypt all recorded past channel traffic and all future traffic until the key is rotated. Because the channel cipher runs in ECB mode, even an adversary without the key can see when two packets, or two blocks within one packet, carry identical plaintext.

Appropriate Use Cases

MeshCore's encryption is appropriate for:

  • Community coordination that you'd prefer not to broadcast publicly
  • Emergency operations where commercial networks are unavailable
  • Private group communications within a trusted community

MeshCore encryption is not appropriate as the sole protection for:

  • Communications subject to legal privilege (attorney-client, medical)
  • Operational security against nation-state adversaries
  • Highly sensitive personal information

For these use cases, run an end-to-end encrypted application (Signal, ProtonMail) over the mesh, with LoRa serving only as the transport layer to reach an internet gateway; the mesh then carries ciphertext it cannot read, and MeshCore's own encryption becomes a second layer rather than the only one.