MeshCore Security and Encryption

MeshCore ~~encrypts~~uses ~~all~~a ~~message~~layered ~~payloads~~cryptographic ~~using~~system ~~AES-256-CTR.~~verified ~~Understanding~~from ~~how~~the project's source code. All claims on this ~~works~~page ~~helps~~are ~~you~~sourced ~~make~~from ~~informed~~src/Utils.cpp, ~~decisions~~src/MeshCore.h, ~~about~~and ~~what~~src/Identity.h ~~to transmit over~~in the ~~mesh~~official ~~and~~MeshCore ~~how to configure private channels.~~repository.

WhatSymmetric is encryptedEncryption

~~All~~Algorithm: ~~direct messages~~AES-128 (~~DMs):~~ECB ~~Encrypted end-to-end~~mode with ~~AES-256-CTR.~~zero-padding ~~Only~~for the ~~sender~~final block)

Key size: 16 bytes (CIPHER_KEY_SIZE = 16) The shared AES key is derived via ECDH (see below)

Message Authentication

MAC: HMAC-SHA256 truncated to 2 bytes (CIPHER_MAC_SIZE = 2) Scheme: Encrypt-then-MAC — the ciphertext is MACed, not the plaintext Functions: encryptThenMAC / MACThenDecrypt

Key Exchange

ECDH via X25519 — Ed25519 identity keys are transposed to X25519 for Diffie-Hellman key exchange (calcSharedSecret in Identity.h) The resulting shared secret is used as the AES-128 key for the session

Identity and recipientSigning

~~can~~

~~decrypt~~Identity ~~them.~~keys: Ed25519 Public key size: 32 bytes (PUB_KEY_SIZE = 32) Private key size: 64 bytes (PRV_KEY_SIZE = 64) Signature size: 64 bytes (SIGNATURE_SIZE = 64) ~~Channel~~Advertisements ~~messages:~~are signed ~~Encrypted~~ with ~~the channel’s shared key. Anyone with the channel key can decrypt them.~~ ~~Routing credentials:~~ ~~The public keys used for path discovery are public by design — repeaters need them~~Ed25519 to ~~route~~prevent ~~messages.~~node identity spoofing

What isThis NOTMeans encryptedin (by design)Practice

~~Advertisements:~~Messages ~~Broadcast~~between intwo ~~cleartext~~MeshCore sonodes ~~any~~use ~~node~~a ~~can~~unique ~~discover~~AES-128 ~~repeaters.~~key ~~Contains~~derived ~~node~~from ~~name,~~their ~~ID,~~ECDH ~~and~~exchange ~~optionally~~— ~~position.~~no shared secret needs to be pre-distributed
~~Route~~The ~~requests/replies:~~2-byte ~~Cleartext~~HMAC toprovides ~~enable~~integrity ~~routing~~checking by(detects ~~intermediate~~tampering) ~~nodes~~with ~~that~~low ~~don’t have the message key.~~overhead
Node ~~IDs~~identities inare ~~packet~~cryptographically ~~headers:~~verified ~~Must be visible to routers for forwarding.~~

~~This means: if~~— a node ~~has~~cannot ~~GPS~~impersonate ~~enabled~~another ~~and flood advertisements configured, its approximate location and identity are visible to anyone who can receive its radio transmissions. This is intentional — it’~~node's ~~what~~public ~~makes~~key ~~network~~

Channel/group ~~maps~~messages ~~and repeater discovery work. Configure accordingly if location privacy is important.~~

AES-256-CTR in practice

~~Counter (CTR) mode converts AES into~~use a ~~stream~~shared ~~cipher.~~symmetric ~~Each packet has a unique initialization vector (IV)~~key derived from the ~~sender’s~~channel ~~identity, sequence number, and timestamp. Key properties:~~

~~No padding required:~~ ~~Messages of any length are encrypted without adding bytes, keeping packets small.~~ ~~Parallelizable:~~ ~~Encryption and decryption can run in parallel, important on low-power MCUs.~~ ~~Nonce reuse is catastrophic:~~ If the same IV is used twice with the same key, both messages can be decrypted by an attacker. MeshCore’s sequence number + timestamp IV generation is designed to prevent this — don’t modify IV generation in custom firmware.configuration

Key

Source: ~~management for direct messages~~

MeshCore generates a unique keypair for each node during initial setup. The private key never leaves the device. The public key is shared via advertisements and is used by other nodes to encrypt messages specifically for that device.

~~This is an asymmetric key exchange model for key agreement, with AES-256 for the actual message encryption. The details of the key agreement protocol are documented in the~~Official MeshCore ~~protocol~~repository, ~~specification~~src/Utils.cpp, atsrc/MeshCore.h, ~~github.com/meshcore-dev/MeshCore.~~src/Identity.h. Verified 2026-05-03.

Channel security model

~~Channel messages use a symmetric key (the channel PSK) shared among all channel members. Security properties:~~

~~Authentication:~~ ~~Any node with the PSK can both read and write to the channel. There is no per-member authentication within a channel — if you share the PSK with someone, they can impersonate any channel member.~~ ~~Forward secrecy:~~ ~~Not provided. If the PSK is compromised, past messages (if recorded by an attacker) can be decrypted retroactively.~~ ~~Key distribution:~~ ~~The PSK must be shared out-of-band (not over the mesh) using a separate secure channel.~~

Threat model: what MeshCore protects against

~~ThreatProtected?Notes~~ ~~Passive eavesdropping of DMsYesAES-256-CTR; attacker without private key cannot read DMs~~ ~~Passive eavesdropping of channel messagesWith PSKAnyone with the PSK can read channel messages~~ ~~Traffic analysis (who is talking to whom)PartialNode IDs are visible; message content is not~~ ~~Location privacyConfigurableDisable GPS or advertisements to prevent location tracking~~ ~~Message injection into a channelWith PSKAny node with PSK can inject messages~~ ~~Relay node reading message contentYes (DMs)Relay nodes forward encrypted blobs; cannot read content~~ ~~Room server reading DMsYesRoom server sees ciphertext only for DMs~~

Security recommendations for sensitive use

~~Use direct messages (DMs) rather than channel messages for sensitive communication — DMs are end-to-end encrypted with no shared key~~ ~~If location privacy matters: disable GPS and set advertisement hop count to 0 (local only)~~ ~~Distribute channel PSKs only to trusted participants and through secure out-of-band channels~~ ~~Rotate channel PSKs periodically if the membership of a private channel changes~~ ~~Do not transmit information that would cause serious harm if intercepted — LoRa radio is a wireless medium and physical-layer interception by a sufficiently determined attacker is always possible~~

Comparing to Meshtastic security

~~MeshCoreMeshtastic~~ ~~DM encryption~~~~AES-256-CTR, E2EAES-256 (PKI-based in newer versions), E2E~~ ~~Channel encryption~~~~AES-256-CTR with PSKAES-128-PSK~~ ~~Key size~~~~256-bit128-bit~~ ~~Default encryption~~~~Always onDefault channel uses public key (visible to all)~~

Both provide strong protection for practical threat models. The key difference is that MeshCore’s encryption is always active with no unencrypted fallback mode, while Meshtastic’s default channel uses a public key that provides confidentiality only against passive observers who don’t know the key (which is publicly documented).