Meshtastic Channel Encryption
How Meshtastic Encryption Works
Each Meshtastic channel uses AES-256-CTR (counter mode) encryption with a 256-bit pre-shared key (PSK). Any node that has both the correct channel name and the correct key can decrypt messages on that channel. Encryption is end-to-end across the mesh: relay nodes forward ciphertext without decrypting it. They do not need the channel key to relay packets.
The Default Public Key
Meshtastic's built-in "Default" channel uses a well-known, publicly documented key. The PSK is represented in base64 as AQ==, which is the byte 0x01 followed by zeros. This is intentionally not secret: the Default channel is the public mesh. Anyone running the Meshtastic app can read messages on the Default channel. Do not send sensitive information on the Default channel.
Creating a Private Channel
To communicate privately:
- Set a custom channel name (different from "LongFast" or "Default").
- Use the app's Generate button to create a cryptographically random 256-bit PSK. Do not manually type a key; human-chosen keys have low entropy.
- Share the channel configuration with intended participants using the channel QR code. Share this QR code only through a secure side channel (e.g., in person or via an encrypted messenger).
Messages on your private channel are unreadable to any node that does not possess the key, even if those nodes relay the encrypted packets.
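To make the channel model above concrete (a random 256-bit PSK, AES-256-CTR over the payload, a cleartext header, and a relay that forwards without the key), here is an added example in Go; it is not Meshtastic's code. The CTR nonce layout (packet ID in the first 8 bytes, source node ID in the next 4, remainder zero) is my assumption about the firmware and should be checked against the source before being relied on; the packet, node IDs and message are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Packet is a simplified Meshtastic-style frame: header fields travel in cleartext, only Payload is encrypted.
type Packet struct {
	From, To uint32 // node IDs, visible to any LoRa receiver
	ID       uint64 // packet ID, also feeds the CTR nonce
	HopLimit uint8
	Payload  []byte
}
// GeneratePSK returns a random 256-bit key, as the app's Generate button does.
func GeneratePSK() ([]byte, error) {
	psk := make([]byte, 32)
	_, err := rand.Read(psk)
	return psk, err
}
// ctrNonce builds the 16-byte counter block from packet ID and source node.
// Assumption: ID little-endian in bytes 0-7, From in bytes 8-11, rest zero.
func ctrNonce(id uint64, from uint32) []byte {
	n := make([]byte, 16)
	binary.LittleEndian.PutUint64(n[0:8], id)
	binary.LittleEndian.PutUint32(n[8:12], from)
	return n
}
// CryptPayload applies AES-256-CTR; the same call encrypts and decrypts.
func CryptPayload(psk []byte, p Packet, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(psk) // rejects keys that are not 16/24/32 bytes
	if err != nil { return nil, err }
	out := make([]byte, len(data))
	cipher.NewCTR(block, ctrNonce(p.ID, p.From)).XORKeyStream(out, data)
	return out, nil
}
// Relay forwards the ciphertext untouched; an intermediate node needs no key.
func Relay(p Packet) Packet { p.HopLimit--; return p }
func main() {
	psk, _ := GeneratePSK()
	p := Packet{From: 0x1a2b3c4d, To: 0xffffffff, ID: 42, HopLimit: 3}
	p.Payload, _ = CryptPayload(psk, p, []byte("meet at the north trailhead"))
	relayed := Relay(p) // relay sees From/To/ID/HopLimit and ciphertext only
	wrong, _ := CryptPayload(make([]byte, 32), relayed, relayed.Payload)
	right, _ := CryptPayload(psk, relayed, relayed.Payload)
	fmt.Printf("wrong key: %q\nright key: %q\n", wrong, right)
}
```

The wrong-key decryption yields bytes that are as unreadable as the ciphertext itself, while the header fields remain plain at every hop, which is exactly the metadata exposure described later on this page.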
PKI and Direct Messages (Meshtastic 2.3+)
Starting with Meshtastic 2.3, the platform introduced PKI-based direct messaging. Each node generates a public/private key pair. When you send a direct message (DM) to a specific node, it is encrypted to that node's public key, so only the intended recipient's private key can decrypt it. This is separate from channel encryption and provides stronger guarantees for one-to-one communication.
What Encryption Does NOT Protect
Meshtastic encryption protects message content, but several pieces of information remain visible to anyone monitoring the RF spectrum:
- Packet metadata: Source node ID, destination node ID, hop count, SNR, and timing are in the unencrypted packet header and visible to any LoRa receiver tuned to the frequency.
- Node existence: Even on a private channel, NodeInfo packets (which advertise node IDs and positions) are broadcast on the public mesh. A passive observer can know your node exists and track its position even if they cannot read your messages.
- Traffic analysis: An attacker can observe transmission patterns (when and how often you transmit) without ever decrypting content. This can reveal usage patterns and correlate activity.
Admin Channel Security
Meshtastic's admin channel allows remote configuration of nodes. The admin channel PSK is a high-value secret: anyone who possesses it can reconfigure your nodes remotely, change channels, adjust power settings, or disable the device. Treat it accordingly:
- Use a unique PSK for the admin channel, separate from any user channels.
- Do not share the admin PSK with regular channel users.
- Store it securely (e.g., in a password manager).
Key Distribution and Revocation
Meshtastic has no built-in key revocation mechanism. If an admin channel or private channel PSK is compromised, you must manually change it on every node that uses it. For networks with many nodes, this can be operationally complex; plan key distribution carefully and limit who has access to keys from the outset.