PKI Direct Messaging (v2.3+)

Meshtastic firmware 2.3 introduced PKI-based encryption for direct (person-to-person) messages. This is a significant security upgrade that provides forward secrecy for DMs — something not possible with channel PSK encryption.

How PKI DMs Work

Each Meshtastic node generates a unique Curve25519 keypair on first boot:

Key generation — Node generates a private key (stored locally, never transmitted) and a public key.
Key exchange — Each node broadcasts its public key as part of its node info advertisement. Other nodes store this public key in their node database.
Message encryption — When you send a DM to another node, Meshtastic performs an ECDH key exchange using your private key and the recipient's public key, deriving a unique shared secret. This shared secret is used as the AES session key for that message.
Forward secrecy — Each message (or message session) can use a fresh key derivation. If a session key is compromised, it does not expose past messages.

Requirements for PKI DMs

Both sender and recipient must be running Meshtastic firmware 2.3 or later
The recipient's public key must be in the sender's node database (requires having received at least one advertisement from the recipient node)
Both nodes must be on compatible channels (or direct radio range) for key advertisements to propagate

Enabling and Verifying PKI DMs

PKI DMs are enabled by default in firmware 2.3+. No configuration is required. The Meshtastic app shows a lock icon or "encrypted" indicator on DMs that use PKI encryption. If the recipient's public key is not yet known, the app may fall back to channel-encrypted DMs or prompt you to wait for a key exchange.

Comparison: PSK Channel vs PKI DM Security

Property	PSK Channel	PKI Direct Message
Encryption algorithm	AES-256-CTR	ECDH + AES-256-CTR
Key exchange	Manual (share PSK)	Automatic (public keys via mesh)
Forward secrecy	No	Yes
Who can read	Anyone with PSK	Only sender and recipient
Key compromise exposure	All past and future messages	Limited to compromised session
Firmware requirement	Any	2.3+

Practical Recommendations

For sensitive one-on-one communication, use DMs with firmware 2.3+ on both ends
For group communication, use a custom channel with a randomly generated PSK distributed via secure channels
Never put truly sensitive information on the Default channel — it is effectively unencrypted
Rotate channel PSKs periodically for long-running networks where membership changes

Meshtastic Protocol Overview

Meshtastic Flooding Mesh Protocol Explained

Meshtastic Node IDs, Addresses, and Naming

Meshtastic Setup Guide

Initial Node Configuration Checklist

Advanced Configuration for Infrastructure Nodes

Personal Device Roles

Infrastructure Roles: Router and Repeater

Specialized Roles

How Meshtastic Channels Work

Creating Private Channels

Built-in Telemetry Types

Monitoring Channel Utilization

Meshtastic Python CLI Guide

Complete Meshtastic CLI Command Reference

Meshtastic MQTT Setup

Building a Meshtastic Internet Gateway

Meshtastic Web Interface and Remote Access

Meshtastic Module Configuration Reference

Traceroute and Path Diagnostics

Neighbor Info and Signal Mapping

Meshtastic APRS Gateway

Meshtastic Python Scripting

Home Assistant Integration via MQTT

Node-RED Flows for Mesh Automation

Meshtastic Channel Encryption

Privacy Best Practices

Understanding Channels and PSKs

Sharing Channels via QR Code

Channel Strategy for Community Networks

Reading Network Statistics in the Meshtastic App

Using the Meshtastic Python CLI for Diagnostics

Mesh Topology and Path Analysis

Common Network Problems and Solutions

Getting Started with the Meshtastic Python Library

Automating Meshtastic: Practical Scripts

Meshtastic Python API Reference

Telemetry Module: Device, Environment, and Power

Store and Forward Module

Range Test Module

External Notification and Canned Messages

Serial, MQTT, and Ambient Light Modules

Meshtastic Channel Encryption

PKI Direct Messaging (v2.3+)

Meshtastic Managed Mode and Admin Channels

Device Configuration Settings

Position Configuration Settings

Network Configuration Settings

Meshtastic Android App Overview

Meshtastic iOS App Overview

Meshtastic Web Client and Python CLI

Meshtastic Power Settings Reference

Power Configuration Settings Reference

Meshtastic LoRa Settings Reference

Choosing the Right Modem Preset

PKI Direct Messaging (v2.3+)

How PKI DMs Work

Requirements for PKI DMs

Enabling and Verifying PKI DMs

Comparison: PSK Channel vs PKI DM Security

Practical Recommendations