MeshCore encryption details
Everything about the current MeshCore encryption: AES-128, MAC validation, shared secrets and the practical security model
How MeshCore secures your data
According to the upstream MeshCore source code and documentation, the current MeshCore implementation uses AES-128 block encryption together with a truncated HMAC-SHA256 MAC. That is not the same as AES-256.
The security model is largely based on shared secrets: anyone with the correct secret can decrypt the relevant private payloads. That can be practical for mesh use, but it also means you should handle keys carefully and keep expectations realistic.
In this guide we explain what is actually present in MeshCore today, what that means for privacy, and where the limitations are. That keeps the page technically useful without claiming more than the implementation supports.
Security layers in MeshCore
Payload encryption (AES-128)
Private payloads are encrypted before they go over the radio. In the current implementation this uses AES-128. Only nodes with the correct shared secret can read the content.
Device-level keys
Each device has a unique device key for admin functions. This prevents random people from reconfiguring your node, even on a public channel.
Integrity and administration
MeshCore also uses a MAC to detect modified ciphertext. For admin and management flows there are separate secrets and permissions, so not every participant can change node settings.
Current encryption design
Based on the current MeshCore source code, a payload is encrypted with AES-128 block encryption. The official documentation also mentions zero padding and a truncated HMAC-SHA256 MAC for transport integrity.
Encryption process:
1. Shared secret → AES-128 encryption of the payload
2. The final block is padded with zero bytes if needed
3. A MAC is calculated over the ciphertext
4. The receiver verifies the MAC first and then decrypts the payload
This design is relatively lightweight and practical for embedded hardware. At the same time it is less modern than schemes with a nonce/IV plus authenticated encryption, so it is better not to oversell the current implementation.
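As an added illustration (not MeshCore's own code), here is the encrypt-then-MAC packet construction described above in Go with only the standard library: AES-128 applied block by block with no IV, zero padding, and a truncated HMAC-SHA256 that the receiver checks before decrypting. The tag length (macLen) and the reuse of the single shared secret as the HMAC key are assumptions of this example; the page does not state either.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)
// macLen: HMAC-SHA256 bytes kept after truncation. Assumed here; shorter tags are easier to forge.
const macLen = 2

// Seal: AES-128 block by block (no IV/nonce, as the page describes), then a truncated
// HMAC-SHA256 over the ciphertext. Using one secret for both AES and HMAC is an assumption.
func Seal(secret, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(secret) // a 16-byte secret selects AES-128
	if err != nil {
		return nil, err
	}
	padded := append([]byte{}, plaintext...) // zero padding to a whole block
	if rem := len(padded) % aes.BlockSize; rem != 0 {
		padded = append(padded, make([]byte, aes.BlockSize-rem)...)
	}
	ct := make([]byte, len(padded))
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(ct)
	return append(ct, mac.Sum(nil)[:macLen]...), nil
}

// Open checks the MAC first and decrypts only if it matches (encrypt-then-MAC).
func Open(secret, packet []byte) ([]byte, error) {
	block, err := aes.NewCipher(secret)
	if err != nil || len(packet) < macLen || (len(packet)-macLen)%aes.BlockSize != 0 {
		return nil, errors.New("bad secret length or malformed packet")
	}
	ct, tag := packet[:len(packet)-macLen], packet[len(packet)-macLen:]
	mac := hmac.New(sha256.New, secret)
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)[:macLen]) {
		return nil, errors.New("MAC mismatch: modified packet or wrong secret")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	// Zero padding is ambiguous: trailing 0x00 bytes of a real message are lost too.
	return bytes.TrimRight(pt, "\x00"), nil
}
```

Because no nonce/IV is used, two equal plaintext blocks encrypt to the same ciphertext block, which is the kind of limitation the section refers to.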
PSK key management
Key generation
Use strong, random shared secrets. In MeshCore documentation and source code you will see 16-byte secrets for the current packet encryption layer; other parts of the system may carry longer secret material. In any case, avoid weak or predictable keys.
Key distribution
Shared secrets must be distributed securely to group members. Use a trusted path or direct configuration, and never send keys over public radio or in unsecured messages.
Key rotation
Rotate secrets when there is a concrete reason, for example when a device is lost or someone leaves the group. That limits the impact of a leaked key.
Default keys
Do not assume that default or widely shared secrets provide real privacy. Once many people know the same secret, practical confidentiality is gone.
Technical specifications
| Parameter | Value | Description |
|---|---|---|
| Encryption algorithm | AES-128 block encryption | The current implementation in the source code uses AES-128 on 16-byte blocks |
| Key length | 128 bits (16 bytes) | The packet encryption function uses a 16-byte key |
| Padding | Zero padding | The last block is padded with zero bytes when the payload does not fit exactly |
| Hardware acceleration | Yes (ESP32) | On suitable hardware AES can be handled efficiently |
| Performance impact | <1 ms per packet | The crypto layer is relatively light for embedded devices |
| Integrity check | HMAC-SHA256 (truncated) | The documentation describes a truncated MAC over the ciphertext |
Benefits of MeshCore encryption
Practical baseline protection
MeshCore does provide a real encryption layer for private traffic. That is better than sending everything in the clear, but it is still wise to stay measured about the exact strength of the current design.
Efficient on embedded hardware
The chosen crypto layer is light enough for embedded hardware and usually adds little practical overhead.
Shared secrets for closed groups
For smaller groups, shared secrets are practical: everyone with the right configuration can participate without a heavy certificate system.
Easy to configure
Configuration stays relatively simple. You do not need a full PKI or certificate management setup to enable private traffic.
Transparent to the user
Encryption happens automatically. The user does not notice the encryption and decryption steps; messages are simply readable in the app.
Admin channel protection
Management functions are separated from ordinary traffic, so not every participant automatically has admin rights.
Frequently asked questions
Are all messages encrypted in MeshCore?
No. Public traffic stays public. MeshCore does use encryption for private traffic with shared secrets, but you should not automatically treat every message type or situation as fully private.
Can someone intercept and read my messages?
On public traffic: yes, it can be read. On private traffic protected with the right shared secret, the content is not directly readable by outsiders. LoRa is still a broadcast medium, so metadata and traffic patterns remain visible and relevant.
How secure is the current MeshCore encryption really?
Stronger than unencrypted radio, but not something we should present as state-of-the-art authenticated encryption. The current implementation uses AES-128 block encryption with MAC validation; that is usable, but the chosen mode also has known limitations.
What happens if someone gets my PSK?
That person may be able to read or imitate private traffic that depends on that secret. Rotate the secret immediately if you suspect it leaked, and only share secrets over a trusted path.
Does MeshCore support end-to-end encryption between individuals?
Be careful with that label. LocalMesh prefers not to present MeshCore as a classic per-user E2E model like a modern secure chat app. The current implementation is better described as protocol encryption for private traffic built around shared secrets.
Does encryption affect range or battery life?
The impact is usually small. Encryption always costs some processing, but on modern boards it is rarely the main bottleneck compared with radio conditions, antenna placement and network density.
Secure your MeshCore communication
Ready to set up an encrypted mesh network? Choose your device and configure private traffic with realistic expectations about the current MeshCore encryption.