MeshCore encryption details
Everything about AES-256 encryption, PSK key management, the security model, and per-channel encryption in MeshCore mesh networks
How MeshCore secures your data
MeshCore employs AES-256 encryption to secure messages. This is the same military-grade encryption utilised by banks, government departments, and security services worldwide. Each channel can have its own PSK (Pre-Shared Key) for private communication.
The MeshCore security model is based on symmetric encryption: everyone possessing the PSK can encrypt and decrypt messages. This approach is straightforward yet effective for mesh networks where you have a defined group.
This technical guide explains how the encryption functions, how you manage keys, what security measures exist, and what the limitations are. Understand the security trade-offs before establishing an encrypted network.
Security layers in MeshCore
Channel encryption (AES-256)
Each channel can be encrypted with a PSK. Messages are encrypted before transmission. Only nodes with the correct PSK can read the content.
Device-level keys
Each device has a unique device key for administrative functions. This prevents random people from reconfiguring your node, even on a public channel.
Admin channel security
Admin channels always have a separate PSK. Remote configuration is only possible for authorised nodes possessing the admin key.
AES-256-CTR encryption
MeshCore uses AES-256 in CTR mode (Counter Mode). This is a stream cipher that operates efficiently on low-power embedded devices. Each packet receives a unique counter value as initialisation vector (IV).
Encryption process:
1. PSK (256-bit) + Packet Counter (IV) -> AES-CTR keystream
2. Plaintext payload XOR keystream -> Ciphertext
3. Ciphertext + Counter transmitted via radio
4. Receiver: AES-CTR with the same PSK + Counter, XOR over the Ciphertext -> Plaintext
The advantage of CTR mode is that encryption and decryption are the same operation (XOR). This is fast on ESP32 chips that have hardware AES acceleration. The 256-bit key is extremely difficult to brute-force (would require billions of years).
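The four steps above, worked through as an added Go example (this is not MeshCore firmware code; the 16-byte IV layout, with the packet counter in the low eight bytes, is an assumption because the page does not give the on-air format). It also demonstrates why the counter must be unique per packet under one PSK: two packets encrypted with the same counter share a keystream, so XOR-ing their ciphertexts cancels the keystream and exposes plaintext1 XOR plaintext2.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// counterIV builds the 16-byte AES block-sized IV from the per-packet counter.
// Layout is an assumption for this example: 8 zero bytes followed by the
// counter in big-endian; the real on-air format is not given on the page.
func counterIV(counter uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], counter)
	return iv
}

// ctrXOR runs the AES-256-CTR keystream for (psk, counter) over data.
// CTR only XORs the keystream into the data, so the same function both
// encrypts and decrypts (step 2 on the sender, step 4 on the receiver).
func ctrXOR(psk []byte, counter uint64, data []byte) ([]byte, error) {
	if len(psk) != 32 {
		return nil, errors.New("PSK must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(psk)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, counterIV(counter)).XORKeyStream(out, data)
	return out, nil
}

// Packet is the on-air unit of step 3: the counter travels in the clear
// beside the ciphertext so the receiver can rebuild the same keystream.
type Packet struct {
	Counter    uint64
	Ciphertext []byte
}

// EncryptPacket performs steps 1 to 3 for one outgoing message.
func EncryptPacket(psk []byte, counter uint64, plaintext []byte) (Packet, error) {
	ct, err := ctrXOR(psk, counter, plaintext)
	if err != nil {
		return Packet{}, err
	}
	return Packet{Counter: counter, Ciphertext: ct}, nil
}

// DecryptPacket performs step 4. There is no integrity tag in this scheme:
// any 32-byte key "succeeds", and a wrong key silently yields garbage, so
// the caller cannot tell a wrong key from a corrupted packet.
func DecryptPacket(psk []byte, p Packet) ([]byte, error) {
	return ctrXOR(psk, p.Counter, p.Ciphertext)
}

// KeystreamReuseLeak shows why the counter must never repeat under one PSK:
// two equal-length messages encrypted with the same (psk, counter) share a
// keystream, so XOR-ing the ciphertexts returns m1 XOR m2 with no key needed.
func KeystreamReuseLeak(psk []byte, counter uint64, m1, m2 []byte) ([]byte, error) {
	if len(m1) != len(m2) {
		return nil, errors.New("equal-length messages expected for this demonstration")
	}
	c1, err := ctrXOR(psk, counter, m1)
	if err != nil {
		return nil, err
	}
	c2, err := ctrXOR(psk, counter, m2)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(c1))
	for i := range c1 {
		out[i] = c1[i] ^ c2[i]
	}
	return out, nil
}

func main() {
	psk := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; never use a fixed key
	msg := []byte("meet at the north gate")
	p, _ := EncryptPacket(psk, 7, msg)
	pt, _ := DecryptPacket(psk, p)
	fmt.Printf("counter=%d ct=%x\n", p.Counter, p.Ciphertext)
	fmt.Printf("plaintext=%q\n", pt)
}
```

As written, and as the process above describes it, a packet carries only the counter and the ciphertext; DecryptPacket cannot detect a wrong key or a modified packet, which is why keeping the PSK secret and the counter unique carry all the weight in this design.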
PSK key management
Key generation
PSKs are 256-bit (32-byte) random keys, usually displayed as a base64 or hex string. Generate keys with a cryptographically secure random generator, not "password123"!
Key distribution
PSKs must be shared securely with group members, for example via QR code, USB configuration, or another secure channel. Never send keys via unencrypted radio or the public internet.
Key rotation
Change the PSK periodically as a security best practice, especially when group members leave. MeshCore supports multiple keys simultaneously for a smooth transition.
Default keys
The primary channel often has no PSK (public). Secondary channels usually use custom PSKs. There is a standard "AQ==" key, but it is insecure because everyone knows it!
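The key-management rules above (generation, key format, rotation, default keys) as an added Go example; this is not MeshCore's own code. Assumptions: keys are accepted as 64 hex characters or standard base64, the known-public list contains only the "AQ==" default named on this page, and the two-key rotation window is an assumed policy, since the page only states that multiple keys are supported simultaneously.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

const pskLen = 32 // 256-bit key for AES-256

// knownPublicKeys lists PSK strings that must be treated as public knowledge.
// "AQ==" is the well-known default named on the page; the list is otherwise
// an assumption of this example, not a MeshCore constant.
var knownPublicKeys = map[string]bool{"AQ==": true}

// GeneratePSK returns a fresh 256-bit key from the OS CSPRNG, base64-encoded.
func GeneratePSK() (string, error) {
	key := make([]byte, pskLen)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(key), nil
}

// ParsePSK accepts a key as 64 hex characters or as standard base64, rejects
// known-public values, and insists on exactly 32 bytes of non-trivial content.
func ParsePSK(s string) ([]byte, error) {
	s = strings.TrimSpace(s)
	if knownPublicKeys[s] {
		return nil, errors.New("refusing known public default key")
	}
	if len(s) == 2*pskLen {
		if k, err := hex.DecodeString(s); err == nil {
			return checkKey(k)
		}
	}
	k, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("PSK is neither hex nor base64: %w", err)
	}
	return checkKey(k)
}

// checkKey enforces the 32-byte length and catches degenerate keys such as
// all-zero strings that a "password123"-style setup would produce.
func checkKey(k []byte) ([]byte, error) {
	if len(k) != pskLen {
		return nil, fmt.Errorf("PSK is %d bytes, need %d", len(k), pskLen)
	}
	if allSame(k) {
		return nil, errors.New("PSK has no entropy (all bytes identical)")
	}
	return k, nil
}

func allSame(b []byte) bool {
	for _, x := range b[1:] {
		if x != b[0] {
			return false
		}
	}
	return true
}

// KeyRing keeps the current PSK plus the previous one so packets still in
// flight under the old key can be tried during a rotation window (an assumed
// two-key policy for this example).
type KeyRing struct {
	Current, Previous []byte
}

// Rotate installs a new key and demotes the old current key to Previous;
// whatever was Previous before is dropped, so a departed member's key
// disappears after two rotations at the latest.
func (r KeyRing) Rotate(newKey []byte) KeyRing {
	return KeyRing{Current: newKey, Previous: r.Current}
}

// Candidates returns the keys to try on an incoming packet, newest first.
func (r KeyRing) Candidates() [][]byte {
	keys := [][]byte{r.Current}
	if r.Previous != nil {
		keys = append(keys, r.Previous)
	}
	return keys
}

func main() {
	k, err := GeneratePSK()
	if err != nil {
		panic(err)
	}
	fmt.Println("new PSK (base64):", k)
	if _, err := ParsePSK("AQ=="); err != nil {
		fmt.Println("default key rejected:", err)
	}
}
```

Share the string GeneratePSK returns over one of the secure paths listed above (QR code, USB), and keep the previous key only for the rotation window; after the next rotation it drops out of the ring automatically.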
Technical specifications
| Parameter | Value | Description |
|---|---|---|
| Encryption Algorithm | AES-256-CTR | Advanced Encryption Standard, 256-bit key, Counter mode |
| Key Length | 256 bits (32 bytes) | Military-grade security level |
| IV (Initialisation Vector) | Packet counter | Unique value per packet, prevents replay attacks |
| Hardware Acceleration | Yes (ESP32) | ESP32 has hardware AES for rapid encrypt/decrypt |
| Performance Impact | <1 ms per packet | Negligible overhead owing to hardware AES |
| Forward Secrecy | No | Symmetric key, no PFS like in TLS |
Benefits of MeshCore encryption
Military-grade security
AES-256 is approved by intelligence agencies for top-secret documents. Practically unbreakable with current computers.
Efficient on embedded hardware
Hardware AES on ESP32 makes encryption remarkably fast (<1 ms). No noticeable impact on <a href="/battery-life-charging-emergency-radio/">battery life</a> or latency.
Per-channel keys
Each channel has its own PSK. Different security levels: public primary, private secondary channels. Flexible per use case.
Simple to configure
Setting PSK is straightforward: enter one 32-byte key and done. No complex certificate management like with TLS/HTTPS.
Transparent for user
Encryption happens automatically. User does not notice the encrypt/decrypt process. Messages are simply readable in the app.
Admin channel protection
Admin functions are always encrypted. Prevents attackers from taking over or reconfiguring your node via radio.
Frequently asked questions
Are all messages encrypted in MeshCore?
No, only messages on channels with a PSK are encrypted. The primary channel is often public (no PSK) for general communication. You can make secondary channels private with your own PSK. You choose per channel whether encryption is active.
Can someone intercept and read my messages?
On public channels without PSK: yes, anyone with a MeshCore node can listen. On encrypted channels: no, only people with the PSK can decrypt. LoRa radio is broadcast, so encryption is essential for privacy.
How secure is AES-256 encryption actually?
AES-256 is extremely secure. With current computers it would require billions of years to brute-force a key. It is used for classified government data. If your PSK remains secret, your messages are practically unbreakable.
What happens if someone obtains my PSK?
Then that person can read and send all messages on that channel. This is the disadvantage of symmetric encryption. So change the PSK immediately if you suspect the key has been compromised. Only share PSKs via secure channels (not via radio!).
Does MeshCore support end-to-end encryption between individuals?
MeshCore has channel-level encryption, not end-to-end per user. All nodes on an encrypted channel can read each other's messages. For true E2E you would need to build an additional encryption layer on top (possible via plugins).
Does encryption affect range or battery life?
No, negligible impact. Hardware AES on ESP32 is remarkably fast (<1 ms per message). You will not notice any difference in range, speed, or battery life between encrypted and unencrypted channels. Encryption is essentially free in terms of performance.
Secure your MeshCore communication
Ready to set up an encrypted mesh network? Choose your device and configure private channels with AES-256 encryption.