MeshCore Encryption Details
Everything about the current MeshCore encryption model: AES-128 block encryption, MAC validation, shared keys, and practical security trade-offs
How MeshCore Secures Your Data
According to the upstream MeshCore source code and documentation, the current implementation uses AES-128 block encryption together with a truncated HMAC-SHA256 MAC. That is useful protection, but it is not the same as AES-256.
The MeshCore security model is based on symmetric encryption: everyone possessing the PSK can encrypt and decrypt messages. This approach is straightforward yet effective for mesh networks where you have a defined group.
This technical guide explains how the encryption functions, how you manage keys, what security measures exist, and what the limitations are. Understand the security trade-offs before establishing an encrypted network.
Security Layers In MeshCore
Private-Traffic Encryption (AES-128)
Private traffic is encrypted before transmission. In the current implementation, MeshCore uses AES-128 with MAC validation. Nodes need the right shared material to make sense of that traffic.
Device-Level Keys
Each device has a unique device key for administrative functions. This prevents random people from reconfiguring your node, even on a public channel.
Admin Channel Security
Admin channels always have a separate PSK. Remote configuration is only possible for authorized nodes possessing the admin key.
Current Encryption Model
The upstream code and docs indicate that MeshCore currently uses AES-128 block encryption for payload protection, plus a truncated HMAC-SHA256 MAC for integrity. The documentation also mentions zero padding.
High-level process: 1. Shared key material is configured between participating devices 2. Private payload data is encrypted with AES-128 3. A truncated HMAC-SHA256 MAC is added for integrity checking 4. The receiving side validates the MAC and then decrypts the payload
This still offers meaningful protection compared with sending radio traffic in the clear. RegionMesh now describes it more narrowly and accurately, instead of repeating older AES-256 or classic end-to-end claims.
PSK Key Management
Key Generation
PSKs are 256-bit (32 bytes) random keys. Usually displayed as base64 or hex string. Generate keys with cryptographically secure random generator, not "password123"!
Key Distribution
PSKs must be shared securely with group members. Via QR code, USB configuration, or secure channel. Never send keys via unencrypted radio or public internet.
Key Rotation
Change PSK periodically as security best practice. Especially when group members leave. MeshCore supports multiple keys simultaneously for smooth transition.
Default Keys
Primary channel often has no PSK (public). Secondary channels usually use custom PSKs. There is a standard "AQ==" key but it is insecure because everyone knows it!
Technical Specifications
| Parameter | Value | Description |
|---|---|---|
| Encryption Algorithm | AES-128 block encryption | Current implementation described in upstream code and docs |
| Key Length | 128 bits (16 bytes) | The AES block-cipher key size used by the current implementation |
| IV (Initialization Vector) | MAC + padding details vary by implementation | Upstream docs mention truncated HMAC-SHA256 MAC and zero padding |
| Hardware Acceleration | Yes (ESP32) | ESP32 has hardware AES for rapid encrypt/decrypt |
| Performance Impact | <1 ms per packet | Negligible overhead owing to hardware AES |
| Forward Secrecy | No | Symmetric key, no PFS like in TLS |
Benefits Of MeshCore Encryption
Better Than Open Radio
Private MeshCore traffic is materially better protected than sending everything over the air in plain text.
Efficient On Embedded Hardware
Hardware AES on ESP32 makes encryption remarkably fast (<1 ms). No noticeable impact on battery life or latency.
Per-Channel Keys
Each channel has its own PSK. Different security levels: public primary, private secondary channels. Flexible per use case.
Simple To Configure
Setting PSK is straightforward: enter one 32-byte key and done. No complex certificate management like with TLS/HTTPS.
Transparent For User
Encryption happens automatically. User does not notice the encrypt/decrypt process. Messages are simply readable in the app.
Admin Channel Protection
Admin functions are always encrypted. Prevents attackers from taking over or reconfiguring your node via radio.
Frequently Asked Questions
Are all messages encrypted in MeshCore?
No, only messages on channels with a PSK are encrypted. The primary channel is often public (no PSK) for general communication. You can make secondary channels private with your own PSK. You choose per channel whether encryption is active.
Can someone intercept and read my messages?
On public channels without PSK: yes, anyone with a MeshCore node can listen. On encrypted channels: no, only people with the PSK can decrypt. LoRa radio is broadcast, so encryption is essential for privacy.
How useful is the current MeshCore encryption model?
It is clearly better than broadcasting private traffic in the clear. At the same time, RegionMesh now avoids presenting it as a modern authenticated-encryption design or as classic end-to-end messaging in the Signal sense.
What happens if someone obtains my PSK?
Then that person can read and send all messages on that channel. This is the disadvantage of symmetric encryption. So change PSK immediately if you suspect the key has been compromised. Only share PSKs via secure channels (not via radio!).
Does MeshCore support classic end-to-end encryption between individuals?
RegionMesh no longer describes the current implementation that way. The better summary is that private traffic is encrypted, while the exact trust and key model differs from modern secure messengers.
Does encryption affect range or battery life?
No, negligible impact. Hardware AES on ESP32 is remarkably fast (<1 ms per message). You will not notice any difference in range, speed, or battery life between encrypted and unencrypted channels. Encryption is essentially free in terms of performance.
Secure Your MeshCore Communication
Ready to set up an encrypted mesh network? Choose your device and configure private traffic with realistic expectations about the current MeshCore encryption model.