Welcome back, aspiring cyberwarriors!
Your messages travel through the mesh network, jumping from device to device, and might stay unencrypted. You need to understand how Meshtastic encryption works and how to set it up correctly, because a poorly configured mesh network can expose your communications to anyone with a compatible radio and basic technical knowledge.
In this article, we will explore the encryption options that Meshtastic provides for group communication and direct messages. Let’s get rolling!
Step #1: Setting Up Your Hardware with the Android Meshtastic App
In this demonstration, I will use the Lilygo T-Echo device. We have an article that explains how to configure it. However, you can use any other Meshtastic-compatible device. Just make sure your device is running firmware version 2.5.0 or later to use the improved security features. When you connect the device to the Meshtastic app, the firmware version will be displayed.

Step #2: Configuring Pre-Shared Keys for Chat Channels
Chat Channels represent the primary method of group communication in Meshtastic networks. Each channel uses a Pre-Shared Key (PSK) that all participants must possess to participate in the conversation. The PSK serves as the encryption key (specifically AES256-CTR), while the channel is identified by a hash derived from both the PSK and the channel name. This means only devices with the correct PSK can decrypt messages sent on that channel, though it’s important to understand that the encrypted packets themselves are still broadcast over the radio and visible to anyone in range; they just can’t decrypt them without the PSK.
The default channel on a fresh Meshtastic installation (typically called “LongFast”) uses a well-known PSK (AQ==, which is simply a single null byte) that provides no real security whatsoever. Anyone with a Meshtastic device can receive and decrypt messages sent on the default channel, making it suitable only for public announcements or testing purposes. For any sensitive communications, you must configure custom channels with randomly generated PSKs that are shared only with trusted participants.
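The rules above (empty PSK, one-byte selector, 16- or 32-byte key) are easy to check by hand, so here is an added example, written for this article rather than taken from the Meshtastic project, that decodes a channel PSK the way the app displays it, classifies what protection it gives, generates a fresh 32-byte key, and computes the one-byte channel hash. The length rules and the XOR-based channel hash are my reading of the firmware's behaviour; the `ChannelHash` function expects a full-length key, not a one-byte selector, and the `PSKClass` names are my own.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// PSKClass describes what a channel's pre-shared key actually provides.
type PSKClass string

const (
	PSKNone    PSKClass = "no encryption"
	PSKDefault PSKClass = "built-in default key (publicly known)"
	PSKAES128  PSKClass = "AES-128 (16-byte key)"
	PSKAES256  PSKClass = "AES-256 (32-byte key)"
)

// ClassifyPSK decodes a base64 PSK string as shown in the Meshtastic app and
// reports the protection it gives. Length rules as I understand the firmware:
// empty = no crypto; one byte = a selector for a built-in key (the default
// channel's AQ== is one of these, and a selector of 0 disables crypto);
// 16 bytes = AES-128; 32 bytes = AES-256.
func ClassifyPSK(b64 string) (PSKClass, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", fmt.Errorf("PSK is not valid base64: %w", err)
	}
	switch len(raw) {
	case 0:
		return PSKNone, nil
	case 1:
		if raw[0] == 0 {
			return PSKNone, nil
		}
		return PSKDefault, nil
	case 16:
		return PSKAES128, nil
	case 32:
		return PSKAES256, nil
	default:
		return "", fmt.Errorf("unsupported PSK length: %d bytes", len(raw))
	}
}

// SafeForSensitiveTraffic is the policy check to apply before trusting a
// channel: only a full-length key counts, never the default selector.
func SafeForSensitiveTraffic(b64 string) bool {
	c, err := ClassifyPSK(b64)
	return err == nil && (c == PSKAES128 || c == PSKAES256)
}

// NewRandomPSK draws a 32-byte key from the OS CSPRNG and returns it base64
// encoded, the form the app shows and the QR code carries.
func NewRandomPSK() (string, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(key), nil
}

// xorHash folds a byte slice into one byte by XOR.
func xorHash(b []byte) byte {
	var h byte
	for _, x := range b {
		h ^= x
	}
	return h
}

// ChannelHash is the one-byte channel identifier sent in the clear with each
// packet: XOR-hash of the name XORed with XOR-hash of the key bytes (my
// reading of the firmware). Being 8 bits, it is a label, not a secret.
func ChannelHash(name string, key []byte) byte {
	return xorHash([]byte(name)) ^ xorHash(key)
}

func main() {
	for _, psk := range []string{"AQ==", ""} {
		c, _ := ClassifyPSK(psk)
		fmt.Printf("%q -> %s (safe for sensitive traffic: %v)\n", psk, c, SafeForSensitiveTraffic(psk))
	}
	fresh, _ := NewRandomPSK()
	fmt.Println("generated:", fresh, "safe:", SafeForSensitiveTraffic(fresh))
}
```

Running it shows why the default channel is public: "AQ==" classifies as the built-in key, and only a freshly generated 32-byte value passes the safety check.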
To create a secure channel, we need to open Settings and then the Channels section. In the bottom-right corner you'll see a plus sign; click on it and you'll see a screen like the one below.

Here, you need to specify a channel name; in my case, it'll be just "Secure". Immediately after entering the name, the app will generate a random PSK automatically. That's all; click Save.

You'll be returned to the Channels settings; click Send. Now the channel is ready, and the only thing left to do is share this channel configuration with the other participants who should have access. The easiest method is to generate a QR code that other users can scan with their Meshtastic apps to automatically configure the same channel settings, including the PSK.
To do so, switch to the Conversations tab and click on the QR code icon; you'll see a window like the one below.

Now, any messages you send on this channel will be encrypted with AES256 using that channel’s PSK, and only devices with the correct PSK will be able to decrypt and read them. Remember: while your messages are encrypted, the radio transmissions are still broadcast publicly. Encryption prevents eavesdroppers from reading the content, but doesn’t hide the fact that communication is occurring.
Step #3: Public Key Cryptography for Direct Messages
Direct Messages in Meshtastic firmware version 2.5.0 and later utilize Public Key Cryptography (PKC) to provide authenticated and encrypted one-to-one communications between devices. Unlike channel communications, where all participants share the same password (PSK), Direct Messages use a more sophisticated system where each device has its own unique public and private key pair based on Curve25519 and Ed25519 cryptography.
When you send a Direct Message to another device, Meshtastic uses a hybrid encryption approach for efficiency:
- A random AES session key is generated for that specific message
- Your message is encrypted using that session key with AES
- The session key itself is encrypted using Curve25519 key agreement with the recipient’s public key
- The message is digitally signed using your Ed25519 private key

This ensures that only the recipient with the corresponding private key can decrypt the session key (and thus the message), providing confidentiality. The digital signature allows the recipient to verify that the message actually came from you and has not been tampered with in transit, providing authentication.
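To make the four steps concrete, here is an added example, written for this article and not taken from the Meshtastic firmware, that walks a message through them with Go's standard library: a random session key encrypts the body, X25519 agreement with the recipient's public key derives a key that wraps the session key, and the sender's Ed25519 key signs the result; the recipient verifies first and only then unwraps and decrypts. This is a generic illustration of the hybrid pattern the article describes, not the Meshtastic wire format: the `Node` and `DirectMessage` types, the use of AES-256-GCM, and deriving the wrapping key as SHA-256 of the shared secret are my choices for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Node is a hypothetical model of one mesh device holding the two key pairs
// the article mentions: Curve25519 (X25519) for key agreement, Ed25519 for
// signatures. Only DHPub and SigPub are shared with the mesh.
type Node struct {
	Name    string
	dhPriv  *ecdh.PrivateKey
	sigPriv ed25519.PrivateKey
	DHPub   *ecdh.PublicKey
	SigPub  ed25519.PublicKey
}

// NewNode generates both key pairs, as the firmware does on first boot.
func NewNode(name string) (*Node, error) {
	dhPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	sigPub, sigPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Node{Name: name, dhPriv: dhPriv, sigPriv: sigPriv, DHPub: dhPriv.PublicKey(), SigPub: sigPub}, nil
}

// DirectMessage is this example's envelope (not the Meshtastic packet format).
type DirectMessage struct {
	WrappedKey []byte // session key, encrypted under the X25519-derived key
	Ciphertext []byte // message body, encrypted under the session key
	Signature  []byte // Ed25519 signature over WrappedKey || Ciphertext
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with AES-256-GCM and prepends the random nonce.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aeadOpen reverses aeadSeal and fails on any modification or wrong key.
func aeadOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// wrapKey derives the key-wrapping key from the X25519 shared secret with peer.
func (n *Node) wrapKey(peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := n.dhPriv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared) // hash the raw shared secret before use as a key
	return k[:], nil
}

// Send performs the article's four steps: random session key, encrypt the
// body, wrap the session key for the recipient, sign everything.
func (n *Node) Send(to *ecdh.PublicKey, plaintext []byte) (*DirectMessage, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	ct, err := aeadSeal(sessionKey, plaintext)
	if err != nil {
		return nil, err
	}
	wk, err := n.wrapKey(to)
	if err != nil {
		return nil, err
	}
	wrapped, err := aeadSeal(wk, sessionKey)
	if err != nil {
		return nil, err
	}
	signed := append(append([]byte{}, wrapped...), ct...)
	return &DirectMessage{WrappedKey: wrapped, Ciphertext: ct, Signature: ed25519.Sign(n.sigPriv, signed)}, nil
}

// Receive verifies the signature first (authentication), then unwraps the
// session key and decrypts (confidentiality); any failure rejects the message.
func (n *Node) Receive(fromDH *ecdh.PublicKey, fromSig ed25519.PublicKey, m *DirectMessage) ([]byte, error) {
	signed := append(append([]byte{}, m.WrappedKey...), m.Ciphertext...)
	if !ed25519.Verify(fromSig, signed, m.Signature) {
		return nil, errors.New("signature does not verify: wrong sender or tampered in transit")
	}
	wk, err := n.wrapKey(fromDH)
	if err != nil {
		return nil, err
	}
	sessionKey, err := aeadOpen(wk, m.WrappedKey)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not the intended recipient")
	}
	return aeadOpen(sessionKey, m.Ciphertext)
}

func main() {
	alice, _ := NewNode("alice")
	bob, _ := NewNode("bob")
	msg, _ := alice.Send(bob.DHPub, []byte("constructed sample message"))
	pt, err := bob.Receive(alice.DHPub, alice.SigPub, msg)
	fmt.Printf("bob reads %q (err=%v)\n", pt, err)
}
```

The order in `Receive` matters: the signature is checked over the ciphertext before any decryption, so a tampered or mis-attributed message is rejected without touching key material, and a third node that captures the packet can verify who sent it but cannot unwrap the session key because the X25519 secret it derives with its own private key differs from the recipient's.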
Important note: While the message content is encrypted, metadata such as sender ID, recipient ID, and timestamps remain visible to anyone monitoring the radio network. This is inherent to how mesh routing works.
The good news is that enabling Public Key Cryptography for Direct Messages requires almost no configuration on your part when using the Android app! In firmware version 2.5.0 and later, the device automatically generates its key pair when you first power it on with the updated firmware, and keys are automatically exchanged with other devices as needed through the mesh network.
Summary
In this article, we covered Pre-Shared Keys for securing group chat channels and Public Key Cryptography for protecting Direct Messages on your Meshtastic device. By implementing these encryption mechanisms, you can achieve decentralized communications where message content is protected from eavesdropping and tampering.
Source: HackersArise
Source Link: https://hackers-arise.com/off-grid-communications-part-4-securing-your-meshtastic-communications/