Meshtastic Encryption & Channel Security: What Is and Isn’t Private on a Mesh
Meshtastic is the off-grid comms backbone of a sovereignty stack — long-range LoRa text and telemetry with no carrier, no SIM, and no infrastructure. It is also “encrypted by default,” and that phrase hides exactly the caveats that matter. This is the canonical reference for what is and isn’t private on a Meshtastic mesh, how the encryption actually works, and where its documented weak points are.
TL;DR — what’s private on a mesh:
- Channel payloads are encrypted with AES-256-CTR — but the default channel uses a publicly known key, so it is effectively public until you set your own.
- The packet header is always cleartext: sender, destination, packet ID, hop limit and channel hash are visible to anyone with a radio. Who-talks-to-whom and when leaks even when content does not.
- Since firmware 2.5 (Sept 2024), direct messages can be end-to-end encrypted with public-key crypto, so relays can’t read them.
- Channel encryption has no integrity check and no forward secrecy — there are real, documented weaknesses below.
How channel encryption works (AES-256-CTR + a pre-shared key)
Each channel encrypts the packet payload with AES in CTR mode, using that channel’s pre-shared key (PSK). Every channel has its own key. The key length is configurable — 0-bit (cleartext), a short “default key” byte, 128-bit, or 256-bit — and the cipher follows the key, so a 256-bit PSK gives you AES-256 while a 128-bit PSK gives AES-128. For anything you actually want private, use a full random 256-bit key.
A single node holds up to eight channels — one Primary plus up to seven Secondary — all riding the same physical radio and frequency, each with its own PSK. The channel name is reduced to a one-byte “channel hash” that a receiver uses to decide which key to try; the full name isn’t broadcast, but that hash is a weak public identifier of which channel a packet belongs to.
The LongFast / default-key trap (the #1 misconception)
“LongFast” is the default modem preset — a set of long-range, fast LoRa radio parameters — and the default Primary channel rides on it with a well-known default PSK. In the apps that key shows as the base64 string AQ==, which is the single byte 0x01. The firmware expands that short key into a fixed 16-byte default PSK (the exact bytes are documented in community references rather than on the official page), substituting the index byte at the end.
The consequence is simple and constantly missed: any stock Meshtastic node can read everything on the default channel. It exists for onboarding and discovery, not privacy. Real privacy starts the moment you create a channel with your own random key — and share that channel’s invite out-of-band only.
Why channel messages can be spoofed without the key
CTR mode works by generating a keystream from an initialization vector (IV) and XORing it with the plaintext. Meshtastic derives that IV deterministically from the sender’s node number and the message’s packet ID. Two problems follow, both acknowledged in the project’s own limitations documentation:
- No integrity / authentication on channel messages. Because nothing authenticates a PSK-encrypted packet, an attacker who can guess a plaintext can XOR it against the ciphertext to recover the keystream for that (node number, packet ID) pair, then inject a forged message — without ever knowing the channel PSK.
- IV reuse. Deterministic IVs mean a repeated (node number, packet ID) pair reuses keystream, which is a classic CTR-mode hazard. This is precisely why the newer direct-message scheme adds random nonce bytes.
Public-key direct messages (firmware 2.5.0+) — the part most guides skip
Firmware 2.5 introduced real end-to-end encryption for direct messages. Each node generates a Curve25519 key pair; a DM uses X25519 Diffie-Hellman to derive a shared secret with the recipient, then AES-CCM (an authenticated mode) to encrypt and authenticate the message. The scheme adds four extra random nonce bytes to avoid nonce reuse. The upshot: a DM is end-to-end encrypted even when it travels over the public default channel — relay nodes forward it but cannot read it, and clients mark such messages with a lock indicator.
Each node’s public key is distributed inside its regular NodeInfo announcement (itself sent under the channel PSK), so peers learn your key just by hearing you. Remote administration was hardened the same way: admin commands can be public-key-authorized, with a per-session key and a 300-second timeout to limit replay.
The trust model: Trust-On-First-Use, and its limits
There is no certificate authority. A node binds the first public key it hears for a given node number and keeps using it — Trust-On-First-Use (TOFU). That is convenient, but it has a real failure mode. Most hardware keeps a node database of roughly 100 nodes; when it fills, the least-interesting entries roll off. Once a node has rolled off, the firmware can no longer be sure a future announcement for that node number isn’t an impostor presenting a different public key — an impersonation window. For sensitive direct messages, verify a peer’s key out-of-band before you trust it; the in-app verification flow evolves between releases, so check the current documentation.
Known weaknesses and advisories
An honest mesh operator should know these going in:
- No integrity on channel messages — the spoofing path described above.
- No forward secrecy. A leaked channel PSK exposes all captured past and future traffic on that channel; compromising a node’s private key exposes its DMs. Harvest-now-decrypt-later is explicitly acknowledged as a risk.
- Lock icons can mislead. Advisory GHSA-377p-prwp-4hwf documented that a forged DM sent without public-key crypto could still display with an encrypted/lock indicator — treat a lock as a hint, not a guarantee.
- Weak-entropy key generation (CVE-2025-52464). The project disclosed that on some hardware, insufficient entropy produced duplicated X25519 key pairs, which could let an attacker decrypt or forge that node’s DMs. The remediation is to keep firmware current and, on affected hardware, regenerate the node’s key pair — consult the official Meshtastic security advisory for the exact fixed version and the affected-hardware list before relying on a device.
What still leaks: the metadata reality
Even with a strong PSK and PKI DMs, a mesh is not anonymous. The always-cleartext header exposes the sender and destination node numbers, packet ID, hop limit and channel hash, so anyone with a software-defined radio or an ordinary node can do traffic analysis — who is talking, when, on which channel hash, how often, and who is simply present. Two more leaks are worth pinning:
- Position and telemetry. Broadcasting position on a channel hands your coordinates to every PSK-holder on it. Disable or coarsen position for OPSEC.
- The channel-share link is the secret. The URL or QR code that invites someone to a channel contains the PSK. The link is the password — never post it publicly.
Key-management checklist
- Never rely on the default
AQ==key for anything private — create a channel with a random 256-bit PSK. - Share channel URLs and QR codes out-of-band only, and rotate the PSK if a device is lost or a member leaves (no forward secrecy means an old key stays dangerous).
- Keep firmware current and, on hardware affected by the entropy issue, regenerate the node key pair after updating.
- Verify peer public keys out-of-band before trusting PKI DMs, and stay aware of the TOFU roll-off impersonation window on busy meshes.
- Back up your node’s private key — a re-flash regenerates it and breaks existing TOFU trust, because peers will see a new key for your node number.
- Minimise metadata: disable precise position, reduce telemetry broadcasts, and assume traffic analysis is always possible.
- For one-to-one secrecy, prefer PKI direct messages over shared-channel broadcasts.
Frequently asked questions
Is Meshtastic encrypted by default?
Yes, but the default channel uses a publicly known key, so it is effectively public until you set your own PSK.
Can someone read my Meshtastic messages?
On the default channel, yes. On a private channel with a strong PSK, only key-holders can. A public-key direct message can be read only by its recipient. Metadata always leaks regardless.
Does Meshtastic have end-to-end encryption?
For direct messages on firmware 2.5 and later, yes — X25519 key exchange with AES-CCM. Channel messages use a shared group key, which is not per-recipient end-to-end encryption.
What is the strongest setting?
A random 256-bit channel PSK plus public-key direct messages on current, patched firmware — combined with metadata discipline.
Sources: official Meshtastic documentation (encryption overview, limitations, channels and technical reference), the v2.5 public-key-cryptography announcement, and the project’s published security advisories. Cryptographic details version-drift with firmware; current as of the 2.6.x series, June 2026 — verify specifics against the official docs at the time you read this. Part of D-Central’s mesh networking hub and digital sovereignty reference set.
Related products, repair, and setup paths
- Bitcoiner sovereignty hub
- the plebs sovereign stack
- Nostr for Bitcoiners
- run your own Nostr relay
- getting started with Meshtastic
- Bitcoin over Meshtastic mesh networks
- open-source hardware tools directory
- off-grid Bitcoin mining
Last reviewed June 21, 2026.
