Private Meshtastic

Securing your Mesh

Meshtastic is a great way to send messages without the need for traditional IP connectivity, and it works out of the box in its default mode: sending messages to LongFast or the other built-in channels using a public encryption key. Where this breaks down is that anything you send to your primary channel, which is the channel used for position updates and other telemetry data, can be seen by anyone.

  • Primary Channel is where all device data and Mesh communication goes by default.
  • Secondary Channels are essentially where group messages occur; they are used to communicate with allowed devices on your mesh. A node can only access a secondary channel if it has that channel's key, which lets you stay on the public channel while sending messages privately to the nodes that hold the key.

By default the primary LongFast channel uses an 8-bit encryption key that is public, AQ==. This key is well known, so anyone using it on your mesh has access to your telemetry data. The upside is that you can be part of a larger mesh network and relay further by using other people's Meshtastic devices: you get the benefit of a larger installed base of devices that can act as relays for yours. The downside is that everyone on the mesh now has access to your telemetry data, which may not be desired.

So how do you fix this? The simple way is to change the encryption key for your primary channel to a 128-bit or 256-bit key and then apply that key to all of your devices. This immediately takes you off the public mesh and onto a private one. The downside is that you are now responsible for your mesh and for relay positioning in order to get the range you are looking for. On my 13-acre property it's not that big of an issue, as a pair of devices has range anywhere on it, and while a message may have a 5 or 10 second delay, it's adequate for what I am doing with it. I am mostly pasture, so line of sight isn't an issue, and I have a repeater placed not only to repeat but also to feed mesh telemetry data into MQTT, which is where the real power of Meshtastic comes through. I can do real-time tracking of my nodes and know where they are located, so I can attach them to equipment or just carry them around. If cell service is poor I can still communicate with the others on the mesh without having my messages exposed to other open Meshtastic users. This is useful for real-time tracking of your devices into either a TIG stack or directly into Home Assistant. I use both while I am deciding on use cases for them. I have found that with Home Assistant the benefit is that your node becomes a device and can be used to trigger automations and log status, battery life, location, etc. Using the TIG stack I can keep the data around longer to get trends, pulling it from MQTT into InfluxDB using Telegraf and visualizing it with Grafana.
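As an added example (not code from this post or from the Meshtastic project), the script below classifies a base64 channel PSK by its length, since the key's length is what decides between "public built-in key", AES-128 and AES-256 in Meshtastic, generates a fresh 256-bit key, and prints the Meshtastic Python CLI command that applies it to channel 0. The `--ch-index N --ch-set psk base64:...` syntax is assumed from the Meshtastic CLI documentation; check it against your installed CLI version.

```python
import base64
import secrets

# Meshtastic channel PSK sizes (channel protobuf definition):
#   0 bytes  -> no encryption
#   1 byte   -> index into the built-in public keys; AQ== is 0x01, the LongFast default
#   16 bytes -> AES-128
#   32 bytes -> AES-256
DEFAULT_PSK_B64 = "AQ=="


def classify_psk(psk_b64: str) -> str:
    """Return a strength class for a base64-encoded Meshtastic channel PSK."""
    try:
        raw = base64.b64decode(psk_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid"
    n = len(raw)
    if n == 0:
        return "unencrypted"
    if n == 1:
        # A 1-byte PSK is only an index to a well-known key, so it is public.
        return "public-default" if raw == b"\x01" else "public-simple"
    if n == 16:
        return "aes128"
    if n == 32:
        return "aes256"
    return "invalid"


def generate_psk(bits: int = 256) -> str:
    """Generate a random 128- or 256-bit PSK, base64-encoded for the CLI."""
    if bits not in (128, 256):
        raise ValueError("Meshtastic PSKs are 128 or 256 bits")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def cli_command(psk_b64: str, ch_index: int = 0) -> str:
    """Build the CLI invocation that applies a private key to the given channel.

    Refuses public (1-byte) or malformed keys so the mesh is never 'secured'
    with a key everyone already has. Run the same command on every node.
    """
    if classify_psk(psk_b64) not in ("aes128", "aes256"):
        raise ValueError("refusing to apply a public or invalid PSK")
    return f"meshtastic --ch-index {ch_index} --ch-set psk base64:{psk_b64}"


if __name__ == "__main__":
    key = generate_psk(256)
    print("default LongFast key:", classify_psk(DEFAULT_PSK_B64))
    print("new primary-channel key:", classify_psk(key))
    print(cli_command(key))
```

After applying the key, `meshtastic --info` on each node should show the same channel 0 PSK; a node still reporting AQ== is still on the public mesh.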

Meshtastic is powerful for this use case, and since I don't want people I don't know seeing the location and status of my devices, it made sense for me to encrypt the mesh on my property. If I were camping in the woods or at a concert and wanted to use it, I would have stuck with the 8-bit encrypted public mesh. That gives access to longer range, thanks to being able to use other nodes for message relay without needing my own equipment and strategically positioned relays.