Securing Meshtastic traffic

I’ve written a short article about the things I had thought about in relation to securing Meshtastic as it goes through the different mediums it has to go through.

I would love to hear your thoughts on this matter!

Well, at least in terms of DMs, things are changing.

Another point you don't mention is securing your nodes from physical attacks, i.e. if someone gets access to a node, they may well get access to the key for channels on the device.

Also, JSON messages to an MQTT server are not encrypted. Perhaps something to be aware of.

Thanks @barryhunter!
Good point in relation to DMs… and interesting developments to address this.

I actually mentioned the securing of the nodes, at least I tried, in the “One key to rule them all” section at the bottom, where I mention key rotation.

I will do an amendment to the MQTT part so I include that the JSON messages are sent unencrypted, to be aware of not sending them to public MQTT servers if that is not the intended effect.

While such an article is nice, please consider adding the pieces that are still lacking to the official documentation: Meshtastic Encryption | Meshtastic. There is an “Edit this page” button at the bottom.
Since things change rapidly within Meshtastic, users may end up seeing your article when (some of) it is already outdated, e.g. the new changes in 2.5. Keeping the official documentation up to date is already a lot of work, so all help is welcome.

Will check that page out, and also add a disclaimer at the beginning so people will end up reading the documentation :)

“The QR code is a handy mechanism that doesn’t leak information unless a user accesses the QR code’s URL on a JavaScript-enabled web browser, where the meshtastic.org website could access the part of the URL that includes the encryption key.”

This has been, and is, an enormous hole. Why it persisted this long is mysterious.