
Meshtastic backup & key security

Guide · updated June 2026

Your node’s private key is its identity on the mesh — and a reflash wipes it. Here’s how to back up your keys, keep direct messages private, and lock a node down.

What’s actually secret

Meshtastic has two separate kinds of keys, and it’s worth knowing which is which:

| Key | What it protects | Keep it… |
| --- | --- | --- |
| Node key pair | Direct messages. Since firmware 2.5 each node has a public/private key pair; DMs are encrypted to the recipient’s public key and signed by the sender’s private key. | Private key secret; the public key is broadcast. |
| Channel PSK | Everything on a channel (messages, position, telemetry). A shared pre-shared key everyone on that channel holds. | Secret — but the default one isn’t. |

The default channel is not private. The LongFast primary channel ships with a well-known key (AQ==) that everyone has. It obscures nothing. Real privacy means a custom channel with its own strong key — see below.

// the trap

Why a backup matters

Your node generates its key pair once, on first boot. That key pair is how the mesh knows it’s you.

A firmware erase & reinstall — or a factory reset — wipes the keys and generates new ones. The node comes back with a brand-new identity, and every other node that had your old public key can no longer send you encrypted direct messages until they re-learn the new one. Same story for any custom channel keys you’d set.

So the rule is simple: back up before you erase, reflash, or factory-reset.

// back it up

Make a backup

The reliable way is the Meshtastic CLI (a one-time pip install meshtastic). With the node connected by USB, export everything to a file:

# save the full config — including your public AND private keys
meshtastic --export-config > my-node-backup.yaml

# later, restore it onto a node
meshtastic --configure my-node-backup.yaml

That file is a master key. It contains your private key and any WiFi passwords in plain text — anyone who gets it can read your DMs and join your network. Store it in a password manager or an encrypted note. Never paste it in chat or commit it anywhere.
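
The plain redirect above creates the file with whatever permissions your umask allows, which on many systems means other local users can read it. A hardened version of the export step, as an added example (not Meshtastic project code); the helper names, the check for a privateKey field and the use of GnuPG are assumptions:

```shell
#!/bin/sh
# Added example (not Meshtastic project code). secure_export and
# encrypt_backup are hypothetical helper names.

# Export the connected node's config into FILE with owner-only permissions.
secure_export() {
    out=$1
    [ -n "$out" ] || { echo "usage: secure_export FILE" >&2; return 2; }
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing $out" >&2
        return 1
    fi
    # The subshell scopes umask 077, so the file is created as 0600 before
    # the private key is written into it (a chmod afterwards leaves a window).
    if ! ( umask 077; meshtastic --export-config > "$out" ); then
        rm -f "$out"
        echo "export failed; nothing kept" >&2
        return 1
    fi
    # Assumption: the export names the field "privateKey". Without it the
    # backup cannot restore the node's DM identity, so do not keep it.
    if ! grep -q 'privateKey' "$out"; then
        rm -f "$out"
        echo "no private key in export; nothing kept" >&2
        return 1
    fi
}

# Encrypt FILE with a passphrase and delete the plaintext copy.
# Assumption: GnuPG is installed; gpg prompts for the passphrase.
encrypt_backup() {
    gpg --symmetric --cipher-algo AES256 --output "$1.gpg" "$1" || return 1
    rm -f "$1"
}

# Typical use:
#   secure_export my-node-backup.yaml && encrypt_backup my-node-backup.yaml
```

Keep the passphrase in your password manager alongside the encrypted file's location; the `.gpg` file is what you store or sync.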

A few practical notes:

  • The app’s own export/import is handy but not bulletproof — people have hit cases where keys, channels or favorites didn’t fully restore. Treat the CLI export as your real backup.
  • At minimum, copy your private key from Settings → Security into your password manager. That alone preserves your DM identity.
  • Back up each node you care about — the keys are per-device.

// privacy

A private channel, shared safely

To actually talk privately, add a new channel with its own randomly generated key (use a 256-bit key, not the simple default). Everything on it is then readable only by people who have that key.

Share it with the channel QR code or URL from the app. But understand what that link is: it contains the key. Anyone you send it to — or anyone who sees it — can read the channel. Hand it out in person or over a trusted DM, never in a public post.

// advanced

Locking a node down

For a node you leave unattended — a repeater on a roof, say — two settings under Security add control:

  • Admin key — the public key(s) allowed to send it administrative commands. Only messages signed by those keys are accepted, so you can manage it remotely without anyone else doing the same.
  • Managed mode — stops the regular app from changing its config; settings can then only be changed through signed remote-admin messages. Confirm remote admin works before you switch this on, or you can lock yourself out.

Treat the config backup like the master password it is. If it leaks, regenerate keys (a fresh key pair), rebuild your private channels, and re-share the new keys with your people.

Back it up before it bites you

Questions on keys, channels or locking a node down? Ask in #meshtastic.