# Key Management Guide
PSK lifecycle, operator roles, key rotation procedures, and credential management for LA-Mesh.
## Key Types

| Key | Type | Stored Where | Rotated |
|---|---|---|---|
| Channel PSK (x3) | Symmetric (AES-256) | Operator encrypted storage | Quarterly |
| Device PKC key pair | Asymmetric (X25519) | On-device only | On firmware update |
| MQTT credentials | Username/password | Encrypted keystore (KeePassXC) | On compromise |
| SMTP credentials | API token | Encrypted keystore (KeePassXC) | On compromise |
## PSK Generation

```bash
# Generate a 256-bit random PSK on a trusted machine
openssl rand -base64 32
```

Produces a key like: `K7xR2p4mN8vQwY3jH6fL0tBuI9sDcE5gA1rO7kZ4hXs=`
## PSK Distribution Rules

- Generate on an air-gapped device or trusted machine
- Distribute ONLY in person, face-to-face
- Never send via text, email, Signal, or any digital channel
- Write on paper, show screen, or use QR code in-person
- Destroy paper copies after devices are configured
- Rotate quarterly or immediately on suspected compromise
## PSK Application

```bash
# Apply PSK to device
meshtastic --ch-set psk "<base64-psk>" --ch-index 0
# Verify
meshtastic --info
```
## Compromise Response

| Event | Action |
|---|---|
| Suspected PSK leak | Rotate affected channel immediately |
| Device theft | Rotate all channels, attempt remote wipe via admin channel |
| Firmware vulnerability | Update all devices, rotate PKC keys if needed |
| Operator departure | Rotate admin channel PSK |
## Recommended Tools

| Tool | Purpose |
|---|---|
| KeePassXC | Offline AES-256 encrypted credential storage for PSKs, MQTT/SMTP credentials, and API tokens |
| OMEMO | Signal Protocol over federated XMPP -- end-to-end encrypted messaging for operator coordination |