About Encryption

After flashing the hAP, this message will appear only once:

This node is not yet configured.
Go to the setup page and set your node name and password.
Click Save Changes, even if you didn't make any changes, then the node will reboot.

This device can be configured to either permit or prohibit known encrypted traffic on its RF link. It is up to the user to decide which is appropriate based on how it will be used and the license under which it will be operated. These rules vary by country, frequency, and intended use. You are encouraged to read and understand these rules before going further.

This device is pre-configured with no restrictions as to the type of data being passed.

Follow these steps if you wish to prohibit known encrypted traffic on the RF link. These instructions will disappear, so copy them for your reference:

  1. Setup your node name and password as instructed at the top of this page
  2. After you Save Changes allow your node to reboot
  3. Return to the Node Status page and navigate to Setup > Administration
  4. Obtain the blockknownencryption package from the AREDN™ website OR refresh the Package list (node must be connected to the internet)
  5. Install the blockknownencryption package by uploading it or choosing it from the package drop-down list
  6. Wait until the package installs and then reboot your node

Section 47 (b) of the Radiocommunication Regulations stipulates that:

47 A person who operates radio apparatus in the amateur radio service may only:

(b) use a code or cipher that is not secret

  • Unencrypted data uses a code that is not secret, so it's not a problem,
  • but encrypted data uses ciphers that are secret, so it's not allowed.

To ensure that no encrypted data is transmitted on the air, there are two layers of filters that can be applied.

Layer 1

The first layer is to configure your node so that it doesn't share its internet connection. Under the Basic Setup page, leave this unchecked:

There are times, however, when you'll need to allow WAN access to other devices temporarily (for example, if you need to upgrade the firmware on a device not directly connected to the internet):

  • The hAP is connected to the internet so its firmware can be readily upgraded, but
  • a dish connected to the hAP will need to share the hAP's internet connection first.

The safest way to do this is to:

  1. Disconnect all connections to other nodes (tunnels, RF links, etc.)
  2. Once everyone else disappears from the network, enable WAN access

During that time, encrypted data could flow between the hAP and the dish over CAT5e, but nothing will be transmitted over RF (which is what we are concerned with).

This, however, doesn't prevent others on the network from passing internet traffic through their node, which you could access (but shouldn't) even if you're not sharing your internet connection.

Layer 2

So the second layer is to install the blockknownencryption package from the Administration page:

This should pretty much block any HTTPS addresses, but it could have some issues. And here's a more technical discussion.
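
To check what actually crosses the RF link once both layers are in place, the first payload bytes of each captured TCP flow can be tested for the cleartext handshake of a known encrypted protocol, whatever port it uses. This is an added example, not code from the blockknownencryption package or from AREDN; the function names are hypothetical and the flows are constructed sample data.

```python
import struct

SSH_BANNERS = (b"SSH-2.0-", b"SSH-1.99-")  # SSH identification strings (RFC 4253)


def classify_payload(data: bytes) -> str:
    """Classify the first bytes of a TCP stream as 'tls', 'ssh' or 'unrecognised'."""
    if data.startswith(SSH_BANNERS):
        return "ssh"
    # TLS record header: content type (1), version (2), length (2),
    # followed by the handshake message type (1).
    if len(data) >= 6:
        rec_type, major, minor, length = struct.unpack("!BBBH", data[:5])
        is_handshake = rec_type == 0x16                   # 22 = handshake record
        sane_version = major == 0x03 and minor <= 0x04    # SSL 3.0 .. TLS 1.3
        sane_length = 0 < length <= 16384 + 2048          # maximum record size
        hello = data[5] in (0x01, 0x02)                   # ClientHello / ServerHello
        if is_handshake and sane_version and sane_length and hello:
            return "tls"
    # 'unrecognised' only means no known handshake matched; it is not proof
    # that the payload is unencrypted.
    return "unrecognised"


def audit_flows(flows):
    """flows: iterable of (dst_port, first_payload_bytes); returns flagged (port, protocol)."""
    flagged = []
    for port, payload in flows:
        proto = classify_payload(payload)
        if proto != "unrecognised":
            flagged.append((port, proto))
    return flagged


# Constructed sample flows, as they might be extracted from a capture on the RF interface.
CLIENT_HELLO = bytes.fromhex("16 03 01 02 00 01 00 01 fc 03 03")
SAMPLE_FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: localnode\r\n\r\n"),  # plain HTTP
    (443, CLIENT_HELLO),                                # HTTPS on its usual port
    (8443, CLIENT_HELLO),                               # TLS on a non-standard port
    (2222, b"SSH-2.0-OpenSSH_9.6\r\n"),                 # SSH on a non-standard port
    (5000, b"\x16\x00\x01plain binary data"),           # starts with 0x16 but is not TLS
]

if __name__ == "__main__":
    for port, proto in audit_flows(SAMPLE_FLOWS):
        print(f"port {port}: {proto} handshake seen")
```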

