How does a legacy device become member of and communicate securely with the Bluetooth mesh network?


In the Getting Started guide of the Bluetooth Mesh SDK it is stated that legacy non-mesh devices can communicate with the mesh via a proxy mesh device through tunneling and also that mesh security also applies to that communication part. But I'm wonder how the mesh security is implemented there? Does the non-mesh device also encrypt his messages with the network key and used application key for that message? If so, does the non-mesh device store that network key and associated application keys in the same way as a mesh device? Or thus can the non-mesh device also work with models and thus implement models in the same way a mesh device does but just can't communicate over the same kind of bearer? Or is their something else at work here? Does the Proxy Protocol have its own security ways or such? Some clarifications would be very helpful :)

Thanks in advance!

Kind regards,


  • Hi Mathias,

    by non-mesh devices we mean devices that does not support the ADV bearer, e.g. smartphones with BLE stacks that does not allow you to set the Mesh Message AD Type in a BLE Advertisment Packet.

    So yes, the device that does not support the ADV bearer still needs to implement the rest Bluetooh Mesh Stack, i.e. the Network Layer up to the Model layer, so it will implement the mesh security the same way as mesh nodes that only support the ADV bearer.

    The only difference is that the Network /Provisoning PDUs are placed inside Proxy PDUs which in turn is sent over a GATT connection to a mesh node that supports both the GATT and ADV bearer. Upon reception the Network/Provisioning PDU is extracted from the Proxy PDU and relayed to the rest of the mesh using the ADV bearer.

    Hope that this clarifies it.

    Best regards