Most consumer devices aren't 802.11s "aware" and don't clearly represent the SAE auth in the UI. LuCI, last I checked, also wasn't able to clearly indicate 802.11s being encrypted. iwinfo (at least from September, 2018) isn't very clear either.
Wireshark on a wireless, monitor interface can be used to confirm that the channel is encrypted.
You should be able to see the encryption negotiation in Wireshark as the peers associate. If you send unencrypted data over the connection (nc, netcat, socat, wget of an HTTP resource, ... ) you should not see "in the clear" data.
sae_passphrase in /etc/config/wireless doesn't seem to be used. If you check your wpa_supplicant (will be called something like /var/run/wpa_supplicant-mesh0.conf depending on what you name the mesh) I think you'll find the password is blank, or at least it was for mine using OpenWrt 18.06.1, until I used key instead.
Authentication convinces the parties of the identity of the other. Encryption makes the information that they exchange "difficult" for others to understand.
Checking openwrt-18.06 for the current state of the config parameter to use:
psk)
local passphrase
if [ "$_w_mode" != "mesh" ]; then
hostapd_append_wpa_key_mgmt
fi
key_mgmt="$wpa_key_mgmt"
if [ ${#key} -eq 64 ]; then
passphrase="psk=${key}"
else
if [ "$_w_mode" = "mesh" ]; then
passphrase="sae_password=\"${key}\""
else
passphrase="psk=\"${key}\""
fi
fi
append network_data "$passphrase" "$N$T"
;;
so it appears that current OpenWrt is looking for option key
But I found wpa_supplicant-*.conf contained sae_password="" unless I used option key in wireless instead. (And I confirmed that the mesh was using a blank password)
wpad-mesh is working with a password for me (openwrt 18.06.1 & 18.06.2) . I just tried the full wpad, and mesh doesn't associate with a password. I do seem to recall the full wpad working without a password.
I also seem to recall previously trying hostapd with wpa-supplicant-mesh installed successfully too.
Use of a monitor interface, tcpdump, and wireshark should let you see just what is being sent and convince yourself of encryption (one way or the other)
I did some tests on February 5, 2019 and this resulted:
OpenWRT 18.06.2 in Archer C60 and x86 with rtl8192ce (rtl8188ce):
If I use hostapd + wpa-supplicant-mesh:
They do not connect or pass the ping test.
Both appear in WirelessNetView and WiFi Analyzer with WEP encryption permanently.
In Luci they appear as a network without connected stations.
If I use wpad:
Nor does it appear in programs on Windows.
In Luci they appear as Wireless is not associated.
If I use wpad-mesh:
The nodes connect and pass the ping test.
On Windows it appears with WEP encryption permanently.
In Luci it appears that they are connected to each other correctly in "Associated Stations".
In all the tests I used the lines option encryption 'psk2+ccmp' and option key 'password' in the configuration file and dnsmasq disabled in the second node.
You should be able to see the encryption in the frames' metadata, as well as not seeing clear-text data in the payload. If you catch the association, you should be able to see the negotiation of encryption. Wireshark is very helpful for understanding the raw packets.