Question about psk2 and CCMP configuration

Hi. Apologies if this has been answered, but I've not been able to find it.

For my home network, I see the current recommendation for wifi security is to only use WPA2-PSK, and to force CCMP (and I think use the AES encryption method - I think CCMP does this?). And to use a complex random password.

I configure my router/wifi AP via the command line. Would setting 'option' 'encryption' to 'psk2' be the correct setting for this? Looking at the WPA modes table in the wireless configuration guide it seems that there are 3 settings that I think do the same thing: 'psk2,' 'psk2+aes,' psk2+ccmp.' The table indicates these settings all use the WPA version WPA2 Personal (PSK), and the cipher is CCMP.


option encryption 'psk2+ccmp'
option wpa_disable_eapol_key_retries '1'
option key '0000000000000000'
1 Like

New URL:

( is for archival purposes only and does not receive any updates any more)

1 Like

Looking at the code in /lib/netifd/ (Edit -- at least as of April, 2018)

        case "$encryption" in
                *tkip+aes|*tkip+ccmp|*aes+tkip|*ccmp+tkip) wpa_cipher="CCMP TKIP";;
                *aes|*ccmp) wpa_cipher="CCMP";;
                *tkip) wpa_cipher="TKIP";;

So, yes, aes and ccmp both end up specifying CCMP and the default, if none is given, is to use CCMP

Personally, I'd not rely on the default and explicitly specify the cipher.


Thank you all! Really appreciate your help.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.