diff --git a/docs/site-example/site.conf b/docs/site-example/site.conf
index 698ab8de43fa801128bda69cb9f943214a0dfa95..9ea420ef6dd3a8910768fc8126d6c5e5b878bd45 100644
--- a/docs/site-example/site.conf
+++ b/docs/site-example/site.conf
@@ -15,6 +15,11 @@
   -- Shorthand of the community.
   site_code = 'ffxx',
 
+  -- 32 bytes of random data, encoded in hexacimal
+  -- Must be the same of all nodes in one mesh domain
+  -- Can be generated using: echo $(hexdump -n 32 -e '1/1 "%02x"' </dev/urandom)
+  site_seed = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
+
   -- Prefixes used within the mesh.
   -- prefix6 is required, prefix4 can be omitted if next_node.ip4
   -- is not set.
diff --git a/docs/user/site.rst b/docs/user/site.rst
index 51b9e78a94b08977cc8b2a41f87e0a719f705315..d82cdd9562e56c836a45feba232ab158863a6364 100644
--- a/docs/user/site.rst
+++ b/docs/user/site.rst
@@ -21,6 +21,17 @@ site_code
     The code of your community. It is good practice to use the TLD of
     your community here.
 
+site_seed
+    32 bytes of random data, encoded in hexadecimal, used to seed other random
+    values specific to the mesh domain. It must be the same for all nodes of one
+    mesh, but should be different for firmwares that are not supposed to mesh with
+    each other.
+
+    The recommended way to generate a value for a new site is:
+    ::
+
+        echo $(hexdump -n 32 -e '1/1 "%02x"' </dev/urandom)
+
 prefix4 \: optional
     The IPv4 Subnet of your community mesh network in CIDR notation, e.g.
     ::
diff --git a/package/gluon-core/check_site.lua b/package/gluon-core/check_site.lua
index d26b16716b69d6f416ca70a2e70bb46adb16d06e..14d102a02f897acb38a226a0c07e965fbd35d32d 100644
--- a/package/gluon-core/check_site.lua
+++ b/package/gluon-core/check_site.lua
@@ -1,5 +1,6 @@
 need_string 'site_code'
 need_string 'site_name'
+need_string_match('site_seed', '^' .. ('%x'):rep(64) .. '$')
 
 if need_table('opkg', nil, false) then
 	need_string('opkg.lede', false)
diff --git a/package/gluon-core/luasrc/usr/lib/lua/gluon/util.lua b/package/gluon-core/luasrc/usr/lib/lua/gluon/util.lua
index 80888c8b15b9ca5db566b9619f9f630f13e7bd95..3829841fd201cd6f8afb27dd1639639d242cc5e3 100644
--- a/package/gluon-core/luasrc/usr/lib/lua/gluon/util.lua
+++ b/package/gluon-core/luasrc/usr/lib/lua/gluon/util.lua
@@ -122,6 +122,22 @@ function node_id()
 	return string.gsub(sysconfig.primary_mac, ':', '')
 end
 
+function site_seed_bytes(key, length)
+	local ret = ''
+	local v = ''
+	local i = 0
+
+	-- Inspired by HKDF key expansion, but much simpler, as we don't need
+	-- cryptographic strength
+	while ret:len() < 2*length do
+		i = i + 1
+		v = hash.md5(v .. key .. site.site_seed .. i)
+		ret = ret .. v
+	end
+
+	return ret:sub(0, 2*length)
+end
+
 function get_mesh_devices(uconn)
 	local dump = uconn:call("network.interface", "dump", {})
 	local devices = {}