On 18.08.19 at 19:09, Reto wrote:
> For starters, storing stuff on a hard disc is certainly not "quite insecure".
> Are you aware that you can encrypt discs / partitions / files?
Anyone with access to the running machine, or malicious software on it, can read
the keys on the hard disk.
How do you decrypt the encrypted disk on a headless machine which has to reboot
autonomously on error conditions?
> Wireguard also allows you to set the private key on the fly, so you can feed it
> for example secrets stored in pass (gpg encrypted), which you *can* decrypt with
> a yubikey already.
> Are you speaking specifically about wg-quick?
> In that case the manpage already shows you how to feed wg encrypted secrets:
>
>     Or, perhaps it is desirable to store private keys in encrypted form, such as
>     through use of pass(1):
>
>         PostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)
The point of security tokens is that you never get access to the private key.
Instead you pass the stream cipher, encrypted with the public key, to the security
token to be decrypted by the security token.
Regards,
Renne
_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
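An added example of the mechanism the quoted wg-quick manpage line relies on; it is not code from this thread or from the WireGuard project. `wg set IFACE private-key FILE` reads the key from FILE, and FILE may be a file-descriptor path, which is why `<(pass ...)` keeps the decrypted key off disk and out of the argv that `ps` shows. The functions `read_wg_key` and `wg_set_private_key`, the return code 2 for a missing `wg` binary, and the `head -c 32 /dev/urandom | base64` stand-in for `wg genkey` are all assumptions of this example; the 32-byte/44-character key format and the `private-key FILE` argument are WireGuard's own.

```bash
#!/usr/bin/env bash
# Added example, not from the mailing-list thread or from the WireGuard
# project. Demonstrates the mechanism behind
#   PostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)
# `wg set ... private-key FILE` reads the key from FILE, and FILE can be a
# file-descriptor path (/dev/fd/N from bash's <(...), or /dev/stdin from a
# pipe), so the decrypted key is never written to disk and never appears in
# the argv that `ps` shows. Process substitution is bash-only; this example
# uses /dev/stdin so it also runs under plain POSIX sh.

# read_wg_key FILE: read one key from FILE, check that it is a well-formed
# WireGuard private key (base64 of exactly 32 bytes, i.e. 44 characters),
# and print it on stdout. Returns 1 on a malformed key. FILE is read once,
# which matters for fd paths: a <(...) or a pipe cannot be re-read.
read_wg_key() {
    key=""
    IFS= read -r key < "$1" || [ -n "$key" ] || return 1   # tolerate a missing trailing newline
    case "$key" in
        *[!A-Za-z0-9+/=]*) return 1 ;;                      # character outside the base64 alphabet
    esac
    [ "${#key}" -eq 44 ] || return 1                        # 32 bytes base64-encode to 44 chars
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ] || return 1                             # 44 chars can also be 31 bytes + padding
    printf '%s\n' "$key"
}

# wg_set_private_key IFACE FILE: validate the key from FILE, then hand it to
# wg over a pipe so it only ever lives in this shell's memory and the key
# material is not on the wg command line.
# Returns 1 for a bad key and 2 when wg is not installed (an assumption made
# so the example is runnable on a machine without WireGuard).
wg_set_private_key() {
    iface="$1"
    key=$(read_wg_key "$2") || return 1
    command -v wg >/dev/null 2>&1 || return 2
    printf '%s\n' "$key" | wg set "$iface" private-key /dev/stdin
}

# Usage with pass, equivalent to the wg-quick manpage's PostUp line:
#   pass WireGuard/private-keys/wg0 | wg_set_private_key wg0 /dev/stdin
#   wg_set_private_key wg0 <(pass WireGuard/private-keys/wg0)      # bash only
```

The second usage form is exactly what `<(pass ...)` in the manpage does: bash opens a pipe from `pass`, exposes it as `/dev/fd/N`, and `wg` opens that path. Either way the key is decrypted by gpg (and, if the gpg key lives on a YubiKey, by the token) only for the moment it is handed to the interface; the headless-reboot question in the reply above is about who unlocks gpg at that moment, which this code does not change.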