[WireGuard] Suggestion: Hide private key by default with wg tool

Bin Jin bjin at ctrl-d.org
Tue Jul 26 22:51:56 CEST 2016

Hello Jason,

I think there is a potential security issue regarding the use of "wg"
tool. By default "wg" will print the private keys in plain text to the
console. This isn't going to be a big issue in general, but if I was
showing my friend how to use wireguard, or using my computer in public
places with surveillance camera, without a option to hide private keys
I would very likely get my private keys compromised. IIUC, compromise
of private key won't have security impact assuming a passive attacker,
and an active attacker needs to have private keys from both side to
perform a MitM attack. But nonetheless, I think this could be fixed
very easily, to avoid actual potential security compromise.

Considering that most people would probably type "wg" without any
further options that explicitly hide all private keys (either without
the knowledge of the option, or by accident). I would suggest to hide
the private key by default (showing some text like "(private key
hidden by default)" instead), and add an option to allow user to
explicitly showing the private key like "--show-private-keys".



More information about the WireGuard mailing list