Rolling keys without service interuption

Ferris Ellis ferris at
Sat Dec 2 15:12:44 CET 2017


Awesome! That’s exactly what I needed :) I’ll try it out and post a follow up if I have any issues.


> On Dec 2, 2017, at 8:31 AM, Jason A. Donenfeld <Jason at> wrote:
> Hi Ferris,
> Firstly, WireGuard already has forward secrecy, which means every new
> session (negotiated every 2 minutes) has fresh keys that are
> forgotten, so old recorded traffic cannot be compromised.
> It sounds like, however, you want to rotate the long term static
> "identity" keys. This is possible to do gracefully. If you change the
> private key of an interface, it won't actually be used until the next
> handshake occurs, which means you can rollover gracefully. Likewise
> you can add new peers (via public keys) dynamically at runtime. Moving
> a distinct allowed IP from one peer to another is an atomic operation
> as well.
> Hope this helps!
> Regards,
> Jason

More information about the WireGuard mailing list