Rolling keys without service interruption
Ferris Ellis
ferris at ferrisellis.com
Sat Dec 2 15:12:44 CET 2017
Jason,
Awesome! That’s exactly what I needed :) I’ll try it out and post a follow-up if I have any issues.
Cheers,
Ferris
> On Dec 2, 2017, at 8:31 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> Hi Ferris,
>
> Firstly, WireGuard already has forward secrecy, which means every new
> session (negotiated every 2 minutes) has fresh keys that are
> forgotten, so old recorded traffic cannot be compromised.
>
> It sounds like, however, you want to rotate the long term static
> "identity" keys. This is possible to do gracefully. If you change the
> private key of an interface, it won't actually be used until the next
> handshake occurs, which means you can rollover gracefully. Likewise
> you can add new peers (via public keys) dynamically at runtime. Moving
> a distinct allowed IP from one peer to another is an atomic operation
> as well.
>
> Hope this helps!
>
> Regards,
> Jason
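The rollover Jason describes, written out as a shell script. This is an added example, not code from the WireGuard project or from either poster. It assumes wg(8) is installed; the interface name wg0, the endpoint 203.0.113.7:51820 and the allowed IP 10.0.0.2/32 are placeholders chosen for illustration, and the remote side takes the old peer's endpoint and allowed IPs as arguments (on a real peer they come from `wg show wg0 endpoints` and `wg show wg0 allowed-ips`). `WG` can be pointed at a wrapper for a dry run.

```shell
#!/bin/sh
# Graceful rotation of a WireGuard static identity key, following the
# three points in the reply above:
#   1. `wg set <if> private-key` installs a new key that is only used at the
#      next handshake, so the running session is untouched;
#   2. peers can be added at runtime, and moving an allowed IP from one peer
#      entry to another is atomic;
#   3. the old peer entry is removed only after the new key has handshaken.
# Added example, not code from the WireGuard project or the list posters.
# Assumes wg(8) is installed; interface, endpoint and allowed IPs are
# placeholders chosen for illustration.
set -eu
umask 077                 # the new private key is written to a temp file

WG=${WG:-wg}              # wg(8) binary; point at a wrapper for a dry run
POLL_SLEEP=${POLL_SLEEP:-1}

# Public key for a base64 private key.
pubkey_of() {
    printf '%s\n' "$1" | "$WG" pubkey
}

# Rotating host: generate and install a new private key, print its public
# key. Traffic keeps flowing on the current session; a fresh handshake with
# the OLD identity will fail from now on, so push the new public key to every
# peer (cutover_peer) within the session lifetime (about 2 minutes per the
# reply above).
rotate_local_key() {
    iface=$1
    priv=$("$WG" genkey)
    tmp=$(mktemp)
    printf '%s\n' "$priv" > "$tmp"      # never pass the key on the command line
    "$WG" set "$iface" private-key "$tmp"
    rm -f "$tmp"
    pubkey_of "$priv"
}

# Remote peer: add the new public key with the same endpoint and allowed IPs.
# Cryptokey routing moves each allowed IP from the old entry to the new one
# atomically, so there is no moment at which the IP belongs to neither entry.
add_new_peer() {
    "$WG" set "$1" peer "$2" endpoint "$3" allowed-ips "$4"
}

# True once a peer has completed a handshake. `latest-handshakes` prints
# "<pubkey>\t<unix time>" per peer, with 0 for a peer that never handshaked.
handshook() {
    "$WG" show "$1" latest-handshakes |
        awk -v k="$2" '$1 == k && $2 > 0 { ok = 1 } END { exit !ok }'
}

remove_old_peer() {
    "$WG" set "$1" peer "$2" remove
}

# Remote-side cutover: add the new entry, wait for it to handshake, then
# retire the old one. Prints the number of polls used; non-zero exit on
# timeout, in which case the old entry is left in place and still works.
cutover_peer() {
    iface=$1 oldpub=$2 newpub=$3 endpoint=$4 allowed=$5 tries=${6:-60}
    add_new_peer "$iface" "$newpub" "$endpoint" "$allowed"
    n=0
    while [ "$n" -lt "$tries" ]; do
        n=$((n + 1))
        if handshook "$iface" "$newpub"; then
            remove_old_peer "$iface" "$oldpub"
            echo "$n"
            return 0
        fi
        sleep "$POLL_SLEEP"
    done
    echo "no handshake from $newpub after $tries polls; old peer kept" >&2
    return 1
}

# Usage:
#   on the rotating host:  ./rotate-wg-key.sh rotate wg0          -> prints NEWPUB
#   on each peer:          ./rotate-wg-key.sh cutover wg0 OLDPUB NEWPUB 203.0.113.7:51820 10.0.0.2/32
case "${1:-}" in
    rotate)  rotate_local_key "${2:-wg0}" ;;
    cutover) cutover_peer "$2" "$3" "$4" "$5" "$6" "${7:-60}" ;;
esac
```

Order matters on the remote side: the new peer entry goes in first, the old one is removed only after `latest-handshakes` shows the new key, since removing it earlier drops the session that is still carrying traffic. Between the `rotate` step and the last peer's `cutover`, any handshake attempted with the old identity fails, so the two should be run back to back.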