Cipher the private key in peers wg0.conf ?

Matthias Urlichs matthias at
Wed May 16 16:06:46 CEST 2018

On 16.05.2018 14:53, reiner otto wrote:
> Actually, in wg0.conf the private key is defined in clear text. Which allows a dump of the physical disk to grab it
> and to fake this client.

So? If you have physical access to the peer's (unencrypted) disk you can
do anything. Security is over.

> Wouldn't it be safer to cipher the private key somehow?

Where would you store the key for that?

If you need that kind of safety, encrypt the whole disk. Securing the
private key doesn't help if you can simply subvert the binary that
decrypts it.

-- Matthias Urlichs

