Cipher the private key in peers wg0.conf ?

Antonio Quartulli a at
Wed May 16 16:09:54 CEST 2018


On 16/05/18 22:06, Matthias Urlichs wrote:
> On 16.05.2018 14:53, reiner otto wrote:
>> Actually, in wg0.conf the private key is defined in clear text. Which allows dump of physical disk to grab it
>> and to fake this client.
> So? If you have physical access to the peer's (unencrypted) disk you can
> do anything. Security is over.
>> Wouldn't it be safer, to cipher the private key somehow ?
> Where would you store the key for that?
> If you need that kind of safety, encrypt the whole disk. Securing the
> private key doesn't help if you can simply subvert the binary that
> decrypts it.

I think this can be compared to classic encrypted private keys, where
you need to decrypt them (normally with a passphrase) before they can be
loaded by the SSL library.

Maybe this could just be a feature in the wg tool, which could decrypt
the key before pushing it down to the kernel.


Antonio Quartulli

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the WireGuard mailing list