Key distribution and rotation tools?

Jason A. Donenfeld Jason at zx2c4.com
Wed May 23 00:06:03 CEST 2018


On Tue, May 22, 2018 at 3:42 PM, Giacomo Bernardi <mino at minux.it> wrote:
> rotate pre-shared secrets by design [1].

Ahh, my apologies, I read "pre-shared" and assumed you were talking
about PSK mode. But I think you're really interested in more general
key distribution.

Some people are just doing this over TLS with basic REST APIs
beforehand. Other people are distributing keys with their Ansible
deployments. Others are using pre-existing channels like SSH or LDAP.
Some people think it's a nice idea to stick it in DNS with DNSSEC.
There's a project out there called 'wireguard-p2p' that does this with
a DHT.

Because the WireGuard CLI is pretty simple, it seems that different
parties doing this tend to just use simple context-specific scripts
for automating this, rather than forming a project that's reusable. To
me, that seems like mostly a good thing -- our tools are basic enough
that people don't need to run three gigabyte large enterprise Java
daemons to manage it. On the other hand, I'm sure we could all benefit
from having some nice templated possibilities out there, either in
contrib/examples/ or even as their own project.

If anybody is interested in working on this kind of thing, get in touch!
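
The kind of small templating script discussed above, as an added example that is not part of the original message and not WireGuard project code: it validates an inventory of public keys and renders the `[Peer]` sections for one host of a full mesh. The inventory layout, host names, addresses and function names are assumptions, and the keys are constructed sample values.

```python
import base64
import binascii

def _sample_key(b):
    # Constructed placeholder: base64 of 32 identical bytes, not a real key.
    return base64.b64encode(bytes([b]) * 32).decode()

# Constructed inventory (assumed layout). Only public keys are shared;
# each host keeps its private key local.
INVENTORY = {
    "alpha": {"pubkey": _sample_key(1), "address": "10.0.0.1/32", "endpoint": "alpha.example.net:51820"},
    "beta": {"pubkey": _sample_key(2), "address": "10.0.0.2/32", "endpoint": None},
    "gamma": {"pubkey": _sample_key(3), "address": "10.0.0.3/32", "endpoint": "gamma.example.net:51820"},
}

def valid_key(s):
    """WireGuard keys are 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(s) == 44 and len(base64.b64decode(s, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def render_peers(inventory, local):
    """Return the [Peer] sections for `local`: every other inventory host."""
    if local not in inventory:
        raise KeyError(local)
    seen = {}
    for name, host in inventory.items():
        if not valid_key(host["pubkey"]):
            raise ValueError(f"{name}: malformed public key")
        if host["pubkey"] in seen:  # a copy-pasted key would merge two peers
            raise ValueError(f"{name} and {seen[host['pubkey']]} share a key")
        seen[host["pubkey"]] = name
    sections = []
    for name in sorted(n for n in inventory if n != local):
        host = inventory[name]
        lines = [f"# {name}", "[Peer]", f"PublicKey = {host['pubkey']}",
                 f"AllowedIPs = {host['address']}"]
        if host["endpoint"]:  # hosts without a fixed endpoint dial out
            lines.append(f"Endpoint = {host['endpoint']}")
        sections.append("\n".join(lines))
    return "\n\n".join(sections) + "\n"

def rotate(inventory, name, new_pubkey):
    """Return a copy of the inventory with one host's public key replaced."""
    if not valid_key(new_pubkey):
        raise ValueError("malformed public key")
    updated = {k: dict(v) for k, v in inventory.items()}
    updated[name]["pubkey"] = new_pubkey
    return updated
```

After a rotation, re-rendering for every host other than the rotated one gives the sections that need to be pushed out over whichever channel is already in use.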


More information about the WireGuard mailing list