Support FIDO2/CTAP2 security tokens as keystore

Reto reto at
Sun Aug 18 19:09:28 CEST 2019

On Sun, Aug 18, 2019 at 04:22:49PM +0200, Rene 'Renne' Bartsch, B.Sc. Informatics wrote:
> currently the private key is stored on HDD which is quite insecure.

What are you referring to?
Why do you consider a HDD insecure?

For starters, storing stuff on a hard disc is certainly not "quite insecure".
Are you aware that you can encrypt discs / partitions / files?

WireGuard also allows you to set the private key on the fly, so you can feed it
for example secrets stored in pass (gpg encrypted), which you *can* decrypt with
a yubikey already.

Are you speaking specifically about wg-quick?
In that case the manpage already shows you how to feed wg encrypted secrets

> Or, perhaps it is desirable to store private keys in encrypted form, such as through
> use of pass(1):
>	PostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)

Of course pass is only an example, use any way of decrypting the secret as you
see fit.
