Support FIDO2/CTAP2 security tokens as keystore

Rene 'Renne' Bartsch, B.Sc. Informatics ml at
Thu Aug 22 10:54:56 CEST 2019

Am 18.08.19 um 19:09 schrieb Reto:
> For starters, storing stuff on a hard disc is certainly not "quite 
> insecure".
> Are you aware that you can encrypt discs / partions / files?

Anyone with access to the running machine or malicious software can read 
the keys on hard-disk.

How do you de-crypt the encrypted disk on a headless machine which has 
to reboot autonomously on error conditions?

> Wireguard also allows you to set the private key on the fly, so you can feed it
> for example secrets stored in pass (gpg encrypted), which you *can* decrypt with
> a yubikey already.
> Are you speaking specifically about wg-quick?
> In that case the manpage already shows you how to feed wg encrypted secrets
>> Or, perhaps it is desirable to store private keys in encrypted form, such as  through
>> use of pass(1):
>> 	PostUp = wg set %i private-key <(pass WireGuard/private-keys/%i

The point of security-tokens is you never get access to the private key.

Instead you pass the stream-cipher encrypted with the public key to the 
security token

to be de-crypted by the security token.



More information about the WireGuard mailing list