Support FIDO2/CTAP2 security tokens as keystore
Rene 'Renne' Bartsch, B.Sc. Informatics
ml at bartschnet.de
Thu Aug 22 10:54:56 CEST 2019
On 18.08.19 at 19:09, Reto wrote:
> For starters, storing stuff on a hard disc is certainly not "quite
> insecure".
> Are you aware that you can encrypt discs / partitions / files?
Anyone with access to the running machine, or malicious software, can read
the keys on the hard disk.
How do you decrypt the encrypted disk on a headless machine which has
to reboot autonomously on error conditions?
> Wireguard also allows you to set the private key on the fly, so you can feed it
> for example secrets stored in pass (gpg encrypted), which you *can* decrypt with
> a yubikey already.
>
> Are you speaking specifically about wg-quick?
> In that case the manpage already shows you how to feed wg encrypted secrets
>
>> Or, perhaps it is desirable to store private keys in encrypted form, such as through
>> use of pass(1):
>> PostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)
The point of security tokens is you never get access to the private key.
Instead you pass the stream cipher encrypted with the public key to the
security token to be decrypted by the security token.
Regards,
Renne
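The manpage line quoted above (`wg set %i private-key <(pass ...)`) works because wg(8) takes a file path for the private key and bash process substitution supplies that path as a `/dev/fd/N` pipe, so the decrypted key never becomes a regular file. The script below is an added illustration of that mechanism, not code from the thread or from the WireGuard project: `fake_pass` and `fake_wg_set` are constructed stand-ins for pass(1) and wg(8), the key string is a constructed dummy, and the secure variant uses a plain pipe to `/dev/stdin` (the POSIX sh equivalent of the bash `<(...)` form) so it runs without bash. It contrasts that with the temp-file approach, where a crash between decrypting and deleting leaves the plaintext key on disk.

```shell
#!/bin/sh
# Added example (not from the thread): the "never write the decrypted key to
# disk" pattern behind the manpage line `wg set %i private-key <(pass ...)`.
# fake_pass and fake_wg_set are constructed stand-ins for pass(1) and wg(8);
# DUMMY_KEY is a constructed placeholder, not a real WireGuard key.

KEY_DIR="${TMPDIR:-/tmp}/wg-key-demo.$$"
DUMMY_KEY="CONSTRUCTED_DUMMY_PRIVATE_KEY_NOT_REAL="

# Stand-in for `pass WireGuard/private-keys/wg0`: prints the decrypted secret
# on stdout, which is all pass does once gpg has decrypted the entry.
fake_pass() {
    printf '%s\n' "$DUMMY_KEY"
}

# Stand-in for `wg set <iface> private-key <path>`: wg(8) opens the given path
# and reads the key from it; here we echo what arrived so callers can check it.
fake_wg_set() {
    _iface=$1
    _keyfile=$2
    cat "$_keyfile"
}

# Insecure pattern: decrypt into a regular file and hand that path to wg.
# The plaintext key touches the filesystem. Call with "no" to simulate a
# script that died between decrypting and deleting: the key stays on disk.
load_key_via_tempfile() {
    _cleanup=${1:-yes}
    mkdir -p "$KEY_DIR"
    umask 077
    fake_pass > "$KEY_DIR/wg0.key"
    fake_wg_set wg0 "$KEY_DIR/wg0.key"
    [ "$_cleanup" = yes ] && rm -f "$KEY_DIR/wg0.key"
    return 0
}

# Secure pattern: stream the secret straight into wg's key-file argument.
# Under bash this is `wg set wg0 private-key <(pass ...)`; a pipe into
# /dev/stdin is the POSIX sh equivalent. No regular file is ever created,
# so there is nothing to leak and nothing to forget to delete.
load_key_via_pipe() {
    fake_pass | fake_wg_set wg0 /dev/stdin
}

# Returns 0 if a plaintext key file is sitting on disk, 1 otherwise.
key_left_on_disk() {
    [ -f "$KEY_DIR/wg0.key" ]
}

cleanup_demo() {
    rm -rf "$KEY_DIR"
}
```

Run `load_key_via_pipe` and then `key_left_on_disk` to confirm no file was created; run `load_key_via_tempfile no` to see the file that a crashed hook would leave behind. This addresses only the "key on disk" half of the discussion: the key is still decrypted into the memory of the process that receives it, which is the limitation the security-token argument above is about.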