Support FIDO2/CTAP2 security tokens as keystore

Reto reto at
Fri Aug 23 08:19:51 CEST 2019

On Thu, Aug 22, 2019 at 10:54:56AM +0200, Rene 'Renne' Bartsch, B.Sc. Informatics wrote:
> Anyone with access to the running machine or malicious software can read the
> keys on hard-disk.

No. That depends entirely on how you set it up. Permissions are a thing and you
don't need to constantly keep the corresponding storage unlocked either.

> How do you de-crypt the encrypted disk on a headless machine which has to
> reboot autonomously on error conditions?

How do you do that with a security token? It's the same issue really.
Either allow ssh access without the tunnel or use a serial connection or
virtualization thereof to unlock the secret and bring up the vpn.

> The point of security-tokens is you never get access to the private key.

Yes, my point is wg already allows you to do that, so what more do you need?

More information about the WireGuard mailing list