Support FIDO2/CTAP2 security tokens as keystore
Andreas Karlsson
andreas at proxel.se
Sat Aug 24 21:01:06 CEST 2019
On 8/24/19 4:08 PM, Matthias Urlichs wrote:
> Anyone with *root* access to the running machine can do that. They also
> can trivially read the kernel memory (if nothing else, by installing a
> module) and walk the kernel data structures to find the private and/or
> shared key.
No, anyone with root access can only get the shared key used for
encrypting data, not the actual private key. The private key does never
leave the device.
Does this add enough extra security to be worth it? No idea. I haven't
worked much with systems like this, only a little bit with SSL and
SmartCards.
Andreas
More information about the WireGuard
mailing list