Support FIDO2/CTAP2 security tokens as keystore

Andreas Karlsson andreas at
Sat Aug 24 21:01:06 CEST 2019

On 8/24/19 4:08 PM, Matthias Urlichs wrote:
> Anyone with *root* access to the running machine can do that. They also
> can trivially read the kernel memory (if nothing else, by installing a
> module) and walk the kernel data structures to find the private and/or
> shared key.

No, anyone with root access can only get the shared key used for 
encrypting data, not the actual private key. The private key does never 
leave the device.

Does this add enough extra security to be worth it? No idea. I haven't 
worked much with systems like this, only a little bit with SSL and 


More information about the WireGuard mailing list