Support FIDO2/CTAP2 security tokens as keystore

Derrick Lyndon Pallas derrick at
Sun Aug 25 21:30:09 CEST 2019

The private key is in kernel memory and is available via netlink and CLI.

~Derrick • iPhone

> On Aug 24, 2019, at 12:01 PM, Andreas Karlsson <andreas at> wrote:
>> On 8/24/19 4:08 PM, Matthias Urlichs wrote:
>> Anyone with *root* access to the running machine can do that. They also
>> can trivially read the kernel memory (if nothing else, by installing a
>> module) and walk the kernel data structures to find the private and/or
>> shared key.
> No, anyone with root access can only get the shared key used for encrypting data, not the actual private key. The private key never leaves the device.
> Does this add enough extra security to be worth it? No idea. I haven't worked much with systems like this, only a little bit with SSL and SmartCards.
> Andreas