Key Management / Rotation and Monitoring

Adam Weiss adam at
Wed Dec 9 04:18:45 CET 2020

Hi All,

I've been following some recent threads regarding real life
deployments of WireGuard and it got me thinking about key management,
rotation and monitoring.  Due to the seamless support for roaming
built into WireGuard these concerns are greater than typical setups as
a stolen key can be used seamlessly alongside its legitimate user.

In the interest of understanding best practices for secure deployment
of WireGuard and possibly identifying use cases for another project
that could aim to solve these issues, I'm curious:

1) What are people doing to get keys onto their endpoints?

2) What are people doing to rotate those keys regularly?

3) What sorts of monitoring have people constructed to try and detect
multiple users of the same key (I'm not sure how possible this is
today with the current WG releases, it's been a while since I've
looked closely at the project so please forgive me if this question is
nonsensical at this time).

Looking forward to any responses.


More information about the WireGuard mailing list