[PATCH] wg: Allow config to read private key from file

Daniel Gröber dxld at darkboxed.org
Sun Nov 20 22:46:01 UTC 2022

This adds a new config key PrivateKeyFile= that simply hooks up the
existing code for the `wg set ... private-key /file` codepath.

Using this new option the interface configs can be much easier to deploy in
an automated fashion as they don't contain secrets anymore. The private key
can easily be provisioned out of band or using a one-time provisioning step

Before this patch we were using a neat hack: it's possible to simply omit
PrivateKey= and set it using PostUp= wg set %i private-key /some/file.
However this breaks when we try to use setconf or synconf as
they will (rightly) unset the private key instead of leaving it as-is.
 src/config.c | 4 ++++
 src/man/wg.8 | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/src/config.c b/src/config.c
index e8db900..49cbb07 100644
--- a/src/config.c
+++ b/src/config.c
@@ -464,6 +464,10 @@ static bool process_line(struct config_ctx *ctx, const char *line)
 			ret = parse_key(ctx->device->private_key, value);
 			if (ret)
 				ctx->device->flags |= WGDEVICE_HAS_PRIVATE_KEY;
+		} else if (key_match("PrivateKeyFile")) {
+			ret = parse_keyfile(ctx->device->private_key, value);
+			if (ret)
+				ctx->device->flags |= WGDEVICE_HAS_PRIVATE_KEY;
 		} else
 			goto error;
 	} else if (ctx->is_peer_section) {
diff --git a/src/man/wg.8 b/src/man/wg.8
index fd9fde7..1d37338 100644
--- a/src/man/wg.8
+++ b/src/man/wg.8
@@ -134,6 +134,8 @@ The \fIInterface\fP section may contain the following fields:
 .IP \(bu
 PrivateKey \(em a base64 private key generated by \fIwg genkey\fP. Required.
 .IP \(bu
+PrivateKeyFile \(em path to a file containing base64 private key. May be used instead of \fIPrivateKey\fP. Optional.
+.IP \(bu
 ListenPort \(em a 16-bit port for listening. Optional; if not specified, chosen
 .IP \(bu

More information about the WireGuard mailing list