[PATCH] wg: add PrivateKeyFile and PresharedKeyFile configuration options

Tony Finch dot at dotat.at
Tue Apr 30 12:26:30 UTC 2024


The command line and config file usages can be more consistent when
they refer to the private key in the same way. Separate key files
allow an operator to view and edit the configuration file without
exposing secrets. It becomes much easier to share configurations when
they don't need to be redacted. Secrets can be kept encrypted at rest
without also encrypting non-secret parts of the config or resorting to
templating hacks.

Signed-off-by: Tony Finch <dot at dotat.at>
---
 src/config.c |  8 ++++++++
 src/man/wg.8 | 13 ++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git src/config.c src/config.c
index 9f15477..6e18129 100644
--- src/config.c
+++ src/config.c
@@ -450,6 +450,10 @@ static bool process_line(struct config_ctx *ctx, const char *line)
 			ret = parse_key(ctx->device->private_key, value);
 			if (ret)
 				ctx->device->flags |= WGDEVICE_HAS_PRIVATE_KEY;
+		} else if (key_match("PrivateKeyFile")) {
+			ret = parse_keyfile(ctx->device->private_key, value);
+			if (ret)
+				ctx->device->flags |= WGDEVICE_HAS_PRIVATE_KEY;
 		} else
 			goto error;
 	} else if (ctx->is_peer_section) {
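Review bot: The new PrivateKeyFile branch writes into the same ctx->device->private_key buffer and sets the same WGDEVICE_HAS_PRIVATE_KEY flag as the PrivateKey branch just above it, so a config that carries both keys is accepted and whichever line comes last silently wins. That makes a stale inline PrivateKey left behind after migrating to a file (or the reverse) hard to notice; consider rejecting the second occurrence with `goto error` when the flag is already set, or at least documenting the last-wins behaviour in wg.8.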
@@ -467,6 +471,10 @@ static bool process_line(struct config_ctx *ctx, const char *line)
 			ret = parse_key(ctx->last_peer->preshared_key, value);
 			if (ret)
 				ctx->last_peer->flags |= WGPEER_HAS_PRESHARED_KEY;
+		} else if (key_match("PresharedKeyFile")) {
+			ret = parse_keyfile(ctx->last_peer->preshared_key, value);
+			if (ret)
+				ctx->last_peer->flags |= WGPEER_HAS_PRESHARED_KEY;
 		} else
 			goto error;
 	} else
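Review bot: The PresharedKeyFile branch is a line-for-line copy of the PresharedKey branch except for the parse function; the same applies to the Interface section above. Since both branches end with the identical flag assignment, the two could be folded into one arm, e.g. `} else if (key_match("PresharedKey") || key_match("PresharedKeyFile")) {` followed by a single `ret = ... ? parse_key(...) : parse_keyfile(...);`, which keeps the flag handling in one place for future edits. The same last-wins concern raised for the Interface section applies to a peer that lists both PresharedKey and PresharedKeyFile.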
diff --git src/man/wg.8 src/man/wg.8
index 7984539..f1a8d6e 100644
--- src/man/wg.8
+++ src/man/wg.8
@@ -132,7 +132,11 @@ only one \fIInterface\fP section may be specified.
 .P
 The \fIInterface\fP section may contain the following fields:
 .IP \(bu
-PrivateKey \(em a base64 private key generated by \fIwg genkey\fP. Required.
+PrivateKey \(em a base64 private key generated by \fIwg genkey\fP.
+.IP \(bu
+PrivateKeyFile \(em name of a file containing a private key.
+.IP
+Either PrivateKey or PrivateKeyFile are required.
 .IP \(bu
 ListenPort \(em a 16-bit port for listening. Optional; if not specified, chosen
 randomly.
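Review bot: The added line "Either PrivateKey or PrivateKeyFile are required." should read "is required" (the subject is singular with "either ... or"). The PrivateKeyFile entry also leaves two things an operator needs undocumented: the expected file contents (presumably a single base64 private key as produced by wg genkey, matching the inline form) and how a relative path is resolved, which depends on the working directory of whatever invokes wg rather than on the location of the config file. Suggest spelling out the format and recommending an absolute path, since a wrong file silently yields a wrong key rather than a config error.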
@@ -146,11 +150,14 @@ PublicKey \(em a base64 public key calculated by \fIwg pubkey\fP from a
 private key, and usually transmitted out of band to the author of the
 configuration file. Required.
 .IP \(bu
-PresharedKey \(em a base64 preshared key generated by \fIwg genpsk\fP. Optional,
-and may be omitted. This option adds an additional layer of symmetric-key
+PresharedKey \(em a base64 preshared key generated by \fIwg genpsk\fP. Optional.
+This option adds an additional layer of symmetric-key
 cryptography to be mixed into the already existing public-key cryptography,
 for post-quantum resistance.
 .IP \(bu
+PresharedKeyFile \(em name of a file containing a preshared key.
+Optional alternative to PresharedKey.
+.IP \(bu
 AllowedIPs \(em a comma-separated list of IP (v4 or v6) addresses with
 CIDR masks from which incoming traffic for this peer is allowed and to
 which outgoing traffic for this peer is directed. The catch-all
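Review bot: "Optional alternative to PresharedKey." does not say what the file must contain (a base64 preshared key as produced by wg genpsk, one per file) or what happens when a peer specifies both PresharedKey and PresharedKeyFile; given the parser change, the later line overrides the earlier one. Suggest stating the file format here as the PrivateKeyFile entry should, and either "Only one of PresharedKey or PresharedKeyFile may be given" or a sentence describing the override, so that the man page and the parser agree.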
-- 
2.39.2
