From: Reto <reto@labrat.space>
To: wireguard@lists.zx2c4.com
Subject: Re: Support FIDO2/CTAP2 security tokens as keystore
Date: Fri, 23 Aug 2019 08:19:51 +0200 [thread overview]
Message-ID: <20190823061951.yfno7xqln7yfj4xj@feather.localdomain> (raw)
In-Reply-To: <c8accebb-1a7f-7b3e-26b5-2d0b13347fb3@bartschnet.de>
On Thu, Aug 22, 2019 at 10:54:56AM +0200, Rene 'Renne' Bartsch, B.Sc. Informatics wrote:
> Anyone with access to the running machine or malicious software can read the
> keys on hard-disk.
No. That depends entirely on how you set it up. Permissions are a thing and you
don't need to constantly keep the corresponding storage unlocked either.
> How do you de-crypt the encrypted disk on a headless machine which has to
> reboot autonomously on error conditions?
How do you do that with a security token? It's the same issue really.
Either allow ssh access without the tunnel or use a serial connection or
vitalization thereof to unlock the secret and bring up the vpn.
> The point of security-tokens is you never get access to the private key.
Yes, my point is wg already allows you to do that, so what more do you need?
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
next prev parent reply other threads:[~2019-08-23 6:20 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-18 14:22 Support FIDO2/CTAP2 security tokens as keystore Rene 'Renne' Bartsch, B.Sc. Informatics
2019-08-18 17:09 ` Reto
2019-08-22 8:54 ` Rene 'Renne' Bartsch, B.Sc. Informatics
2019-08-23 6:19 ` Reto [this message]
2019-08-24 14:08 ` Matthias Urlichs
2019-08-24 19:01 ` Andreas Karlsson
2019-08-25 19:30 ` Derrick Lyndon Pallas
2019-08-26 14:34 ` Andreas Karlsson
2019-08-30 11:42 Nicolas Stalder
2019-08-30 18:00 ` Phil Hofer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190823061951.yfno7xqln7yfj4xj@feather.localdomain \
--to=reto@labrat.space \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).