* Cipher the private key in peers wg0.conf ?
[not found] <392763090.3358208.1526475207903.ref@mail.yahoo.com>
@ 2018-05-16 12:53 ` reiner otto
2018-05-16 14:06 ` Matthias Urlichs
0 siblings, 1 reply; 3+ messages in thread
From: reiner otto @ 2018-05-16 12:53 UTC (permalink / raw)
To: wireguard
Actually, in wg0.conf the private key is defined in clear text. Which allows dump of physical disk to grab it
and to fake this client.
Wouldn't it be safer, to cipher the private key somehow ?
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Cipher the private key in peers wg0.conf ?
2018-05-16 12:53 ` Cipher the private key in peers wg0.conf ? reiner otto
@ 2018-05-16 14:06 ` Matthias Urlichs
2018-05-16 14:09 ` Antonio Quartulli
0 siblings, 1 reply; 3+ messages in thread
From: Matthias Urlichs @ 2018-05-16 14:06 UTC (permalink / raw)
To: wireguard
On 16.05.2018 14:53, reiner otto wrote:
> Actually, in wg0.conf the private key is defined in clear text. Which allows dump of physical disk to grab it
> and to fake this client.
So? If you have physical access to the peer's (unencrypted) disk you can
do anything. Security is over.
> Wouldn't it be safer, to cipher the private key somehow ?
Where would you store the key for that?
If you need that kind of safety, encrypt the whole disk. Securing the
private key doesn't help if you can simply subvert the binary that
decrypts it.
--
-- Matthias Urlichs
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Cipher the private key in peers wg0.conf ?
2018-05-16 14:06 ` Matthias Urlichs
@ 2018-05-16 14:09 ` Antonio Quartulli
0 siblings, 0 replies; 3+ messages in thread
From: Antonio Quartulli @ 2018-05-16 14:09 UTC (permalink / raw)
To: Matthias Urlichs, wireguard
[-- Attachment #1.1: Type: text/plain, Size: 950 bytes --]
Hi,
On 16/05/18 22:06, Matthias Urlichs wrote:
> On 16.05.2018 14:53, reiner otto wrote:
>> Actually, in wg0.conf the private key is defined in clear text. Which allows dump of physical disk to grab it
>> and to fake this client.
> So? If you have physical access to the peer's (unencrypted) disk you can
> do anything. Security is over.
>> Wouldn't it be safer, to cipher the private key somehow ?
> Where would you store the key for that?
>
> If you need that kind of safety, encrypt the whole disk. Securing the
> private key doesn't help if you can simply subvert the binary that
> decrypts it.
I think this can be compared to classic encrypted private keys, where
you need to decrypt them (normally with a passphrase) before they can be
loaded by the SSL library.
Maybe this could just be a feature in the wg tool, which could decrypt
the key before pushing it down to the kernel.
Cheers,
--
Antonio Quartulli
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-05-16 14:09 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <392763090.3358208.1526475207903.ref@mail.yahoo.com>
2018-05-16 12:53 ` Cipher the private key in peers wg0.conf ? reiner otto
2018-05-16 14:06 ` Matthias Urlichs
2018-05-16 14:09 ` Antonio Quartulli
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).