wireguard.lists.zx2c4.com archive mirror
 help / color / mirror / Atom feed
From: Reto <reto@labrat.space>
To: wireguard@lists.zx2c4.com
Subject: Re: Support FIDO2/CTAP2 security tokens as keystore
Date: Fri, 23 Aug 2019 08:19:51 +0200	[thread overview]
Message-ID: <20190823061951.yfno7xqln7yfj4xj@feather.localdomain> (raw)
In-Reply-To: <c8accebb-1a7f-7b3e-26b5-2d0b13347fb3@bartschnet.de>

On Thu, Aug 22, 2019 at 10:54:56AM +0200, Rene 'Renne' Bartsch, B.Sc. Informatics wrote:
> Anyone with access to the running machine or malicious software can read the
> keys on hard-disk.

No. That depends entirely on how you set it up. Permissions are a thing and you
don't need to constantly keep the corresponding storage unlocked either.

> How do you de-crypt the encrypted disk on a headless machine which has to
> reboot autonomously on error conditions?

How do you do that with a security token? It's the same issue really.
Either allow ssh access without the tunnel or use a serial connection or
vitalization thereof to unlock the secret and bring up the vpn.

> The point of security-tokens is you never get access to the private key.

Yes, my point is wg already allows you to do that, so what more do you need?
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

  reply	other threads:[~2019-08-23  6:20 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-18 14:22 Support FIDO2/CTAP2 security tokens as keystore Rene 'Renne' Bartsch, B.Sc. Informatics
2019-08-18 17:09 ` Reto
2019-08-22  8:54   ` Rene 'Renne' Bartsch, B.Sc. Informatics
2019-08-23  6:19     ` Reto [this message]
2019-08-24 14:08     ` Matthias Urlichs
2019-08-24 19:01       ` Andreas Karlsson
2019-08-25 19:30         ` Derrick Lyndon Pallas
2019-08-26 14:34           ` Andreas Karlsson
2019-08-30 11:42 Nicolas Stalder
2019-08-30 18:00 ` Phil Hofer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190823061951.yfno7xqln7yfj4xj@feather.localdomain \
    --to=reto@labrat.space \
    --cc=wireguard@lists.zx2c4.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).