From: "Rene 'Renne' Bartsch, B.Sc. Informatics" <ml@bartschnet.de>
To: wireguard@lists.zx2c4.com
Subject: Re: Support FIDO2/CTAP2 security tokens as keystore
Date: Thu, 22 Aug 2019 10:54:56 +0200 [thread overview]
Message-ID: <c8accebb-1a7f-7b3e-26b5-2d0b13347fb3@bartschnet.de> (raw)
In-Reply-To: <20190818170928.ps2fymkisd4giefv@feather.localdomain>
Am 18.08.19 um 19:09 schrieb Reto:
> For starters, storing stuff on a hard disc is certainly not "quite
> insecure".
> Are you aware that you can encrypt discs / partions / files?
Anyone with access to the running machine or malicious software can read
the keys on hard-disk.
How do you de-crypt the encrypted disk on a headless machine which has
to reboot autonomously on error conditions?
> Wireguard also allows you to set the private key on the fly, so you can feed it
> for example secrets stored in pass (gpg encrypted), which you *can* decrypt with
> a yubikey already.
>
> Are you speaking specifically about wg-quick?
> In that case the manpage already shows you how to feed wg encrypted secrets
>
>> Or, perhaps it is desirable to store private keys in encrypted form, such as through
>> use of pass(1):
>> PostUp = wg set %i private-key <(pass WireGuard/private-keys/%i
The point of security-tokens is you never get access to the private key.
Instead you pass the stream-cipher encrypted with the public key to the
security token
to be de-crypted by the security token.
Regards,
Renne
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
next prev parent reply other threads:[~2019-08-22 8:55 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-18 14:22 Support FIDO2/CTAP2 security tokens as keystore Rene 'Renne' Bartsch, B.Sc. Informatics
2019-08-18 17:09 ` Reto
2019-08-22 8:54 ` Rene 'Renne' Bartsch, B.Sc. Informatics [this message]
2019-08-23 6:19 ` Reto
2019-08-24 14:08 ` Matthias Urlichs
2019-08-24 19:01 ` Andreas Karlsson
2019-08-25 19:30 ` Derrick Lyndon Pallas
2019-08-26 14:34 ` Andreas Karlsson
2019-08-30 11:42 Nicolas Stalder
2019-08-30 18:00 ` Phil Hofer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c8accebb-1a7f-7b3e-26b5-2d0b13347fb3@bartschnet.de \
--to=ml@bartschnet.de \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).