* Cipher the private key in peers wg0.conf ?

From: reiner otto @ 2018-05-16 12:53 UTC
To: wireguard

Actually, in wg0.conf the private key is defined in clear text, which allows a dump of the physical disk to grab it and to fake this client.

Wouldn't it be safer to cipher the private key somehow?
* Re: Cipher the private key in peers wg0.conf ?

From: Matthias Urlichs @ 2018-05-16 14:06 UTC
To: wireguard

On 16.05.2018 14:53, reiner otto wrote:
> Actually, in wg0.conf the private key is defined in clear text. Which allows dump of physical disk to grab it
> and to fake this client.

So? If you have physical access to the peer's (unencrypted) disk you can do anything. Security is over.

> Wouldn't it be safer, to cipher the private key somehow ?

Where would you store the key for that?

If you need that kind of safety, encrypt the whole disk. Securing the private key doesn't help if you can simply subvert the binary that decrypts it.

-- 
Matthias Urlichs
* Re: Cipher the private key in peers wg0.conf ?

From: Antonio Quartulli @ 2018-05-16 14:09 UTC
To: Matthias Urlichs, wireguard

Hi,

On 16/05/18 22:06, Matthias Urlichs wrote:
> On 16.05.2018 14:53, reiner otto wrote:
>> Actually, in wg0.conf the private key is defined in clear text. Which allows dump of physical disk to grab it
>> and to fake this client.
> So? If you have physical access to the peer's (unencrypted) disk you can
> do anything. Security is over.
>> Wouldn't it be safer, to cipher the private key somehow ?
> Where would you store the key for that?
>
> If you need that kind of safety, encrypt the whole disk. Securing the
> private key doesn't help if you can simply subvert the binary that
> decrypts it.

I think this can be compared to classic encrypted private keys, where you need to decrypt them (normally with a passphrase) before they can be loaded by the SSL library.

Maybe this could just be a feature in the wg tool, which could decrypt the key before pushing it down to the kernel.

Cheers,

-- 
Antonio Quartulli
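The load-time decryption Antonio sketches above can be done today without changes to `wg` itself: keep a passphrase-wrapped key on disk instead of the plaintext in wg0.conf, and have a small loader unwrap it and feed the result to `wg set <iface> private-key <file>` at interface-up time (for example from a `PostUp` hook in wg-quick). The following is an added example written for this thread, not code from the WireGuard project. The wrapped-file layout (salt || ciphertext || HMAC tag), the scrypt parameters and the `load_into_interface` helper are this example's own assumptions; in production you would normally use an established container such as age, gpg or `openssl enc` rather than a hand-written one. Note that it does not answer Matthias's objection: the passphrase still has to come from somewhere, and if it is stored on the same unencrypted disk, or the loader binary can be replaced, nothing is gained over full-disk encryption.

```python
"""Passphrase-wrapped WireGuard private key, unwrapped at interface-up time.

Added example, stdlib only. The on-disk format is an assumption of this
example (salt || ciphertext || tag), not a WireGuard format.
"""
import base64
import hashlib
import hmac
import os
import subprocess

SALT_LEN = 16
KEY_LEN = 32   # a WireGuard private key is 32 raw bytes (44 chars in base64)
TAG_LEN = 32   # HMAC-SHA256


def _derive(passphrase: bytes, salt: bytes) -> tuple:
    """scrypt -> 32-byte pad + 32-byte MAC key.

    Every wrap uses a fresh random salt, so the pad is used exactly once and
    XOR-ing the 32-byte key with it is a one-time pad. n=2**14 stays under
    hashlib's default 32 MiB memory limit."""
    dk = hashlib.scrypt(passphrase, salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return dk[:32], dk[32:]


def wrap_key(raw_key: bytes, passphrase: bytes) -> bytes:
    """Encrypt-then-MAC a 32-byte private key under a passphrase."""
    if len(raw_key) != KEY_LEN:
        raise ValueError("WireGuard private key must be 32 bytes")
    salt = os.urandom(SALT_LEN)
    pad, mac_key = _derive(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(raw_key, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def unwrap_key(blob: bytes, passphrase: bytes) -> bytes:
    """Verify the tag in constant time before decrypting, so a wrong
    passphrase or a tampered file raises instead of handing garbage to wg."""
    if len(blob) != SALT_LEN + KEY_LEN + TAG_LEN:
        raise ValueError("malformed key file")
    salt = blob[:SALT_LEN]
    ct = blob[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = blob[-TAG_LEN:]
    pad, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad passphrase or corrupted key file")
    return bytes(a ^ b for a, b in zip(ct, pad))


def to_wg_base64(raw_key: bytes) -> str:
    """Format the key the way wg(8) expects to read it."""
    return base64.b64encode(raw_key).decode()


def load_into_interface(iface: str, blob: bytes, passphrase: bytes,
                        run=subprocess.run) -> int:
    """Unwrap the key and push it to the kernel with `wg set`.

    The key is written to wg's stdin and read back via /dev/stdin, so the
    plaintext never touches the filesystem. `run` is injectable so the
    call path can be exercised on a machine without WireGuard."""
    key_b64 = to_wg_base64(unwrap_key(blob, passphrase))
    result = run(["wg", "set", iface, "private-key", "/dev/stdin"],
                 input=(key_b64 + "\n").encode(), check=False)
    return result.returncode


if __name__ == "__main__":
    # Constructed demo: wrap a freshly generated key and unwrap it again.
    demo_key = os.urandom(KEY_LEN)
    blob = wrap_key(demo_key, b"correct horse battery staple")
    assert unwrap_key(blob, b"correct horse battery staple") == demo_key
    print("wrapped key file is", len(blob), "bytes; wg0.conf holds no PrivateKey")
```

With this in place, wg0.conf carries no `PrivateKey` line and the interface section instead runs the loader from a hook (assumed, not shown on the page: `PostUp = /usr/local/sbin/wg-keyload %i`), which prompts for the passphrase or fetches it from a separate secret store. The loader is the point of trust: it must be root-owned, non-writable by others and itself covered by whatever disk or boot integrity you rely on, which is exactly the caveat raised earlier in the thread.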