Subject: Re: Reflections on WireGuard Design Goals
From: Kalin KOZHUHAROV
Date: Fri, 10 Aug 2018 19:38:19 +0300
To: Brian Candler
Cc: WireGuard mailing list (Development discussion of WireGuard)

On Fri, 10 Aug 2018, 19:04 Brian Candler <b.candler@pobox.com> wrote:

> On 10/08/2018 16:03, Roman Mamedov wrote:
>
> But I'd feel a lot happier if a second level of authentication were
> required to establish a wireguard connection, if no packets had been
> flowing for more than a configurable amount of time - say, an hour. It
> would give some comfort around lost/stolen devices.
>
> Couldn't you just encrypt your home directory? Or even the root FS entirely.
> Either of those should be a must on a portable device storing valuable
> information.
>
> But by analogy, would you say that SSH keys and PGP keys don't need
> protection by a passphrase?

Yes, I will say so. I (almost) never use it, it is either too insecure yet cumbersome, so I use separate devices (nFA), encrypted FS, etc. where needed. Or nothing at all.

Kalin.