Hi, On 16/05/18 22:06, Matthias Urlichs wrote: > On 16.05.2018 14:53, reiner otto wrote: >> Actually, in wg0.conf the private key is defined in clear text. Which allows >> dump of physical disk to grab it >> and to fake this client. > So? If you have physical access to the peer's (unencrypted) disk you can > do anything. Security is over. >> Wouldn't it be safer, to cipher the private key somehow ? > Where would you store the key for that? > > If you need that kind of safety, encrypt the whole disk. Securing the > private key doesn't help if you can simply subvert the binary that > decrypts it.
I think this can be compared to classic encrypted private keys, where you need to decrypt them (normally with a passphrase) before they can be loaded by the SSL library. Maybe this could just be a feature in the wg tool, which could decrypt the key before pushing it down to the kernel. Cheers, -- Antonio Quartulli
signature.asc
Description: OpenPGP digital signature
_______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard
