[retronet] WireGuard terms & filenames…
Grant Taylor
gtaylor at tnetconsulting.net
Sun Sep 9 11:21:56 MDT 2018
I think we should standardize on some terms and file names for security
sensitive files.
WireGuard has three types of key files.
· Private Key - Secret key for a WireGuard interface.
· Public Key - Public key for a WireGuard interface, derived from the
interface's Private Key.
· Preshared Key - Optional key to work around quantum computing.
I propose to use the following names & file extensions:
· $NODE.key - Node's Private Key. - NEVER SHARED
· $NODE.pub - Node's Public Key. - Shared with members you want to
connect to.
· $NODE.psk - Preshared Key used between two nodes. - ONLY Shared with
the partner node.
I would like to draw a line in the sand with the file extensions. My
intention is to have consistent naming when talking about keys. I'd
like to get to a point that if someone accidentally sends their
$NODE.key file when they should have sent their $NODE.pub file, the
receiving member(s) will recognize it and call the foul.
I would also like some structure to the base name of the key files.
This is mainly selfish and does not strictly need to be imposed on all
members. That being said, my motivation for it is for the central
concentrators and members that establish multiple WireGuard VPNs to have
some semblance of order.
It would even be possible to build a directory structure like the following:
/etc/wireguard/$NODE0/$NODE0.key
                     /$NODE0.pub
                     /$NODE0.psk
              /$NODE1/$NODE1.pub
                     /$NODE1.psk
              /$NODE2/$NODE2.pub
                     /$NODE2.psk
              /$NODE3/$NODE3.pub
                     /$NODE3.psk
              /$NODEn/$NODEn.pub
                     /$NODEn.psk
              /$NODE.key -> /$NODE0/$NODE0.key
              /$NODE.pub -> /$NODE0/$NODE0.pub
              /$NODE.psk -> /$NODE0/$NODE0.psk
--
Grant. . . .
unix || die
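The layout proposed above, built and checked in code. This is an added example, not part of Grant's post or of the WireGuard project; the node names node0, node1, node2 are hypothetical, and the X25519 routine is a pure-Python port of the RFC 7748 ladder only so the script runs offline (in practice `wg genkey`, `wg pubkey` and `wg genpsk` produce these files, in the same base64-of-32-bytes format, so the checks apply to real key files unchanged). Beyond the naming scheme itself, it shows the two checks a receiver or a concentrator operator would actually want: that a `$NODE.pub` really derives from the `$NODE.key` beside it, and a cheap "is this really a public key?" test for the accidental-`.key` case the post describes.

```python
"""Build the per-node WireGuard key layout proposed above and sanity-check it.
Added example, not from the retronet post or the WireGuard project; node names
are hypothetical.  X25519 is a pure-Python RFC 7748 ladder only so this runs
offline; `wg genkey`/`wg pubkey`/`wg genpsk` write the same base64 format."""
import base64
import os
import stat
import tempfile

P = 2**255 - 19
A24 = 121665

def clamp(k: bytes) -> bytes:
    """Curve25519 private-key clamping, the same step `wg genkey` applies."""
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return bytes(b)

def x25519(k: bytes, u: int = 9) -> bytes:
    """RFC 7748 Montgomery ladder; with base point u=9: private -> public."""
    n = int.from_bytes(clamp(k), "little")
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (n >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode() + "\n"

def write_0600(path: str, text: str) -> None:
    """Create with mode 0600 from the start: no window where others can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)

def make_layout(root: str, me: str, peers: list) -> dict:
    """$ROOT/$ME/{$ME.key,.pub,.psk}, $ROOT/$PEER/{$PEER.pub,.psk} and the
    top-level shortcut links.  Real peer .pub files arrive from the peers; here
    they are generated (peer private keys discarded) so the tree is complete."""
    dirs = {}
    for node in [me] + peers:
        d = os.path.join(root, node)
        os.mkdir(d, 0o700)
        priv = clamp(os.urandom(32))
        write_0600(os.path.join(d, node + ".pub"), b64(x25519(priv)))
        write_0600(os.path.join(d, node + ".psk"), b64(os.urandom(32)))  # pairwise secret
        if node == me:
            write_0600(os.path.join(d, node + ".key"), b64(priv))
        dirs[node] = d
    for ext in ("key", "pub", "psk"):  # /$NODE.key -> /$NODE0/$NODE0.key, etc.
        os.symlink(os.path.join(me, me + "." + ext), os.path.join(root, me + "." + ext))
    return dirs

def looks_like_private_key(b64_text: str) -> bool:
    """The 'call the foul' check.  A clamped private key always has the low 3
    bits of byte 0 clear and byte 31 in 0x40..0x7f; a public key passes only
    about 1 time in 16.  False: certainly not a private key.  True: refuse it."""
    raw = base64.b64decode(b64_text.strip())
    return len(raw) == 32 and raw[0] & 7 == 0 and raw[31] & 0xC0 == 0x40

def pub_matches_key(key_path: str, pub_path: str) -> bool:
    """Confirm a $NODE.pub really derives from the $NODE.key beside it."""
    with open(key_path) as f:
        priv = base64.b64decode(f.read().strip())
    with open(pub_path) as f:
        return b64(x25519(priv)).strip() == f.read().strip()

def secret_perms_ok(path: str) -> bool:
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def build_and_verify(me: str = "node0", peers=("node1", "node2")) -> bool:
    """Build the tree in a scratch directory and run every check on it."""
    root = tempfile.mkdtemp()
    dirs = make_layout(root, me, list(peers))
    mine = dirs[me]
    ok = pub_matches_key(os.path.join(mine, me + ".key"), os.path.join(mine, me + ".pub"))
    ok &= all(secret_perms_ok(os.path.join(d, f)) for d in dirs.values() for f in os.listdir(d))
    with open(os.path.join(root, me + ".key")) as f:  # through the shortcut link
        ok &= looks_like_private_key(f.read())
    return ok

if __name__ == "__main__":
    print("layout built and verified:", build_and_verify())
```

The clamping test can only refute: a file that fails it is not a well-formed private key, while one that passes is either a private key or one of the roughly one-in-sixteen public keys that happen to look like one, so the safe policy is to reject it and ask for the `.pub` again. The definitive check, `pub_matches_key`, needs the private key and therefore belongs on the sending node before the `.pub` goes out, never on the receiving side.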