On 14 April 2024 10:11:01 Alarig Le Lay wrote:
> Not directly bitfolk related, but I’m still trying to figure out how to
> distribute private keys without people yelling about it being insecure.
> Giving an openvpn password via email doesn’t bother people so much,
> giving a wg private key does. It’s the same thing at the end, it sets a
> VPN up, so I don’t really get the point…
You need the other side to have a private key already, really.
Then you either:
• trust that key directly
• generate a new private key and encrypt it with their existing private key
An alternative, though, if it really really matters: put the key into a
YubiKey. Post it to them. Get the recipient to confirm receipt and that the
serial number matches, then disclose the PIN to the YubiKey. OpenVPN can
load keys via PKCS#11 (apparently).
As for passwords, it's a lot easier to let people set a new password than
to let them set a new private key, so private keys tend to stay set.
Tim
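The second option from Tim's reply, generating a new private key and encrypting it to a key the other side already holds, as an added example that is not part of the thread. It encrypts a freshly generated WireGuard key to the public half of the recipient's existing key pair; the recipient's RSA key pair, the temp directory and the file names are constructed here as stand-ins for whatever key they really have.

```shell
# Added example, not from the thread: hand a new WireGuard private key to
# someone by encrypting it to the public half of a key pair they already hold.
# Needs only openssl; the "recipient" RSA key pair is a constructed stand-in.
set -eu

# Recipient side, done once in the past: their existing key pair.
make_recipient_keypair() {   # $1 = directory
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/recipient.key" 2>/dev/null
    openssl pkey -in "$1/recipient.key" -pubout -out "$1/recipient.pub"
}

# Sender side: new X25519 key in wg(8) format (base64 of the 32 raw bytes).
# openssl writes X25519 keys as 48-byte PKCS#8 DER; the raw key is the tail.
wg_genkey() {
    openssl genpkey -algorithm X25519 -outform DER | tail -c 32 | base64
}

# Derive the wg public key from a wg private key read on stdin: re-wrap the
# raw bytes in the fixed 16-byte PKCS#8 X25519 header (RFC 8410), then -pubout.
wg_pubkey() {
    { printf '\060\056\002\001\000\060\005\006\003\053\145\156\004\042\004\040'
      base64 -d; } | openssl pkey -inform DER -pubout -outform DER \
                   | tail -c 32 | base64
}

# Sender side: encrypt the key (stdin) to the recipient's existing public key.
# RSA-OAEP; the 45-byte payload fits in a single RSA block.
encrypt_for_recipient() {   # $1 = recipient.pub, $2 = output file
    openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep -out "$2"
}

# Recipient side: decrypt with the private half only they hold.
decrypt_as_recipient() {    # $1 = recipient.key, $2 = encrypted file
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep -in "$2"
}

# The whole exchange. Returns 0 when the recipient recovers the private key and
# its derived public key matches the one the sender published in the clear.
roundtrip() {
    dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
    make_recipient_keypair "$dir"
    priv=$(wg_genkey)
    pub_sent=$(printf '%s\n' "$priv" | wg_pubkey)      # goes in the clear
    printf '%s\n' "$priv" | encrypt_for_recipient "$dir/recipient.pub" "$dir/wg.key.enc"
    recovered=$(decrypt_as_recipient "$dir/recipient.key" "$dir/wg.key.enc")
    [ "$recovered" = "$priv" ] &&
        [ "$(printf '%s\n' "$recovered" | wg_pubkey)" = "$pub_sent" ]
}
```

Publishing the derived public key alongside the ciphertext lets the recipient confirm they decrypted the intended key before loading it into a wg interface.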