Wireguard Pre-Shared key Purpose?


It's been quite a few days since I started analysing on Wireguard's pre-shared key.
As per Wireguard documentation and other sources(https://www.procustodibus.com/blog/2021/09/wireguard-key-rotation/#why-rotate-wireguard-keys) I came to know that the Pre-shared key is an optional parameter for encrypting Wireguard traffic.

I would like to know,

  1. How the Pre-shared key is used in Wiregaurd encryption?
  2. For Wireguard key rotation, rotating the pre-shared key is best (or) rotating the Private & Public key pair is best?

Thanks in Advance.

If an additional layer of symmetric-key crypto is required (for, say, post-quantum resistance), WireGuard also supports an optional pre-shared key that is mixed into the public key cryptography

~ from : https://www.wireguard.com/protocol/

See also: https://en.wikipedia.org/wiki/Post-quantum_cryptography

~ https://crypto.stackexchange.com/questions/41796/whats-the-purpose-of-key-rotation

BTW, you cannot change a public key without changing the private, and vice versa, meaning the method of identifying your peer changes.


BTW, you cannot change a public key without changing the private, and vice versa, meaning the method of identifying your peer changes.

Yeah, So I have figured out a couple of possibilities for rotating the Wireguard key(s),

  1. By modifying the Private & Public key pair in both peers.
  2. By rotating only the Pre-shared key in both peers.

Of these which option can go with for efficient Wireguard key rotation,

OK...you asked this already.

If it wasn't clear that changing the public peer seem troublesome since it changes its ID (IMHO), you'll have to decide which one you prefer. I don't know what you mean by "efficient".

Also, you forgot 3:

  1. Change both 1 and 2

(I'm getting a feeling this is about to enter tin foil hat mode.)

Your questions assume you control both peers anyway.

Got it :+1:

I should also note that the public/private keys are interface-wide (all peers). The pre shared key can be changed per peer.

Yes, exactly. Tats why I have thought of using the Preshared key for rotation.

1 Like

But If I perform Wireguard key rotation only with a pre-shared key, Will it be efficient enough in the security aspect?

If you plan to ask the same questions three times, perhaps you could explain what "efficient" means to you?

Stopping attacks against quantum computers that haven't been built for production yet, while modern machines would take thousands of years seems "well suited" to secure...so I'm confused on what you're asking.

Did you read the information I provided in Post No. 2?

Actually, I thought of getting a confirmation

A pre-shared key is the secret, if someone intercepts it while you are sending it to a peer they have what they need to decrypt the communication.

When you rotate public-private keys each peer generates a new private key and keeps it secret. Only the public key needs to be sent to the other peer(s). It isn't necessary to keep a public key secret since it is only useful when combined with the private key.

Isn’t it the same as in OpenVPN that the PSK only makes the handshake for the asymmetric crypto is the fog and quantum computers sucks at symetric cryptos. And there you have the “poor mans hand quantum protection”.
So even if you have the PSK you still need to crack the asymetric crypto with the quantum computer.

1 Like