2-7: Preshared Keys
Wireguard uses asymmetric encryption to protect communications. Asymmetric encryption, as it turns out, may be vulnerable to decryption via quantum computers. This is likely a long way off, but preparing for post-quantum security now is both simple and prudent. By mixing an additional symmetric secret, shared between Peers, into the asymmetric handshake, we can future-proof our Wireguard configuration with minimal effort.
You can create such a secret with the built-in genpsk command.
wg genpsk
That value goes in a PresharedKey directive in the Peer section.
[Peer]
# Other Peer directives...
PresharedKey = 5O9qHryfXWOegiNi6s3tlFjTie7sn1fuPYDtiNo8S5U=
This key must match on complementary Peer entries: Peer A's entry for Peer B and Peer B's entry for Peer A carry the same value. Not all members of a network need to (or should) share the same secret, but any two connecting Peers must have matching keys.
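As an added example (not part of the original post), the script below generates a preshared key in the same format as `wg genpsk` and checks that two peers' configs carry the same PresharedKey in each other's Peer entry. The key strings, file names and the `psk_for_peer`/`check_psk_match` helpers are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): generate a preshared key and
# verify that two peers' configs carry the same PresharedKey for each other.
# Key strings below are constructed placeholders, not real keys.

# Generate a PSK: `wg genpsk` when available, otherwise the same format
# (32 random bytes, base64-encoded) read from /dev/urandom.
gen_psk() {
    if command -v wg >/dev/null 2>&1; then wg genpsk
    else head -c 32 /dev/urandom | base64; fi
}

# psk_for_peer CONFIG PUBKEY: print the PresharedKey of the [Peer] block
# whose PublicKey is PUBKEY; prints nothing if that block or its PSK is absent.
psk_for_peer() {
    awk -v want="$2" '
        /^[ \t]*\[/ { pub = ""; psk = ""; next }        # new section: reset
        /^[ \t]*PublicKey[ \t]*=/    { sub(/^[^=]*=[ \t]*/, ""); pub = $0 }
        /^[ \t]*PresharedKey[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); psk = $0 }
        pub == want && psk != "" { print psk; exit }
    ' "$1"
}

# check_psk_match A_CONF A_PUB B_CONF B_PUB: succeed only if A's entry for B
# and B's entry for A both have a PSK and the two values are identical.
check_psk_match() {
    a=$(psk_for_peer "$1" "$4"); b=$(psk_for_peer "$3" "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

A_PUB="PUBKEY_OF_A_placeholder="; B_PUB="PUBKEY_OF_B_placeholder="
# write_sample_configs DIR: constructed configs; a/b match, c has a wrong PSK.
write_sample_configs() {
    psk=$(gen_psk)
    printf '[Interface]\nPrivateKey = PRIVKEY_A_placeholder=\n\n[Peer]\nPublicKey = %s\nPresharedKey = %s\n' \
        "$B_PUB" "$psk" > "$1/a.conf"
    printf '[Interface]\nPrivateKey = PRIVKEY_B_placeholder=\n\n[Peer]\nPublicKey = %s\nPresharedKey = %s\n' \
        "$A_PUB" "$psk" > "$1/b.conf"
    sed "s|^PresharedKey = .*|PresharedKey = $(gen_psk)|" "$1/b.conf" > "$1/c.conf"
}

# Stand-alone demo: a<->b should match, a<->c should not.
d=$(mktemp -d); write_sample_configs "$d"
check_psk_match "$d/a.conf" "$A_PUB" "$d/b.conf" "$B_PUB" && echo "a<->b: PSK matches"
check_psk_match "$d/a.conf" "$A_PUB" "$d/c.conf" "$B_PUB" || echo "a<->c: PSK mismatch or missing"
rm -r "$d"
```

Run it against real config files by calling `check_psk_match` with each interface's actual public key in place of the placeholders.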
These keys should be treated like any other credential, and handled with care. I recommend using a password manager like Bitwarden or Vaultwarden to store and share keys with others.
That’s it! No lab necessary for this small feature, but I wanted to call it out as an additional security measure when setting up Wireguard networks manually.
But we’re now done setting things up manually. In the next section, we’ll use tools built on top of Wireguard to more easily manage our networks and network members.