Public & Private Keys | Pro Custodibus Documentation (2024)

Each peer in a WireGuard network has a unique public-key pair (aka “public-private key pair”, “asymmetric key pair”, or just “key pair”), which is used both to uniquely identify the peer and to encrypt communication with the peer.

A public-key pair is composed of two parts: a public key, and a private key (aka “secret key”). WireGuard uses X25519 (aka Curve25519) key pairs, where both the public key and the private key are 256-bit values. The public key can be calculated trivially from the private key (which is why if you know the private key, you typically store only the private key, and not both parts of the pair).

There is no practical way of calculating the private key from the public key, so the public key may be shared freely without compromising the secrecy of the private key. The security of a WireGuard connection depends solely on keeping the private key secret.

When configuring WireGuard, you should supply keys in base64-encoded form. When base64 encoded, both the public key and the private key will appear as 44 characters from the base64 alphabet, ending with an equals sign.

On Linux, you can generate a random private key with the following WireGuard command:

$ wg genkey
yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=

And you can calculate the matching public key for a private key using the following WireGuard command:

Copy and paste the output of the first command into the Private Key field in Pro Custodibus (or as the “PrivateKey” setting in a wg-quick-style configuration file); copy and paste the output of the second command into the Public Key field in Pro Custodibus (or as the “PublicKey” setting in a wg-quick-style configuration file).
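As an added illustration (not code from the Pro Custodibus page or from the WireGuard tools), the pure-Python X25519 below reproduces what `wg genkey` and `wg pubkey` compute and checks the 44-character base64 form described above; the ladder follows RFC 7748 and is deliberately not constant-time, so it demonstrates the math rather than how to handle a real private key.

```python
import base64
import os

P = 2**255 - 19                    # Curve25519 field prime
A24 = 121665                       # (486662 - 2) / 4, Montgomery ladder constant
BASEPOINT = (9).to_bytes(32, "little")

def clamp(k: bytes) -> int:
    """RFC 7748 scalar clamping (wg genkey clamps its random bytes the same way)."""
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 section 5 Montgomery ladder; Python ints are not constant-time, so illustration only."""
    n, x1 = clamp(k), int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        if swap ^ bit:                       # conditional swap of the two points
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e, da, cb = (aa - bb) % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def generate_private_key() -> str:
    """Same shape of output as `wg genkey`: 32 clamped random bytes, base64 encoded."""
    return base64.b64encode(clamp(os.urandom(32)).to_bytes(32, "little")).decode()

def private_to_public(private_b64: str) -> str:
    """Same computation as `wg pubkey`: X25519 of the private scalar and the base point."""
    priv = base64.b64decode(private_b64, validate=True)
    if len(priv) != 32:
        raise ValueError("a WireGuard private key decodes to exactly 32 bytes")
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()

def looks_like_wireguard_key(b64: str) -> bool:
    """The form the text describes: 44 base64 characters ending in '=' that decode to 32 bytes."""
    try:
        return len(b64) == 44 and b64.endswith("=") and len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:              # binascii.Error is a ValueError subclass
        return False
```

Running `private_to_public("yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=")` gives the same public key that `wg pubkey` prints for the private key shown above.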

Peer Identity

The public key of a WireGuard public-key pair uniquely identifies a peer. All peers that can connect to a given peer identify the peer by its public key. Only the peer itself knows its own private key, however. A peer can cryptographically prove that it knows the private key matching its public key, without revealing the private key, thereby proving its identity.

In Pro Custodibus, we often use the term “Peer Identity”, or just “Peer”, as a synonym for “Public-Key Pair”. A peer has a unique public-key pair, and the public key of this pair globally and uniquely identifies the peer.

Each WireGuard interface is configured with its own peer identity, using the private key of the peer, representing the peer locally on the host on which the interface resides. It’s also configured with the peer identities of the other peers to which it can connect, using the public keys of those other peers, representing those peers as remote endpoints of the interface.

In general, each WireGuard interface should have its own, globally unique, peer identity — in other words, you shouldn’t set up a new interface with a peer identity used anywhere else. There are some exceptions to this rule (such as when running redundant WireGuard gateways in certain high-availability scenarios), but the best practice is to use a given peer identity to configure just one WireGuard interface on just one WireGuard host.

Bulk Rotation

To rotate a public-key pair (i.e. peer identity) the easy way, follow these steps:

  1. Navigate to the main page for the peer.

  2. Click the “certificate” icon on the right side of the Peer panel.

  3. Click the Rotate Key Pair button at the bottom of the Manage Key Pair panel.

  4. Click the OK button in the “Rotate Key Pair” confirmation dialog.

A new public-key pair will be generated for you, and changes queued to update each interface and endpoint that used the old key pair (this may take a few seconds if the peer identity was used by many endpoints). When all the changes have been queued, the page will reload to display the new peer identity, and list the queued changes.

Each connection using the peer will be interrupted until the key rotation process has completed on both sides of the connection. On monitored hosts, this should take less than two minutes.

If one side of the connection is not a monitored host, you will have to update that side manually with the new key pair. See the Manual Rotation section for details.

Manual Rotation

When you use the Bulk Rotation tool to rotate the public-key pair of a connection between a monitored host and an unmonitored host, you will have to manually update the rotated key on the unmonitored host.

Such hosts will have a blank (or old) “Last Ping” value in the Peer Connections panel (and the host, interface, and endpoint columns also may be blank). For each such connection where the unmonitored host is the “Peer’s Host”, listed on the left side of the Peer Connection panel, follow these steps:

  1. Copy the value from the Private Key field of the Manage Key Pair panel (click the “eye” icon to reveal this value), and transfer it to the unmonitored host (for example, SSH into the unmonitored host, or send a secure message to a colleague who has physical access to the unmonitored host).

  2. On the unmonitored host, open the WireGuard configuration for the host, and paste the transferred private key into the PrivateKey setting for the interface.

  3. Save the WireGuard configuration change, and restart WireGuard on the unmonitored host.

For each such connection where the unmonitored host is the “Other Host”, listed on the right side of the Peer Connection panel, follow these steps:

  1. Copy the value of the Public Key field of the Manage Key Pair panel and transfer it to the unmonitored host (for example, SSH into the unmonitored host, or send a secure message to a colleague who has physical access to the unmonitored host).

  2. On the unmonitored host, open the WireGuard configuration for the host, and paste the transferred public key into the PublicKey setting for the [Peer] entry that represents the endpoint to the monitored host.

  3. Save the WireGuard configuration change, and restart WireGuard on the unmonitored host.

To perform these manual steps, you will need to either have physical access to the unmonitored host, or have a remote connection to the unmonitored host that isn’t itself tunneled through the WireGuard connection you’re in the process of updating (for example, an SSH connection to the unmonitored host that doesn’t go through WireGuard, or an RDP connection through WireGuard to the unmonitored host from a host other than the monitored host, etc.).
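The two manual edits above (replacing the interface's own PrivateKey, or replacing the PublicKey of just the one [Peer] entry that still carries the old key) are easy to get wrong by hand on a host with several peers. The following is an added example, not Pro Custodibus or wg-quick code, that makes exactly one substitution and refuses to write anything if it cannot find exactly one match; the sample configuration and its key strings are constructed placeholders.

```python
import re

# Matches "Key = value [# trailing comment]" as wg-quick style files write settings.
_SETTING = re.compile(r"^(\s*)([A-Za-z]+)(\s*=\s*)([^\s#]+)(.*)$")

def _rewrite_setting(config_text: str, section: str, key: str, new_value: str,
                     only_where_value=None) -> str:
    """Replace exactly one setting inside the given section, leaving every other line
    (comments, ordering, other [Peer] entries) intact."""
    out, current, hits = [], None, 0
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1].strip().lower()      # section names are case-insensitive
        else:
            m = _SETTING.match(line)
            if (m and current == section.lower() and m.group(2).lower() == key.lower()
                    and (only_where_value is None or m.group(4) == only_where_value)):
                line = f"{m.group(1)}{m.group(2)}{m.group(3)}{new_value}{m.group(5)}"
                hits += 1
        out.append(line)
    if hits != 1:
        raise ValueError(f"expected exactly one {key} to update in [{section}], found {hits}")
    return "\n".join(out) + ("\n" if config_text.endswith("\n") else "")

def set_interface_private_key(config_text: str, new_private_key: str) -> str:
    """The 'Peer's Host' case: the interface's own PrivateKey is replaced."""
    return _rewrite_setting(config_text, "Interface", "PrivateKey", new_private_key)

def replace_peer_public_key(config_text: str, old_public_key: str, new_public_key: str) -> str:
    """The 'Other Host' case: only the [Peer] entry that still carries the old
    public key is updated; every other peer entry is left alone."""
    return _rewrite_setting(config_text, "Peer", "PublicKey", new_public_key, old_public_key)

# Constructed sample config; the key strings are placeholders, not real keys.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = OLD_LOCAL_PRIVATE_KEY_PLACEHOLDER=
Address = 10.0.0.2/32

[Peer]
# gateway
PublicKey = OLD_GATEWAY_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.0.0.0/24

[Peer]
PublicKey = OTHER_PEER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.0.0.3/32
"""
```

Write the returned text back to the configuration file and then restart WireGuard on the unmonitored host, as the steps above describe.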


FAQs

What is public key and private key with an example?

The public key is used to encrypt the data, while the private key, which is securely stored on the recipient's device, is used to decrypt the data. This asymmetric encryption ensures that only the intended recipient can access and read the encrypted information, even if the data passes through unsecured networks.

What is the difference between public and private key certificates?

The email sender uses their private key to sign the email, and the recipient uses the sender's public key (obtained from the public certificate) to verify the signature. For encryption, the sender uses the recipient's public key to encrypt the email, and the recipient uses their private key to decrypt it.

Which statement is true about private and public keys?

The public key is used to encrypt data, while the private key is used to decrypt it. The correct statements about public and private key pairs are: Public and private keys work in conjunction with each other as a team. The public key is used to encrypt data, and the corresponding private key is used to decrypt it.

What is an example of a private key?

Private key encryption is often used to encrypt data stored or transmitted between two parties. For example, when you log in to a website using a username and password, the password is often encrypted using a private key before it is transmitted to the web server.

How do private key and public key work?

Public key cryptography is a method of encrypting or signing data with two different keys and making one of the keys, the public key, available for anyone to use. The other key is known as the private key. Data encrypted with the public key can only be decrypted with the private key.

How do I find my public key?

Command Prompt (for Windows 10 only)
  1. Open Command Prompt or Windows PowerShell.
  2. Issue the command: ssh-keygen.
  3. To view the public key, navigate to C:\Users\<username>/.ssh/id_rsa.pub or execute this command in the command prompt: more C:\Users\<username>/.ssh/id_rsa.pub.

Where do I find my private keys?

Locating a private key in Windows
  1. Open Microsoft Management Console.
  2. In the Console Root, expand Certificates (Local Computer).
  3. Locate the certificate in the Personal or Web Server folder.
  4. Right click the certificate.
  5. Select Export.
  6. Follow the guided wizard.

What is a public key private key for dummies?

One, the public key, is shared widely with anyone you might like to connect with in the future. The other, the private key, is closely protected and known only to you. Algorithms develop the keys. While they're related to one another, they can't be used to decode one another.

How do I create a public and private key from a certificate?

Procedure
  1. Open the command line.
  2. Create a new private key in the PKCS#1 format: openssl genrsa -des3 -out key_name.key key_strength. For example: openssl genrsa -des3 -out private_key.key 2048. ...
  3. Create a certificate signing request (CSR).

What is a certificate, public key, and private key?

These keys are a linked pair of text files and are created together as a pair when you create your Certificate Signing Request (CSR). SSL works by making one key of the pair (the public key) known to the outside world, while the other (the private key) remains a secret only you know.

Does a certificate contain both public and private key?

In summary, certificates are files with a public key and a set of information about its respective private key owner. So, to guarantee correctness and authenticity, certificates are checked and made available by certificate authorities. Of course, we need to trust the certificate authority that homologates a certificate.

Why is public key better than private key?

The public key is available to anyone who wants to send an encrypted message to the owner of the private key. It is used to encrypt the data and can be shared freely. The private key, conversely, is kept secret and is used to decrypt the encrypted message.

Can you decrypt with a public key?

The power of public key encryption is in that mathematical operation. It's a "one-way function", which means it's incredibly difficult for a computer to reverse the operation and discover the original data. Even the public key cannot be used to decrypt the data.

Are public and private keys the same in a public key encryption scheme?

Public-key cryptography is any cryptographic system that uses pairs of keys. Public keys may be distributed and paired with private keys which are known only to the owner. Since the public and private keys are given by the owner, no third parties should be held accountable for the security of the information.

What is a public key with an example?

Public keys are important because they help protect sensitive information and send it securely. For example, imagine sending a confidential letter that's only intended for the recipient, you might consider sending the letter in a locked box, but you would also have to send the key.

What is a real life example of a public key?

Despite its theoretical and potential problems, Public key infrastructure is widely used. Examples include TLS and its predecessor SSL, which are commonly used to provide security for web browser transactions (for example, most websites utilize TLS for HTTPS).

What is a public key in simple terms?

In cryptography, a public key is a large numerical value that is used to encrypt data. The key can be generated by a software program, but more often, it is provided by a trusted, designated authority and made available to everyone through a publicly accessible repository or directory.

What is a private key in simple terms?

Definition: A private key, also known as a secret key, is a mathematical key (kept secret by the holder) used to create digital signatures and, depending on the algorithm, to decrypt messages or files encrypted (for confidentiality) with the corresponding public key.

Article information

Author: Fredrick Kertzmann
