Rosenpass: Difference between revisions

(4 intermediate revisions by the same user not shown)

Line 1:

[https://rosenpass.eu// Rosenpass] implements a post-quantum-secure key exchange for use with e.g. [[WireGuard]].

[https://rosenpass.eu/ Rosenpass] implements a post-quantum-secure key exchange for use with e.g. [[WireGuard]].

=Setting up Rosenpass=

Line 20:

We will first need to generate and then distribute the keypairs.

Creating the key pairs is simple:

Creating the key pairs is simple, but to do this securely, it should happen on the respective hosts.

This way it becomes a bit elaborate to distribute the public keys to the other respective peer:

~~nix~~-~~shell~~ -p ~~rosenpass wireguard~~-~~tools~~

ssh root@server "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"

mkdir ~~keys~~ && ~~cd keys~~

ssh root@client "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"

~~# keys for Rosenpass~~

ssh root@server "cd /var/secrets/rp && rosenpass gen-keys --secret-key pqsk --public-key pqpk"

rosenpass gen-keys --secret-key ~~client.~~pqsk --public-key ~~client.~~pqpk

ssh root@client "cd /var/secrets/rp && rosenpass gen-keys --secret-key pqsk --public-key pqpk"

rosenpass gen-keys --secret-key ~~server.~~pqsk --public-key ~~server.~~pqpk

~~# Keys for WireGuard~~

ssh root@server "cd /var/secrets/wg && wg genkey | tee wgsk | wg pubkey > wgpk"

wg genkey | tee ~~client.~~wgsk | wg pubkey > ~~client.~~wgpk

ssh root@client "cd /var/secrets/wg && wg genkey | tee wgsk | wg pubkey > wgpk"

wg genkey | tee ~~server.~~wgsk | wg pubkey > ~~server.~~wgpk

~~</syntaxHighlight>~~

~~You can create as many keypairs as you like for different connections or roles; it is also possible to reuse the same keypair for every connection~~.

rsync root@server:/var/secrets/rp/pqpk server.pqpk

rsync root@client:/var/secrets/rp/pqpk client.pqpk

rsync --perms --chmod=644 server.pqpk root@client:/var/secrets/rp/server.pqpk

rsync --perms --chmod=644 client.pqpk root@server:/var/secrets/rp/client.pqpk

~~Copying the keypairs~~ is ~~also simple but a bit more tedious to get the file system permissions right:~~

ssh root@server "echo server wg pubkey is \$(cat /var/secrets/wg/wgpk)"

ssh root@client "echo client wg pubkey is \$(cat /var/secrets/wg/wgpk)"

</syntaxHighlight>

~~<syntaxHighlight lang="bash">~~

Note down the results of the last two printed lines as these are the public keys that need to be entered in the following NixOS configuration snippets.

~~ssh root@server "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"~~

~~rsync --perms --chmod=640 --chown=systemd-network:systemd-network server~~.~~wgsk root@server:/var/secrets/wg/wgsk~~

~~rsync --perms --chmod=640 server.pqsk root@server:/var/secrets/rp/pqsk~~

~~rsync --perms --chmod=640 server.pqpk root@server:/var/secrets/rp/pqpk~~

~~rsync --perms --chmod=644 client.pqpk root@server:/var/secrets/rp/~~

~~ssh root@client "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"~~

You can create as many keypairs as you like for different connections or roles; it is also possible to reuse the same keypair for every connection.

~~rsync --perms --chmod=640 --chown=systemd-network:systemd-network client~~.~~wgsk root@client:/var/secrets/wg/wgsk~~

~~rsync --perms --chmod=640 client.pqsk root@client:/var/secrets/rp/pqsk~~

~~rsync --perms --chmod=640 client.pqpk root@client:/var/secrets/rp/pqpk~~

~~rsync --perms --chmod=644 server.pqpk root@client:/var/secrets/rp/~~

~~</syntaxHighlight>~~

===Server setup===

Line 207:

Line 200:

rtt min/avg/max/mdev = 1.116/1.190/1.329/0.098 ms

$ ssh ~~server~~ "ping -c3 1:c:bad:c0de::1"

$ ssh client "ping -c3 1:c:bad:c0de::1"

PING 1:c:bad:c0de::1 (1:c:bad:c0de::1) 56 data bytes

64 bytes from 1:c:bad:c0de::1: icmp_seq=1 ttl=64 time=1.03 ms

Line 222:

Line 215:

==The <code>rosenpass0</code> device does not pop up==

This is most likely an issue in the non-~~Rosenpart~~ of the configuration.

This is most likely an issue in the non-Rosenpass part of the configuration.

Please have a look at the output of the command <code>systemctl status sytemd-network</code>.

If for example file permissions of the keys are too restrictive, then this will manifest as error messages here.

Line 230:

Line 223:

Even if the rosenpass0 device pops up, it still might be possible that Rosenpass observes errors during setup or connect.

Please have a look at the output of the command <code>systemctl status rosenpass</code>.

If for example file permissions of the keys are too restrictive, then this will manifest as error messages here.

=See also=

@@ Line 1: / Line 1: @@
-[https://rosenpass.eu// Rosenpass] implements a post-quantum-secure key exchange for use with e.g. [[WireGuard]].
+[https://rosenpass.eu/ Rosenpass] implements a post-quantum-secure key exchange for use with e.g. [[WireGuard]].
 =Setting up Rosenpass=
@@ Line 20: / Line 20: @@
 We will first need to generate and then distribute the keypairs.
-Creating the key pairs is simple:
+Creating the key pairs is simple, but to do this securely, it should happen on the respective hosts.
+This way it becomes a bit elaborate to distribute the public keys to the other respective peer:
 <syntaxHighlight lang="bash">
-nix-shell -p rosenpass wireguard-tools
+ssh root@server "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"
-mkdir keys && cd keys
+ssh root@client "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"
-# keys for Rosenpass
+ssh root@server "cd /var/secrets/rp && rosenpass gen-keys --secret-key pqsk --public-key pqpk"
-rosenpass gen-keys --secret-key client.pqsk --public-key client.pqpk
+ssh root@client "cd /var/secrets/rp && rosenpass gen-keys --secret-key pqsk --public-key pqpk"
-rosenpass gen-keys --secret-key server.pqsk --public-key server.pqpk
-# Keys for WireGuard
+ssh root@server "cd /var/secrets/wg && wg genkey | tee wgsk | wg pubkey > wgpk"
-wg genkey | tee client.wgsk | wg pubkey > client.wgpk
+ssh root@client "cd /var/secrets/wg && wg genkey | tee wgsk | wg pubkey > wgpk"
-wg genkey | tee server.wgsk | wg pubkey > server.wgpk
-</syntaxHighlight>
-You can create as many keypairs as you like for different connections or roles; it is also possible to reuse the same keypair for every connection.
+rsync root@server:/var/secrets/rp/pqpk server.pqpk
+rsync root@client:/var/secrets/rp/pqpk client.pqpk
+rsync --perms --chmod=644 server.pqpk root@client:/var/secrets/rp/server.pqpk
+rsync --perms --chmod=644 client.pqpk root@server:/var/secrets/rp/client.pqpk
-Copying the keypairs is also simple but a bit more tedious to get the file system permissions right:
+ssh root@server "echo server wg pubkey is \$(cat /var/secrets/wg/wgpk)"
+ssh root@client "echo client wg pubkey is \$(cat /var/secrets/wg/wgpk)"
+</syntaxHighlight>
-<syntaxHighlight lang="bash">
+Note down the results of the last two printed lines as these are the public keys that need to be entered in the following NixOS configuration snippets.
-ssh root@server "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"
-rsync --perms --chmod=640 --chown=systemd-network:systemd-network server.wgsk root@server:/var/secrets/wg/wgsk
-rsync --perms --chmod=640 server.pqsk root@server:/var/secrets/rp/pqsk
-rsync --perms --chmod=640 server.pqpk root@server:/var/secrets/rp/pqpk
-rsync --perms --chmod=644 client.pqpk root@server:/var/secrets/rp/
-ssh root@client "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"
+You can create as many keypairs as you like for different connections or roles; it is also possible to reuse the same keypair for every connection.
-rsync --perms --chmod=640 --chown=systemd-network:systemd-network client.wgsk root@client:/var/secrets/wg/wgsk
-rsync --perms --chmod=640 client.pqsk root@client:/var/secrets/rp/pqsk
-rsync --perms --chmod=640 client.pqpk root@client:/var/secrets/rp/pqpk
-rsync --perms --chmod=644 server.pqpk root@client:/var/secrets/rp/
-</syntaxHighlight>
 ===Server setup===
@@ Line 207: / Line 200: @@
 rtt min/avg/max/mdev = 1.116/1.190/1.329/0.098 ms
-$ ssh server "ping -c3 1:c:bad:c0de::1"
+$ ssh client "ping -c3 1:c:bad:c0de::1"
 PING 1:c:bad:c0de::1 (1:c:bad:c0de::1) 56 data bytes
 bytes from 1:c:bad:c0de::1: icmp_seq=1 ttl=64 time=1.03 ms
@@ Line 222: / Line 215: @@
 ==The <code>rosenpass0</code> device does not pop up==
-This is most likely an issue in the non-Rosenpart of the configuration.
+This is most likely an issue in the non-Rosenpass part of the configuration.
 Please have a look at the output of the command <code>systemctl status sytemd-network</code>.
 If for example file permissions of the keys are too restrictive, then this will manifest as error messages here.
@@ Line 230: / Line 223: @@
 Even if the rosenpass0 device pops up, it still might be possible that Rosenpass observes errors during setup or connect.
 Please have a look at the output of the command <code>systemctl status rosenpass</code>.
+If for example file permissions of the keys are too restrictive, then this will manifest as error messages here.
 =See also=