WIRESEP-KEYGEN(1) General Commands Manual WIRESEP-KEYGEN(1)

wiresep-keygen - key generator for WireSep

wiresep-keygen [-o dir] tunN

wiresep-keygen [-o dir] -s global

wiresep-keygen [-o dir] -s tunN [peer ...]

wiresep-keygen generates the two types of keys used by wiresep(8): private keys and pre-shared keys. Each tunnel interface should have exactly one private key generated for it. Pre-shared keys can be used in different scopes, namely global, per interface or per peer. The use of pre-shared keys is optional in WireGuard, but when used they add an additional layer of security that is quantum-proof.

In the first synopsis wiresep-keygen generates a private key. By default the key is stored in /etc/wireguard unless overridden with -o. The name of the file is tunN.privkey where tunN is the name of an interface, e.g. tun0.

In the second synopsis a global pre-shared key is generated that can be used on all configured interfaces with all peers that have no more specific overrides. By default the key is stored in /etc/wireguard/global.psk unless -o is used with a different dir.

In the third synopsis a pre-shared key is generated that is used for the specific tunN only, or with the specified peer on tunN only. By default the key for an interface is stored in /etc/wireguard/tunN.psk unless -o is used with a different dir. If any peer is specified then the key is stored in /etc/wireguard/tunN.peer.psk and overrides any interface-specific or global pre-shared keys.
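The scope precedence described above (per peer, then per interface, then global) can be audited with a small lookup over the key directory. This is an added example, not part of wiresep; the function names effective_psk and psk_scope are hypothetical, and wiresep(8) performs its own lookup.

```shell
#!/bin/sh
# Added example: report which pre-shared key file applies to a peer,
# following the precedence described in this manual page:
#   tunN.peer.psk  >  tunN.psk  >  global.psk
# Function names are hypothetical, not part of wiresep.

# effective_psk dir tunN [peer]
# Prints the path of the most specific existing key file.
# Returns 1 when no pre-shared key exists for this interface/peer.
effective_psk() {
    dir=$1 ifn=$2 peer=${3-}
    if [ -n "$peer" ] && [ -f "$dir/$ifn.$peer.psk" ]; then
        printf '%s\n' "$dir/$ifn.$peer.psk"
    elif [ -f "$dir/$ifn.psk" ]; then
        printf '%s\n' "$dir/$ifn.psk"
    elif [ -f "$dir/global.psk" ]; then
        printf '%s\n' "$dir/global.psk"
    else
        return 1
    fi
}

# psk_scope dir tunN [peer]
# Prints "peer", "interface", "global" or "none" for the key that applies.
psk_scope() {
    f=$(effective_psk "$@") || { echo none; return 0; }
    case ${f##*/} in
        global.psk) echo global ;;
        "$2.psk")   echo interface ;;
        *)          echo peer ;;
    esac
}

# Stand-alone use: sh thisfile /etc/wireguard tun0 [peer]
if [ "$#" -ge 2 ]; then
    psk_scope "$@"
fi
```

A result of "global" or "interface" for a peer means that peer shares its pre-shared key with other peers, which is worth knowing before rotating or revoking a key.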

The wiresep-keygen utility exits 0 on success, and >0 if an error occurs.

wiresep.conf(5), wiresep(8)

Tim Kuijsten

March 30, 2020 OpenBSD 6.6