Post-Quantum Secure
Rosenpass is a key-exchange protocol using techniques that are secure against attacks from quantum computers.
It achieves the same security guarantees as WireGuard, using two strong post-quantum key exchange methods – Classic McEliece and Kyber.
Works with WireGuard
To use Rosenpass, you don't have to get rid of WireGuard; Rosenpass handles post-quantum security, WireGuard handles pre-quantum security and high-speed data transmission.
Free and Open Source
Rosenpass is Free and Open Source Software under the Apache 2.0 and MIT license and developed by hackers and researchers.
Getting started
Getting Help
- The
rp
bash program is used to build a VPN with WireGuard and Rosenpass. You can inspect how the tool integrates thewg
WireGuard frontend and therosenpass
tool that implements our cryptography using theexplain
flag.
$ rp explain genkey mykey
#! /bin/bash
set -e
umask 077
mkdir -p mykey
wg genkey > mykey/wgsk
rosenpass keygen \
private-key mykey/pqsk \
public-key mykey/pqpk
- Since Rosenpass was released very recently, packaging is an ongoing process. We will provide packages for debian, nix, arch linux, and possibly alpine. You can follow the process in the README.
(arch AUR) $ aura -A rosenpass-git
(nix-flake) $ nix profile install github:rosenpass/rosenpass#rosenpass
(cargo) $ cargo install rosenpass
- To get more information about command line parameters used by the tools, you can ask the tools for help:
rp help
rosenpass help
Generate and Use Rosenpass Keys
- Start by generating secret keys on both hosts:
user@server:~$
rp genkey server.rosenpass-secret
user@client:~$
rp genkey client.rosenpass-secret
- Extract the public keys:
user@server:~$
rp pubkey server.rosenpass-secret server.rosenpass-public
user@client:~$
rp pubkey client.rosenpass-secret client.rosenpass-public
- Copy the
-public
directories to the other peers and then start the VPN:
• On the server:
user@server:~$
sudo rp exchange server.rosenpass-secret dev rosenpass0 listen 192.168.0.1:9999 \
peer client.rosenpass-public allowed-ips fe80::/64
• On the client:
user@client:~$
sudo rp exchange client.rosenpass-secret dev rosenpass0 \
peer server.rosenpass-public endpoint 192.168.0.1:9999 allowed-ips fe80::/64
- Assign IP addresses:
user@server:~$
sudo ip a add fe80::1/64 dev rosenpass0
user@client:~$
sudo ip a add fe80::2/64 dev rosenpass0
- Test the connection by pinging the server on the client machine:
user@client:~$
ping fe80::1%rosenpass0
- You can watch how Rosenpass replaces the WireGuard PSK with the following command:
watch -n 0.2 'wg show all; wg show all preshared-keys'
License
The Rosenpass software is subject to the Apache License Version 2.0, January 2004 and the MIT License with attribution
The content of this website is published under a Creative Commons license:
Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)