Welcome to the documentation page for Rosenpass. This guide contains the manual pages, slides from various presentations, as well as links to both our scientific whitepaper and the github repository for the Rosenpass source code.

What is Rosenpass?

Rosenpass is a daemon, that, given a private key and a list of peers, performs a key exchange with each peer. The resulting shared secrets are given to WireGuard using its PSK feature – WireGuard remains as secure as it was, Rosenpass adds protection against quantum computers. Rosenpass can also write the shared secrets to files; this can be used to integrate Rosenpass with tools other than WireGuard.

Who is Rosenpass for?

Rosenpass is for everyone who wants secure encryption, particularly in a world where "store now, decrypt later" attacks are considered to be a present threat. If your data is being encrypted with methods that are not post-quantum secure, that data may already be vulnerable to harvest attacks relying on future access to quantum computing. The goal of Rosenpass is to protect everyone from that future, much as classical encryption methods protect everyone in a pre-quantum world. That said, there is a skill-floor to using the currently available implementations of Rosenpass. Typically, developers with some experience of manually configured VPNs will have the easiest time setting up the Rosenpass daemon, particularly those using specific versions of Linux. Support for further systems is actively being researched, but is not currently imminent.

Quick Start

If you simply want to get Rosenpass up and running quickly, you are best served using the Quick Start Guide. It contains everything you need to download, configure, and start a WireGuard connection using the Rosenpass key exchange.

Which systems are supported by Rosenpass?

Rosenpass currently provides packages and static binaries for several Linux distributions, as shown here:

What planned features are on the way?

  • Cunicu integration: Cunicu is a user-space daemon for managing WireGuard connections for small devices. We intend to integrate post-quantum security into that daemon via Rosenpass
  • Docker and micro-VM implementations: We are currently working on using micro-VMs to reduce the scope of system privileges Rosenpass needs to run
  • Hacspec integration: Hackspec is a rust-based language designed by Cryspen to enable the use of several formal verification tools that enable high-assurance cryptography
  • NetBird partnership: We are working with NetBird to produce a commercially-ready VPN service that is post-quantum secure
  • Golang implementation of Rosenpass: Our initial implementation of Rosenpass is written in Rust, but we are working on an alternative, compatible Golang-built implementation to increase diversity and reach new platforms. It is called go-rosenpass.

Current Version Release Notes


  • Improved code quality by applying clippy lints
  • Removed unnecessary unsafe keyword instances
  • Addressed stack overflow based test failure using the stacker crate
  • Added fix to reap lingering wireguard child-processes
  • Updated manpage
  • Split code into subcrates, added cargo workspace
  • Repaired benchmark code
  • Added a couple more unit tests