ROSENPASS(1) | General Commands Manual | ROSENPASS(1) |
NAME
rosenpass
— builds
post-quantum-secure VPNs
SYNOPSIS
rosenpass |
[COMMAND] [OPTIONS ...] [ARGS ...] |
DESCRIPTION
rosenpass
performs cryptographic key
exchanges that are secure against quantum-computers and then outputs the
keys. These keys can then be passed to various services, such as wireguard
or other vpn services, as pre-shared-keys to achieve security against
attackers with quantum computers.
This is a research project and quantum computers are not thought to become practical in fewer than ten years. If you are not specifically tasked with developing post-quantum secure systems, you probably do not need this tool.
COMMANDS
- gen-keys --secret-key <file-path> --public-key <file-path>
- Generate a keypair to use in the exchange command later. Send the public-key file to your communication partner and keep the private-key file secret!
- exchange private-key <file-path> public-key <file-path> [OPTIONS] PEERS
- Start a process to exchange keys with the specified peers. You should
specify at least one peer.
Its OPTIONS are as follows:
- listen <ip>[:<port>]
- Instructs
rosenpass
to listen on the specified interface and port. By default,rosenpass
will listen on all interfaces and select a random port. - verbose
- Extra logging.
PEER
Each PEER is defined as follows: "peer public-key <file-path> [endpoint <ip>[:<port>]] [preshared-key <file-path>] [outfile <file-path>] [wireguard <dev> <peer> <extra_params>]"
Providing a PEER instructs
rosenpass
to exchange keys with the given peer and
write the resulting PSK into the given output file. You must either specify
the outfile or wireguard output option.
The parameters of PEER are as follows:
- endpoint <ip>[:<port>]
- Specifies the address where the peer can be reached. This will be automatically updated after the first successful key exchange with the peer. If this is unspecified, the peer must initiate the connection.
- preshared-key <file-path>
- You may specify a pre-shared key which will be mixed into the final secret.
- outfile <file-path>
- You may specify a file to write the exchanged keys to. If this option is
specified,
rosenpass
will write a notification to standard out every time the key is updated. - wireguard <dev> <peer> <extra_params>
- This allows you to directly specify a wireguard peer to deploy the
pre-shared-key to. You may specify extra parameters you would pass to
"wg set" besides the preshared-key parameter which is used by
rosenpass
. This makes it possible to add peers entirely fromrosenpass
.
EXIT STATUS
The rosenpass
utility exits 0 on
success, and >0 if an error occurs.
SEE ALSO
Karolin Varner, Benjamin Lipp, Wanja Zaeske, and Lisa Schmidt, Rosenpass, https://rosenpass.eu/whitepaper.pdf, 2023.
STANDARDS
This tool is the reference implementation of the Rosenpass protocol, as specified within the whitepaper referenced above.
AUTHORS
Rosenpass was created by Karolin Varner, Benjamin Lipp, Wanja Zaeske, Marei Peischl, Stephan Ajuvo, and Lisa Schmidt.
This manual page was written by Clara Engler
BUGS
The bugs are tracked at https://github.com/rosenpass/rosenpass/issues.
September 16, 2024 | Debian |