WireGuard key rotation


We often get asked if it is possible to “rotate” or “regenerate” the WireGuard keys used to secure connections when using the WireGuard VPN protocol. That is, replace old keys with new keys.

It is possible to manually rotate the WireGuard peer keys (usually stored in the WireGuard configuration files) used for Proton VPN connections if you wish, but doing so is rarely useful. In this article we explain why.

Why rotating WireGuard keys is rarely useful

The WireGuard peer keys cannot be sniffed without decrypting the handshake, which is not possible unless an attacker has the private key of the VPN server you connect to. Needless to say, this key is stored very securely.

These peer keys serve primarily to verify that the user account is valid and to establish an identity that allows session keys to be agreed. It is these session keys, rather than the keys stored in the WireGuard configuration files, that encrypt your internet traffic.

Session keys are generated automatically by WireGuard itself whenever a new handshake occurs, which is every two minutes.
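As an added example (not part of this article or of Proton VPN's own code), the following Python script shows how to confirm from `wg show <interface> dump` output that a peer's session keys really are being renewed: the latest-handshake column is a Unix timestamp, so a peer whose last handshake is older than a few minutes is not currently exchanging traffic under fresh session keys. The interface name `wg0`, the sample dump lines and the 180 second staleness threshold are assumptions made for this example.

```python
"""Classify WireGuard peers by handshake age using `wg show <iface> dump` text."""
import subprocess
import time
from dataclasses import dataclass
from typing import List, Optional

# WireGuard initiates a new handshake (and so derives new session keys) after
# 120 s of a session's life. A last handshake older than 180 s is treated as
# stale here; that threshold is an assumption for this example.
REKEY_AFTER_SECONDS = 120
STALE_AFTER_SECONDS = 180

# Constructed sample in the `wg show wg0 dump` layout. First line: interface
# (private key, public key, listen port, fwmark). Following lines: one peer each
# (public key, preshared key, endpoint, allowed IPs, latest handshake as Unix
# seconds or 0 if never, rx bytes, tx bytes, persistent keepalive).
SAMPLE_DUMP = "\n".join([
    "(none)\tIFACE_PUBKEY_PLACEHOLDER=\t51820\toff",
    "PEER_A_PUBKEY_PLACEHOLDER=\t(none)\t203.0.113.10:51820\t0.0.0.0/0\t1700000100\t123456\t654321\t25",
    "PEER_B_PUBKEY_PLACEHOLDER=\t(none)\t203.0.113.11:51820\t10.2.0.0/16\t0\t0\t0\toff",
])


@dataclass
class PeerStatus:
    public_key: str
    latest_handshake: int          # Unix seconds, 0 if no handshake has ever completed
    age_seconds: Optional[int]     # None when the peer has never handshaken
    fresh: bool                    # True when session keys were renewed recently


def parse_peer_status(dump: str, now: int) -> List[PeerStatus]:
    """Parse `wg show <iface> dump` output and classify each peer's handshake age."""
    statuses = []
    for line in dump.splitlines()[1:]:          # skip the interface line
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        public_key, latest = fields[0], int(fields[4])
        if latest == 0:
            statuses.append(PeerStatus(public_key, 0, None, False))
            continue
        age = now - latest
        statuses.append(PeerStatus(public_key, latest, age, age <= STALE_AFTER_SECONDS))
    return statuses


if __name__ == "__main__":
    try:   # use the live interface when `wg` is available, else the constructed sample
        dump = subprocess.check_output(["wg", "show", "wg0", "dump"], text=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        dump = SAMPLE_DUMP
    for status in parse_peer_status(dump, int(time.time())):
        print(status)
```

A peer that is idle (no traffic to send) will legitimately show an old handshake, since WireGuard only handshakes when it has something to transmit, so a stale entry means "no fresh session right now" rather than "rotation is broken".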

When rotating peer keys might be useful

The only situation where rotating WireGuard peer keys might be useful is if your device has been compromised in some way. 

How to rotate keys

Whenever you log out of a Proton VPN app (or revoke your session in Proton Mail settings), the keys stored in the WireGuard configuration files for that app are revoked and cannot be used again. When you log back in again, a new key pair is generated.

You can therefore manually “rotate” or regenerate WireGuard peer keys simply by logging out of the VPN app and then logging back in again.