COMMANDS

keygen private-key <file-path> public-key <file-path>

Generate a keypair to use in the exchange command later. Send the public-key file to your communication partner and keep the private-key file secret!

exchange private-key <file-path> public-key <file-path> [OPTIONS] PEERS

Start a process to exchange keys with the specified peers. You should specify at least one peer.

Its OPTIONS are as follows:

listen <ip>[:<port>]

Instructs rosenpass to listen on the specified interface and port. By default, rosenpass will listen on all interfaces and select a random port.

verbose

Extra logging.

PEER

Each PEER is defined as follows: "peer public-key <file-path> [endpoint <ip>[:<port>]] [preshared-key <file-path>] [outfile <file-path>] [wireguard <dev> <peer> <extra_params>]"

Providing a PEER instructs rosenpass to exchange keys with the given peer and write the resulting PSK into the given output file. You must either specify the outfile or wireguard output option.

The parameters of PEER are as follows:

endpoint <ip>[:<port>]

Specifies the address where the peer can be reached. This will be automatically updated after the first successful key exchange with the peer. If this is unspecified, the peer must initiate the connection.

preshared-key <file-path>

You may specify a pre-shared key which will be mixed into the final secret.

outfile <file-path>

You may specify a file to write the exchanged keys to. If this option is specified, rosenpass will write a notification to standard out every time the key is updated.

wireguard <dev> <peer> <extra_params>

This allows you to directly specify a wireguard peer to deploy the pre-shared-key to. You may specify extra parameters you would pass to "wg set" besides the preshared-key parameter which is used by rosenpass. This makes it possible to add peers entirely from rosenpass.