# Keystore
The Infix keystore is a centralized storage system for cryptographic keys used throughout the system. It is based on the IETF standards RFC 9641 (Keystore) and RFC 9640 (Cryptographic Types), with Infix extensions for WiFi and WireGuard key formats.
## Overview

The keystore supports two types of cryptographic keys:

- Asymmetric Keys: public/private key pairs used for:
  - SSH host authentication (RSA keys)
  - WireGuard VPN tunnels (X25519 keys)
- Symmetric Keys: shared secrets used for:
  - WiFi authentication (WPA2/WPA3 pre-shared keys)
  - WireGuard VPN pre-shared keys
All keys are stored under the ietf-keystore configuration path and can be
managed via CLI, NETCONF, or RESTCONF.
## Supported Formats

| Asymmetric Key Format | Use Case | Key Type |
|---|---|---|
| `rsa-private-key-format` / `ssh-public-key-format` | SSH host keys | RSA |
| `x25519-private-key-format` / `x25519-public-key-format` | WireGuard VPN | Curve25519 |

| Symmetric Key Format | Use Case |
|---|---|
| `passphrase-key-format` | Human-readable passphrases (WiFi) |
| `octet-string-key-format` | Raw symmetric keys (WireGuard) |
## Asymmetric Keys
Asymmetric keys consist of a public/private key pair. The public key can be shared freely, while the private key must be kept secure.
### SSH Host Keys
SSH host keys identify the system during SSH and NETCONF connections. The
default host key is automatically generated on first boot and stored in the
keystore with the name genkey.
See SSH Management for details on generating and importing custom SSH host keys.
### WireGuard Keys
WireGuard uses X25519 elliptic curve cryptography for key exchange. Each WireGuard interface requires a public/private key pair stored as an asymmetric key in the keystore. Key pairs can be generated directly from the CLI:
```
admin@example:/> wireguard genkey
Private: aMqBvZqkSP5JrqBvZqkSP5JrqBvZqkSP5JrqBvZqkSP=
Public: bN1CwZ1lTP6KsrCwZ1lTP6KsrCwZ1lTP6KsrCwZ1lTP=
```
See WireGuard VPN for key generation and configuration examples.
## Symmetric Keys
Symmetric keys are shared secrets where the same key must be configured on all systems that need to communicate.
### WiFi Pre-Shared Keys
WiFi networks secured with WPA2 or WPA3 use pre-shared keys stored as
symmetric keys in the keystore with passphrase-key-format. The
passphrase must be 8-63 printable ASCII characters.
Since symmetric keys are stored as binary (base64-encoded), the CLI
provides the change command to enter passphrases interactively:
```
admin@example:/config/keystore/…/my-wifi-key/> change cleartext-symmetric-key
Passphrase: ************
Retype passphrase: ************
```
See WiFi for complete configuration examples.
### WireGuard Pre-Shared Keys
WireGuard supports optional pre-shared keys (PSK) that add a layer of
symmetric encryption alongside Curve25519. PSKs use the standard IETF
octet-string-key-format (32 random bytes). This provides defense-in-depth
against future quantum computers that might break elliptic curve cryptography.
Note, however, that WireGuard’s authentication and initial key agreement
remain Curve25519-based, so PSKs only protect the session encryption,
not the handshake itself.
PSKs can be generated directly from the CLI:
```
admin@example:/> wireguard genpsk
cO2DxZ2mUQ7LtsrDxZ2mUQ7LtsrDxZ2mUQ7LtsrDxZ2m=
```
See WireGuard VPN for PSK generation and usage examples.
## Viewing Keys
The show keystore command in admin-exec mode gives an overview of all
keys in the keystore. Passphrases (WiFi passwords) are decoded and shown
in cleartext, while binary keys (WireGuard PSKs) are shown as base64:
```
admin@example:/> show keystore
────────────────────────────────────────────────────────────────────────
Symmetric Keys
NAME            FORMAT          VALUE
my-wifi-key     passphrase      MySecretPassword
wg-psk          octet-string    zYr83O4Ykj9i1gN+/aaosJxQx...
────────────────────────────────────────────────────────────────────────
Asymmetric Keys
NAME            TYPE            PUBLIC KEY
genkey          rsa             MIIBCgKCAQEAnj0YinjhYDgYbEGuh7...
wg-tunnel       x25519          bN1CwZ1lTP6KsrCwZ1lTP6KsrCwZ1...
```
To see the full (untruncated) details of a specific key, use the
symmetric or asymmetric qualifier with the key name:
```
admin@example:/> show keystore symmetric my-wifi-key
name   : my-wifi-key
format : passphrase
value  : MySecretPassword
```

```
admin@example:/> show keystore asymmetric genkey
name              : genkey
algorithm         : rsa
public key format : ssh-public-key
public key        : MIIBCgKCAQEAnj0YinjhY...full key...IDAQAB
```
**Note:** The `show keystore` command is protected by NACM. Only users in the
admin group can view keystore data. Operator-level users will see a
message indicating that no keystore data is available.
The full configuration-mode view (including private keys) is still
available via configure and then show keystore:
```
admin@example:/config/> show keystore
```
**Warning:** The configuration-mode `show keystore` displays private keys in
cleartext. Be careful when viewing keys on shared screens or in
logged sessions. The admin-exec `show keystore` command never
displays private keys.
## Deleting Keys

```
admin@example:/> configure
admin@example:/config/> delete keystore asymmetric-key mykey
admin@example:/config/> leave
```

**Caution:** Deleting a key that is referenced by a service (SSH, WireGuard, WiFi) will cause that service to fail. Verify the key is not in use before deletion.
## Security Considerations
The keystore is protected by NACM (Network Access Control Model) rules.
Only users in the admin group can view or modify cryptographic keys.
See NACM for details on access control.
Private keys are stored in cleartext in the configuration database. Configuration files and backups containing the keystore should be treated as sensitive and protected accordingly.
## Key Validation

Symmetric key values are stored as binary (base64-encoded). The system validates them based on their declared format:

- `passphrase-key-format`: used by WiFi; must decode to 8-63 printable ASCII characters.
- `octet-string-key-format`: used by WireGuard; must decode to exactly 32 bytes (256 bits).
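As an added example (not part of the Infix documentation or code base), the following Python script applies these two validation rules to base64-encoded symmetric key values, encodes a WiFi passphrase the way it is stored, and generates a PSK of the same shape as `wireguard genpsk` output. All function and constant names are this example's own assumptions, not Infix identifiers.

```python
import base64
import binascii
import secrets

# Limits as stated in the Infix keystore documentation (constant names are
# this example's own, not Infix identifiers).
PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63   # passphrase-key-format (WiFi WPA2/WPA3)
OCTET_STRING_LEN = 32                    # octet-string-key-format (WireGuard PSK)

def decode_b64(value: str) -> bytes:
    """Strictly decode a base64 key value; reject characters outside the alphabet."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc

def validate_symmetric_key(fmt: str, b64_value: str) -> bytes:
    """Return the decoded key if it satisfies its declared format, else raise ValueError."""
    raw = decode_b64(b64_value)
    if fmt == "passphrase-key-format":
        if not PASSPHRASE_MIN <= len(raw) <= PASSPHRASE_MAX:
            raise ValueError(f"passphrase must be {PASSPHRASE_MIN}-{PASSPHRASE_MAX} "
                             f"characters, got {len(raw)}")
        if not all(0x20 <= b <= 0x7E for b in raw):      # printable ASCII only
            raise ValueError("passphrase contains non-printable or non-ASCII bytes")
        return raw
    if fmt == "octet-string-key-format":
        if len(raw) != OCTET_STRING_LEN:
            raise ValueError(f"octet-string key must be exactly {OCTET_STRING_LEN} "
                             f"bytes, got {len(raw)}")
        return raw
    raise ValueError(f"unsupported symmetric key format: {fmt}")

def is_valid_symmetric_key(fmt: str, b64_value: str) -> bool:
    """Boolean wrapper around validate_symmetric_key()."""
    try:
        validate_symmetric_key(fmt, b64_value)
        return True
    except ValueError:
        return False

def encode_passphrase(passphrase: str) -> str:
    """Base64-encode a WiFi passphrase for storage, checking it against the format rules."""
    b64 = base64.b64encode(passphrase.encode("ascii")).decode("ascii")
    validate_symmetric_key("passphrase-key-format", b64)
    return b64

def genpsk() -> str:
    """32 random bytes, base64-encoded: the same shape as `wireguard genpsk` output."""
    return base64.b64encode(secrets.token_bytes(OCTET_STRING_LEN)).decode("ascii")
```

A valid PSK is always 44 base64 characters ending in a single `=`, which is a quick visual check before pasting one into the configuration.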