man: note handling of secret information with permissions

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2024-11-23 18:23:32 +08:00 · 2018-01-29 20:43:30 +01:00 · 2018-01-29 20:43:30 +01:00 · a8d6dbedca
commit a8d6dbedca
parent 3209474fcb
1 changed files with 8 additions and 2 deletions
--- a/man/systemd.netdev.xml
+++ b/man/systemd.netdev.xml
@ -1025,7 +1025,10 @@
          <para>The Base64 encoded private key for the interface. It can be
            generated using the <command>wg genkey</command> command
            (see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
-            This option is mandatory to use WireGuard.</para>
+            This option is mandatory to use WireGuard.
+            Note that because this information is secret, you may want to set
+            the permissions of the .netdev file to be owned by <literal>root:systemd-networkd</literal>
+            with a <literal>0640</literal> file mode.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
@ -1070,7 +1073,10 @@
            by the <command>wg genpsk</command> command. This option adds an
            additional layer of symmetric-key cryptography to be mixed into the
            already existing public-key cryptography, for post-quantum
-            resistance.</para>
+            resistance.
+            Note that because this information is secret, you may want to set
+            the permissions of the .netdev file to be owned by <literal>root:systemd-networkd</literal>
+            with a <literal>0640</literal> file mode.</para>
        </listitem>
      </varlistentry>
      <varlistentry>