[14:15] <ahasenack> I see 4 advantages to using a PostUp hook to retrieve the private key
[14:15] <ahasenack> a) no secrets in a config file, so less accidental leakage when pasting that in a forum
[14:15] <ahasenack> b) you can now store the config file in version control
[14:16] <ahasenack> c) you can encrypt the private key if you want, at the expense of having to type the password when bringing the interface up
[14:16] <ahasenack> d) you can finally give a meaningful name to that base64 encoded string: just name the file according to its intention (the peer)
[14:17] <ahasenack> all in favor?
[14:17] <ahasenack> initially I thought about showing this in a separate section, like "Tips", or "Security tips"
[14:18] <ahasenack> but I'm now thinking about flipping the guide to default to using this PostUp hook for the private key
[14:18] <ahasenack> perhaps just leave a note saying that you can also store the private key as is in the config, if you want
[14:18] <ahasenack> does it add too much complexity to someone who "just" wants to get wireguard up and running?
[14:18] <sdeziel> ahasenack: in d), "naming the file according to its intention (the peer)" can be confusing, as here peer means the local machine (as in "us")
[14:19] <ahasenack> ah, yeah, it's us
[14:19] <sdeziel> aside from that small nit, I'm in favor ;)
[14:19] <ahasenack> so less so an advantage, but still good
[14:20] <sdeziel> for a), there is still the risk of having PresharedKey but those are optional to begin with
[14:20] <ahasenack> yeah, I didn't mention psk in the guide, unsure if I will
[14:20] <ahasenack> perhaps as a note
[14:20] <sdeziel> sounds fair to me
[14:21] <ahasenack> hm, splitting the key out of the config will probably break that app that generates a qr code for the mobile config
[14:21] <sdeziel> good point :/