New WireGuard private key begins 'WEAK' - is this a warning?

Question

I generated a WireGuard key in a virtual machine using the standard procedure wg genkey | tee privatekey | wg pubkey > publickey. The VM is running via KVM with virtio RNG backed by /dev/urandom.

The private key that was generated looks like this:

WEAKqv5b*****************************SS5w2M= (Asterisks added by me, the censored characters look like normal randomness)

Is there a special meaning to a key that begins WEAK? Or is this just a case of humans finding patterns in randomness?

I generated a new key out an abundance of caution, and it does not exhibit this pattern.

I'd say you had 1/2^21 chance of generating a key starting with `WEAK`. — A.B, Jan 15 '22 at 13:34

score 3 · Answer 1 · answered Jan 21 '22 at 04:46

That's a funny coincidence, but WireGuard isn't trying to tell you anything -- it just reads 32 bytes from /dev/urandom, and uses whatever comes out as the key (after a tiny bit manipulation to make it ready for Curve25519). In this case, the first 3 bytes, when base64 encoded, happened to spell WEAK.

New WireGuard private key begins 'WEAK' - is this a warning?

1 Answers1