A few questions around node-to-node encryption with wireguard

I’m currently evaluating the usage of Wireguard to encrypt node-to-node traffic within my Kubernetes cluster according to Encrypt in-cluster pod traffic. Since we have a lot of internal security requirements, I have to answer a lot of questions. However, I’m struggling to find the information online. A few of those questions are:

  • How does Calico bootstrap Wireguard? By that I mean key generation and so on. Is everything fully automated?
  • How can keys be protected?

Thank you for taking time to answer my questions.