diff --git a/cmd/derper/derper.go b/cmd/derper/derper.go
index 7fcaf5923..4fd6a0dbd 100644
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -31,7 +31,6 @@ import (
 	"tailscale.com/net/stun"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
-	"tailscale.com/types/wgkey"
 )
 
 var (
@@ -70,12 +69,12 @@ func init() {
 }
 
 type config struct {
-	PrivateKey wgkey.Private
+	PrivateKey key.NodePrivate
 }
 
 func loadConfig() config {
 	if *dev {
-		return config{PrivateKey: mustNewKey()}
+		return config{PrivateKey: key.NewNode()}
 	}
 	if *configPath == "" {
 		if os.Getuid() == 0 {
@@ -101,21 +100,13 @@ func loadConfig() config {
 	}
 }
 
-func mustNewKey() wgkey.Private {
-	key, err := wgkey.NewPrivate()
-	if err != nil {
-		log.Fatal(err)
-	}
-	return key
-}
-
 func writeNewConfig() config {
-	key := mustNewKey()
+	k := key.NewNode()
 	if err := os.MkdirAll(filepath.Dir(*configPath), 0777); err != nil {
 		log.Fatal(err)
 	}
 	cfg := config{
-		PrivateKey: key,
+		PrivateKey: k,
 	}
 	b, err := json.MarshalIndent(cfg, "", "\t")
 	if err != nil {
@@ -152,7 +143,7 @@ func main() {
 
 	serveTLS := tsweb.IsProd443(*addr)
 
-	s := derp.NewServer(key.Private(cfg.PrivateKey), log.Printf)
+	s := derp.NewServer(cfg.PrivateKey.AsPrivate(), log.Printf)
 	s.SetVerifyClient(*verifyClients)
 
 	if *meshPSKFile != "" {