
On 11/19/2015 12:19 AM, nusenu wrote:
> background: I might want to integrate offline master key functionality into ansible-relayor [1].
> I added (preliminary) OfflineMasterKey support to ansible-relayor [1] - in fact it will become the only option eventually, as it makes many things actually simpler. It would be great if someone could take a look and let me know whether it looks reasonable.
> The security-critical parts are probably
> - key generation [2]
> - copying of key material to the relay [3]
> I copy/expose the following files to the relay:
> [ 'ed25519_master_id_public_key', 'ed25519_signing_cert', 'ed25519_signing_secret_key', 'secret_id_key', 'secret_onion_key', 'secret_onion_key_ntor']
When first setting up (new relay) or restoring the relay, yes. But when only renewing the ed25519 medium-term signing key (if ansible-relayor will support this), you only need to copy/expose the following files to the relay: ed25519_signing_cert, ed25519_signing_secret_key

If you also move secret_onion_key and secret_onion_key_ntor, it could mess up Tor's internal automated key rotation, and the descriptors available to clients might become invalid, making it impossible for clients to extend circuits through this relay. That's why Tor keeps a .old version of these keys when rotating, so clients with older descriptors won't experience circuit failures when using this relay.

To detect this, either the user lets ansible-relayor know whether he is setting up a new relay / restoring a relay or just renewing the ed25519 keys for a running relay, or it reads Tor's $datadirectory/keys folder and, if secret_id_key exists, assumes the latter.
[1] https://github.com/nusenu/ansible-relayor/commit/2c4040df7848f382ced02b43f35...
[2] https://github.com/nusenu/ansible-relayor/blob/2c4040df7848f382ced02b43f35ca...
[3] https://github.com/nusenu/ansible-relayor/blob/2c4040df7848f382ced02b43f35ca...
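As an added illustration (not code from ansible-relayor or from either poster), the file-selection rule and the secret_id_key check from the reply above, in Python. Function and constant names are my own; listing the relay's $DataDirectory/keys directory is left to the caller, which passes the names it found.

```python
"""Pick which Tor key files to push to a relay: the full set for a new or
restored relay, only the signing cert and signing secret key when renewing
the ed25519 medium-term key on a running relay (hypothetical helper names)."""
from typing import Iterable, Optional, Sequence, Tuple

# Full set copied to a new or restored relay (the list from the thread).
FULL_KEY_SET: Tuple[str, ...] = (
    "ed25519_master_id_public_key",
    "ed25519_signing_cert",
    "ed25519_signing_secret_key",
    "secret_id_key",
    "secret_onion_key",
    "secret_onion_key_ntor",
)
# The only files that change when the medium-term signing key is renewed.
RENEW_KEY_SET: Tuple[str, ...] = ("ed25519_signing_cert", "ed25519_signing_secret_key")
# Keys Tor rotates on its own (keeping a .old copy for clients holding older
# descriptors); overwriting them on a live relay breaks circuit extension.
ROTATED_BY_TOR = frozenset({"secret_onion_key", "secret_onion_key_ntor"})


def detect_mode(existing: Iterable[str], declared: Optional[str] = None) -> str:
    """Return 'new' or 'renew'. An explicit operator choice wins; otherwise an
    existing secret_id_key means the relay already has an identity."""
    if declared is not None:
        if declared not in ("new", "renew"):
            raise ValueError("mode must be 'new' or 'renew', got %r" % (declared,))
        return declared
    return "renew" if "secret_id_key" in set(existing) else "new"


def is_safe_plan(mode: str, files: Iterable[str]) -> bool:
    """A renew run must never touch the onion keys Tor rotates itself, and no
    run may push files outside the known key set."""
    wanted = set(files)
    if not wanted <= set(FULL_KEY_SET):
        return False
    return mode == "new" or not (wanted & ROTATED_BY_TOR)


def files_to_copy(mode: str, requested: Optional[Sequence[str]] = None) -> Tuple[str, ...]:
    """Files to copy for this run; `requested` is an optional operator override."""
    if mode not in ("new", "renew"):
        raise ValueError("unknown mode %r" % (mode,))
    selected = tuple(requested) if requested is not None else (
        FULL_KEY_SET if mode == "new" else RENEW_KEY_SET)
    if not is_safe_plan(mode, selected):
        raise RuntimeError("unsafe copy plan for mode %r: %r" % (mode, selected))
    return selected
```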