Re: [tor-relays] Disk encryption for relays [was: FreeBSD 11.1 ZFS Tor Image]

3 Mar 2018


      Roger Dingledine:
...
Capturing the on-disk keys from a relay will let them impersonate the
relay in the future
To limit possibility to impersonate a relay in the future, operators can run in OfflineMasterKey mode
with a short SigningKeyLifetime (i.e. 5 days) and push key material via SSH to the relay. 
This will limit the ability of an attacker to impersonate the relays to 5 days in the worst case,
iff the attacker does not also compromise the host storing the Ed25519 master keys.
And if you actually want to do it: ansible-relayor does it by default (with 30 days SigningKeyLifetime).
-- 
https://mastodon.social/@nusenu
twitter: @nusenu_

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Re: [tor-relays] Disk encryption for relays [was: FreeBSD 11.1 ZFS Tor Image]