On 03/03/2018 04:27 AM, Moritz Bartl wrote:
On 03.03.2018 07:11, Roger Dingledine wrote:
Apparently the link from my blog post, to https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines no longer has any mention pro or con disk encryption. I wonder if that was intentionally removed by the torservers.net folks (maybe they have even changed their mind on the advice?), or if it just fell out because it's a wiki.
I added the recommendation for "no disk encryption" back then, and it wasn't me who removed it.
My own opinion has changed slightly: My general advice would still be to not do disk encryption, to reduce the amount of hassle and allow easier 'audits'. For additional protection, you'd better move the relay keys to a RAM disk.
However, in our case, we don't really care how long they keep the machines for analysis, and we do not reuse hardware that was seized (it goes back into the provider pool, so some other customer might be in for a surprise...). In that case, a relay operator may decide to use disk encryption for integrity reasons: They at least have to ask you for the decryption key and cannot silently copy content or easily manipulate the file system.
Personally, I think entire disk encryption just to protect the keys is way too much of a hassle. I completely agree with your solution - place the keys in a ramdisk, that's actually a great idea. I'll put that into what I'm building up right now.
Regards,
Conrad Rockenhaus
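
A check for the RAM-disk approach discussed in this thread, added here as an example and not code from any of the participants: it reads mount-table text in `/proc/mounts` format and reports whether a key directory really sits on a RAM-backed filesystem, which catches a mount that failed at boot and left keys on the underlying disk. The path `/var/lib/tor/keys` and both sample tables are constructed assumptions.

```python
import posixpath
import re

RAM_FS = {"tmpfs", "ramfs"}

# Constructed sample of /proc/mounts; /var/lib/tor/keys is an assumed key path.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
tmpfs /var/lib/tor/keys tmpfs rw,nosuid,nodev,noexec,size=1024k,mode=700 0 0
"""
# Constructed sample of /proc/swaps (the first line is the header).
SAMPLE_SWAPS = "Filename Type Size Used Priority\n/dev/sda2 partition 2097148 0 -2\n"

def parse_mounts(text):
    """Return (mountpoint, fstype) pairs from /proc/mounts-format text."""
    # The kernel writes space, tab, newline and backslash as octal escapes.
    unescape = lambda f: re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), f)
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            out.append((unescape(parts[1]), parts[2]))
    return out

def fs_for_path(path, mounts):
    """Find the mount covering path: longest prefix wins, later entries shadow."""
    # On a live host, resolve symlinks first with os.path.realpath(path).
    path = posixpath.normpath(path)
    best = None
    for mp, fstype in mounts:
        mp = mp.rstrip("/") or "/"
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best[0]):
                best = (mp, fstype)
    return best

def check_key_dir(path, mounts_text, swaps_text=""):
    """Classify where the key directory lives: on-disk, ram, ram-but-swappable."""
    hit = fs_for_path(path, parse_mounts(mounts_text))
    if hit is None or hit[1] not in RAM_FS:
        return "on-disk"
    # tmpfs pages can be written to swap; ramfs pages cannot.
    swap_on = len(swaps_text.strip().splitlines()) > 1
    if hit[1] == "tmpfs" and swap_on:
        return "ram-but-swappable"
    return "ram"

if __name__ == "__main__":
    print(check_key_dir("/var/lib/tor/keys", SAMPLE_MOUNTS, SAMPLE_SWAPS))
```

On a real relay, pass the contents of `/proc/mounts` and `/proc/swaps` in place of the samples.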