On 13 August 2013 11:51, Steve Snyder swsnyder@snydernet.net wrote:
> Well, any VM host can mount and read an unencrypted disk image.
> I guess the difference is ease of snooping. While access to disk contents and process info can be gotten by any hypervisor, some platforms make it easier than others.
Exactly, that's the name of the game here. Let's raise the bar. (Same with censorship bypassing - it's always going to be an arms race.)
What one person I respect does is:
> In my case, I keep all the keys and [other sensitive data] on a partition that's created with a random key at boot time. If the machine dies, the keys and messages are lost but, such is the reliability of Debian, this hasn't happened yet. I probably reboot about once a year on average and have to remember to take copies of these files prior to doing it.
So the hypervisor can, as always, look into the memory* of the running guest and get that data, but if they shut down the node or machine unexpectedly, you gain a little bit more security.
All that said... Tor nodes don't store state. You aren't keeping people's email, or even a pool of data for a couple of hours. So this level of security for a tor exit node is nice, but IMO you shouldn't _not_ do an exit node because you aren't ready to set up a complicated encrypted filesystem just yet.
-tom
* Steve Weis is a cryptographer who's working on a (commercial) product that encrypts memory. http://privatecore.com/
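As an added example, not from the thread: on Debian the "partition created with a random key at boot" is normally a crypttab(5) entry keyed from /dev/urandom with the `tmp` (or `swap`) option, so the script below parses crypttab-style lines and reports which volumes are ephemeral in that sense and whether they carry the option that makes them usable after each re-key. The sample crypttab, its device names and the UUID placeholder are constructed.

```python
"""Classify crypttab(5) entries: a volume keyed from the kernel RNG is recreated
with a fresh key every boot, so its contents are unrecoverable after power-off."""
from typing import Dict, List, Set

# Constructed sample, not a real system's crypttab. Fields: target, source,
# key file, options (see crypttab(5)).
SAMPLE_CRYPTTAB = """\
# <target>   <source>              <key file>    <options>
sda2_crypt   UUID=PLACEHOLDER-UUID none          luks
torkeys      /dev/sdb1             /dev/urandom  tmp=ext4,cipher=aes-xts-plain64,size=256
swap         /dev/sdb2             /dev/urandom  swap,cipher=aes-xts-plain64
broken       /dev/sdb3             /dev/urandom  cipher=aes-xts-plain64
"""

RANDOM_KEY_SOURCES = {"/dev/urandom", "/dev/random"}


def parse_crypttab(text: str) -> List[Dict[str, object]]:
    """Return one dict per non-comment line with target, source, keyfile, options."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or malformed; crypttab needs at least target and source
        options: Set[str] = set(fields[3].split(",")) if len(fields) > 3 else set()
        entries.append({"target": fields[0], "source": fields[1],
                        "keyfile": fields[2] if len(fields) > 2 else "none",
                        "options": options})
    return entries


def is_ephemeral(entry: Dict[str, object]) -> bool:
    """Key read from the kernel RNG at boot: never stored, lost on shutdown."""
    return entry["keyfile"] in RANDOM_KEY_SOURCES


def has_fresh_fs_option(entry: Dict[str, object]) -> bool:
    """Debian's 'tmp[=fstype]' or 'swap' option (re)formats the volume after each
    re-key; without it a random-key volume comes up as unusable garbage."""
    return any(o == "tmp" or o.startswith("tmp=") or o == "swap"
               for o in entry["options"])


def classify(text: str) -> Dict[str, str]:
    """Map target -> 'persistent-key', 'ephemeral', or 'ephemeral-missing-tmp'."""
    result = {}
    for e in parse_crypttab(text):
        if not is_ephemeral(e):
            result[e["target"]] = "persistent-key"
        else:
            result[e["target"]] = "ephemeral" if has_fresh_fs_option(e) else "ephemeral-missing-tmp"
    return result
```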