On 10 Nov 2015, at 14:03, Sean Greenslade sean@seangreenslade.com wrote:
On Tue, Nov 10, 2015 at 12:40:19AM +0000, Tim Sammut wrote:
I meant is it possible for a relay operator to detect if a snapshot of a running VM or VPS has been taken? Asked slightly differently, if I have a relay running as a VPS or VM, can I somehow detect if my provider took a snapshot of the relay without informing me?
Probably not. With most VM solutions, storage is pretty well abstracted from the virtual guests. I know that with Xen and OpenVZ, the typical way storage is provided (loopbacks) gives no way for the guest to see what the hypervisor is doing to the data. Furthermore, if the data is on a SAN, there's even more ways that the data can be snooped at without informing the guest of such activities.
You could use an encrypted disk partition for key storage, but that only protects the keys "at rest", and not in memory.
There is also ongoing development work on offline ed25519 master identity keys. The master key need never be stored on the server itself. Instead, it is used to certify a number of medium-term signing keys, and those keys are then sent to the server. An operator can limit the scope of compromise to the number of signing keys on the server.
An operator can transmit the next signing key just before the previous one expires, limiting the scope of compromise to a single signing key.
There is also work on key revocation, where a key can be cancelled in the event of compromise.
See https://trac.torproject.org/projects/tor/ticket/13642 https://trac.torproject.org/projects/tor/ticket/13642 for more details.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F