Decommissioning a FallbackDir node (punki)
Hi there, sadly after almost 6 years of good and honest service, our exit node punki[1] will be turned off. The provider is powering off the infrastructure where it is hosted, and has offered no viable alternative. We are writing this email in advance, since the node is in the FallbackDir list and embedded in Tor. The cluster will be powered off on 25th November. punki E43244684E0C924EC082B8ECC735FAF2F8CF1C45 Cheers Giulio [1] - https://metrics.torproject.org/rs.html#details/E43244684E0C924EC082B8ECC735F...
On Thursday, 3 October 2024 18:59 Osservatorio Nessuno via tor-relays wrote:
We are writing this email in advance, since the node is in the FallbackDir list and embedded in Tor. The cluster will be powered off on 25th November.
FallbackDir have been selected 'automatically' for some time now and 'punki' is then delisted when offline. But: FallbackDir can also move to another provider/host. Simply copy the Tor keys of the instance to the new host. I've done that several times. -- ╰_╯ Ciao Marco! Debian GNU/Linux It's free software and it gives you freedom!
Yes, you can do this, you need to back up the following two files:
secret_id_key ed25519_master_id_secret_key
But the problem I think is that while you can move your node, the old IP and port is still hardcoded into the Tor codebase. -GH On Thursday, October 3rd, 2024 at 9:24 PM, boldsuck via tor-relays <tor-relays@lists.torproject.org> wrote:
On Thursday, 3 October 2024 18:59 Osservatorio Nessuno via tor-relays wrote:
We are writing this email in advance, since the node is in the FallbackDir list and embedded in Tor. The cluster will be powered off on 25th November.
FallbackDir have been selected 'automatically' for some time now and 'punki' is then delisted when offline.
But: FallbackDir can also move to another provider/host. Simply copy the Tor keys of the instance to the new host. I've done that several times.
-- ╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hi, thanks both for your input. On 03/10/2024 21:24, boldsuck via tor-relays wrote:
But: FallbackDir can also move to another provider/host. Simply copy the Tor keys of the instance to the new host. I've done that several times.
While we could, I would think it is not a great security practice migrate keys that were on an old, non updated provider cluster when building a new node elsewhere. That would double the risk of someone else having the secret keys (old provider, new provider instead of just the new provider). Giulio
No problem. You should default to full disk / partition encryption. The ArchLinux Wiki has (as usual) a great article on this: https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encrypting_devic... Also make sure to not use the standard hash library (SHA256) but SHA512 instead, and also use argon2id as PBKDF as it's slower and thus harder to brute-force your boot password. This way your new provider will not be able to obtain your new keys. Also, even if the old provider did indeed dump your HDD a while ago, the first / "real" relay to boot up with one descriptor / secret_key gets favored, the other / "fake" I believe I read a while back will not be allowed on to the network, but take this with a grain of salt. -GH On Friday, October 4th, 2024 at 11:51 PM, Osservatorio Nessuno via tor-relays <tor-relays@lists.torproject.org> wrote:
Hi, thanks both for your input.
On 03/10/2024 21:24, boldsuck via tor-relays wrote:
But: FallbackDir can also move to another provider/host. Simply copy the Tor keys of the instance to the new host. I've done that several times.
While we could, I would think it is not a great security practice migrate keys that were on an old, non updated provider cluster when building a new node elsewhere. That would double the risk of someone else having the secret keys (old provider, new provider instead of just the new provider).
Giulio _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Saturday, 5 October 2024 00:40 George Hartley via tor-relays wrote:
You should default to full disk / partition encryption.
Apart from that FDE is _not_ recommended, especially for Tor exits. What is the point of a 24/7/365 running cloud or KVM server that the admins can copy at any time? If you want to secure Cloud or KVM Tor server, you can use offline ed25519 identity keys.
On Friday, October 4th, 2024 at 11:51 PM, Osservatorio Nessuno via tor- relays <tor-relays@lists.torproject.org> wrote:
While we could, I would think it is not a great security practice migrate keys that were on an old, non updated provider cluster when building a new node elsewhere. That would double the risk of someone else having the secret keys (old provider, new provider instead of just the new provider).
You are absolutely right. I didn't even think about it because I almost only have dedicated servers. You will soon have it even better with the Rack @home. :-) When you have everything ready, I would be happy to see server/rack pictures and which CPUs you are using. -- ╰_╯ Ciao Marco! Debian GNU/Linux It's free software and it gives you freedom!
I bought my physical own server, and colocated it in a room in a datacenter I have 24/7 access to. Also, I was not talking about KVM at any time? Maybe read my e-mail before replying, please. FDE on exits ON KVM's is discouraged because if the host has to reboot, your VM will be stuck at boot. However, most big organization running Tor nodes have either their own colocated servers like me (except I am not a big contributor) or dedicated servers giving you more options. I even have an intrusion (case-opening) sensor on my server which wipes RAM and kills power once activated. -GH On Sunday, October 6th, 2024 at 7:35 PM, boldsuck via tor-relays <tor-relays@lists.torproject.org> wrote:
On Saturday, 5 October 2024 00:40 George Hartley via tor-relays wrote:
You should default to full disk / partition encryption.
Apart from that FDE is not recommended, especially for Tor exits. What is the point of a 24/7/365 running cloud or KVM server that the admins can copy at any time? If you want to secure Cloud or KVM Tor server, you can use offline ed25519 identity keys.
On Friday, October 4th, 2024 at 11:51 PM, Osservatorio Nessuno via tor-
relays tor-relays@lists.torproject.org wrote:
While we could, I would think it is not a great security practice migrate keys that were on an old, non updated provider cluster when building a new node elsewhere. That would double the risk of someone else having the secret keys (old provider, new provider instead of just the new provider).
You are absolutely right. I didn't even think about it because I almost only have dedicated servers. You will soon have it even better with the Rack @home. :-) When you have everything ready, I would be happy to see server/rack pictures and which CPUs you are using.
-- ╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
participants (3)
-
boldsuck -
George Hartley -
Osservatorio Nessuno