On 15/05/2017 12:21, aeris wrote:
Private keys are on an encrypted volume and may be protected
On 21/05/2017 10:02, Roger Dingledine wrote:
On Sun, May 21, 2017 at 09:12:39AM +0200, Petrusko wrote:
@aeris, do they ask you to decrypt the volume? (good luck to you...) What can be the best? Decrypt the relay to help police when asked, when this relay is only a relay and storing nothing else?
That's actually why the torservers.net people suggest *not* using disk encryption. Having no barriers makes it much easier for the police to realize that there's nothing useful to them. See also point two of
https://blog.torproject.org/blog/trip-report-tor-trainings-dutch-and-belgian...
From the Tor Exit Guidelines:
«Disk encryption might be useful to protect your node keys, but on the other hand unencrypted machines are easier to "audit" if required. We feel it's best to be able to easily show that you do Tor exiting, and nothing else (on that IP or server).» https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines
I was wondering if the argument about not encrypting the disk applies just to full-disk encryption or if it is applicable also to the case of encrypting just the DataDir on a fairly small file-based volume (say 100MB).
In the second case, how big can the DataDir get?
Cristian
Is there a clear threat model justifying use of disk encryption here? The decryption keys sit in system memory so an adversary with physical access will surely win. I just don't see the point.
Also I do not have a sense for how big the data directory can get... so I'm not actually trying here to be helpful in the way you requested.
Cheers, David
On Mon, May 29, 2017 at 08:07:53PM +0200, Cristian Consonni wrote:
I was wondering if the argument about not encrypting the disk applies just to full-disk encryption or if it is applicable also to the case of encrypting just the DataDir on a fairly small file-based volume (say 100MB).
In the second case, how big can the DataDir get?
Cristian
I just checked a handful of relays that have been running for months or years, and the DataDir ranged in size from 60 to 90 MB. They're all running Debian or Ubuntu.
I also don't understand the point of encrypting this directory.
On 30.05.2017 20:30, tor wrote:
I also don't understand the point of encrypting this directory.
Me neither.
If the machine is running, the content is always unencrypted.
On 30 May 2017, at 04:07, Cristian Consonni cristian@balist.es wrote:
I was wondering if the argument about not encrypting the disk applies just to full-disk encryption or if it is applicable also to the case of encrypting just the DataDir on a fairly small file-based volume (say 100MB).
In the second case, how big can the DataDir get?
On a relay, the most sensitive content is in DataDir/keys. You could encrypt that if you want to protect your keys when your relay is powered off.
Or you could use OfflineMasterKey for the ed25519 keys, which is even safer. (But doesn't do anything for the RSA keys.)
I wouldn't bother encrypting the entire DataDir, it contains consensuses and descriptors, and (as of 0.3.1) will contain consensus diffs and compressed consensuses, so it will get a bit larger.
The most sensitive part is probably the state file, but a relay's guards are not that sensitive.
T -- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
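To make teor's distinction concrete, here is an added example (not code from this thread or from the Tor project) that audits a relay's DataDirectory: it reports how many kilobytes sit in keys/, in the state file and in the public cache, and flags any secret key under keys/ that is readable by group or other. The classification rules, the GNU coreutils/findutils calls (du -sk, find -perm /mode) and the default path /var/lib/tor are this example's assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or from the Tor project): audit a
# relay's DataDirectory to see how much of it is secret key material versus
# public directory cache, and flag secret key files that are readable by
# anyone other than their owner. Assumes GNU coreutils/findutils on Linux
# (du -sk, find -perm /mode) and the file names Tor writes under DataDir.
set -eu

# Classify a path relative to DataDir. Heuristic used by this example:
# everything under keys/ is secret except the public halves and certs;
# "state" holds the relay's guard choices and timestamps (semi-sensitive);
# anything else (cached-consensus, cached-microdescs, diff-cache, ...) is
# public data that any client can download from the directory authorities.
classify() {
    case $1 in
        keys/*public*|keys/*cert*) echo public ;;
        keys/*)                    echo secret ;;
        state)                     echo state ;;
        *)                         echo cache ;;
    esac
}

# Kilobytes used by a path, 0 if it does not exist.
kb_of() {
    if [ -e "$1" ]; then du -sk "$1" | cut -f1; else echo 0; fi
}

# Print "keys KB", "state KB", "cache KB" for a DataDir: the first two are
# what you might put on an encrypted volume, the third is what makes the
# directory large (60-90 MB on the relays checked in this thread).
datadir_size_report() {
    total=$(kb_of "$1"); keys=$(kb_of "$1/keys"); state=$(kb_of "$1/state")
    printf 'keys %s\nstate %s\ncache %s\n' "$keys" "$state" "$((total - keys - state))"
}

# List secret key files under keys/ whose mode grants any group/other
# permission. Tor creates them 0600 inside a 0700 directory; anything
# looser is usually the result of a hand-done copy or restore.
loose_secrets() {
    [ -d "$1/keys" ] || return 0
    find "$1/keys" -type f -perm /077 | sort | while read -r f; do
        rel=${f#"$1/"}
        if [ "$(classify "$rel")" = secret ]; then echo "$rel"; fi
    done
}

main() {
    dir=${1:-/var/lib/tor}
    if [ ! -d "$dir" ]; then echo "skipping: $dir does not exist" >&2; return 0; fi
    datadir_size_report "$dir"
    loose=$(loose_secrets "$dir")
    if [ -n "$loose" ]; then
        echo "WARNING: secret keys readable by group/other:" >&2
        echo "$loose" >&2
    fi
}

main "$@"
```

Run it as the tor user or as root (DataDir is 0700) with the DataDirectory as the first argument. On a relay the cache line is the part that grows over time; keys and state together are a few tens of kilobytes, which is why a small file-based volume for keys/ alone is enough if you want one at all.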
Hi,
thanks everybody for your replies.
On 30/05/2017 15:52, dawuud wrote:
Is there a clear threat model justifying use of disk encryption here? The decryption keys sit in system memory so an adversary with physical access will surely win. I just don't see the point.
On 30/05/2017 20:30, tor wrote:
I also don't understand the point of encrypting this directory.
On 30/05/2017 20:40, diffusae wrote:
Me neither.
If the machine is running, the content is always unencrypted.
On 31/05/2017 02:41, teor wrote:
On a relay, the most sensitive content is in DataDir/keys. You could encrypt that if you want to protect your keys when your relay is powered off.
I was asking mostly out of curiosity. I do not have a specific threat in mind, but I was following the scenario "node is seized", as has recently happened to some relays and was announced on this list[1a][1b].
My relays are running as VPSes on a third-party provider, so - yeah - they are exposed to attacks from the providers themselves. But I have to trust them in any case, anyhow, don't I?
I understand that what I am getting is very limited. It basically works if the provider decides to shut down the machine or I am able to shut down the machine before it is seized/analysed.
And again, if I know (i.e. I am notified) that the machine is seized, whether it is running or not I can always write here to ask that node to be cut out of the network.
So, the difference is that *if* the machine is shut down before it is inspected then I just have a little more time to ask for the node to be removed. Is this correct?
In the end, probably this is quite some hassle for very little gain.
On 31/05/2017 02:41, teor wrote:
Or you could use OfflineMasterKey for the ed25519 keys, which is even safer. (But doesn't do anything for the RSA keys.)
I will probably set up the OfflineMasterKey (I still have a couple of questions, see the other thread).
On 31/05/2017 02:41, teor wrote:
I wouldn't bother encrypting the entire DataDir, it contains consensuses and descriptors, and (as of 0.3.1) will contain consensus diffs and compressed consensuses, so it will get a bit larger.
The most sensitive part is probably the state file, but a relay's guards are not that sensitive.
Encrypting the whole DataDir seemed to me the only viable configuration given that in torrc you can only specify where the DataDir is.
Cristian
[1a]: https://lists.torproject.org/pipermail/tor-relays/2017-May/012281.html
[1b]: https://lists.torproject.org/pipermail/tor-relays/2017-May/012406.html
On 31 May 2017, at 21:36, Cristian Consonni cristian@balist.es wrote:
Encrypting the whole DataDir seemed to me the only viable configuration given that in torrc you can only specify where the DataDir is.
If you're using a Unix-based OS, you can encrypt any path:
1. prepare encrypted partition
2. copy keys to encrypted partition
3. make a backup of keys
4. remove contents of keys
5. umount <encrypted partition>
6. mount <encrypted partition> /var/lib/tor/keys
T -- Tim Wilson-Brown (teor)
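The six steps above, carried out with a LUKS container on Linux, as an added example that is not teor's code or the Tor project's. Everything configurable is this example's assumption: the Debian defaults /var/lib/tor/keys, the debian-tor user and the tor systemd service, a file-backed container at /var/lib/tor-keys.img, the staging mount point /mnt/tor-keys-stage and the backup path /root/tor-keys-backup.tar. With DRY_RUN=1 (the default) the script only prints the commands it would run; DRY_RUN=0 as root runs them, and cryptsetup prompts for the passphrase.

```shell
#!/bin/sh
# Added example, not teor's code or the Tor project's: the six steps above
# done with a LUKS container on Linux. Paths, the debian-tor user and the
# systemctl service name are this example's assumptions (Debian defaults).
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 runs them,
# as root, and cryptsetup will prompt for the passphrase interactively.
set -eu

KEYS_DIR=${KEYS_DIR:-/var/lib/tor/keys}        # what "keys" means here
IMAGE=${IMAGE:-/var/lib/tor-keys.img}          # file-backed LUKS container
MAPPER=${MAPPER:-tor-keys}                     # appears as /dev/mapper/tor-keys
SIZE_MB=${SIZE_MB:-16}                         # keys/ is a few KB; 16 MB is plenty
STAGE=${STAGE:-/mnt/tor-keys-stage}            # temporary mount point for step 2
BACKUP=${BACKUP:-/root/tor-keys-backup.tar}    # step 3; move it off the box
TOR_USER=${TOR_USER:-debian-tor}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Step 1: prepare the encrypted "partition" (an image file that cryptsetup
# attaches to a loop device by itself).
prepare_volume() {
    run dd if=/dev/zero of="$IMAGE" bs=1M count="$SIZE_MB"
    run chmod 0600 "$IMAGE"
    run cryptsetup luksFormat "$IMAGE"
    run cryptsetup open "$IMAGE" "$MAPPER"
    run mkfs.ext4 -q "/dev/mapper/$MAPPER"
}

# Steps 2-6. Mounting the volume *over* the original keys path at the end
# means torrc and DataDirectory stay exactly as they were.
migrate_keys() {
    run mkdir -p "$STAGE"
    run mount "/dev/mapper/$MAPPER" "$STAGE"
    run cp -a "$KEYS_DIR/." "$STAGE/"               # 2: copy keys in
    run tar -cf "$BACKUP" -C "$KEYS_DIR" .          # 3: backup
    run chmod 0600 "$BACKUP"
    run find "$KEYS_DIR" -mindepth 1 -delete        # 4: remove plaintext copy
    run umount "$STAGE"                             # 5: umount
    run rmdir "$STAGE"
    run mount "/dev/mapper/$MAPPER" "$KEYS_DIR"     # 6: mount at keys path
    run chown -R "$TOR_USER:$TOR_USER" "$KEYS_DIR"  # fresh ext4 root is root:root 0755
    run chmod 0700 "$KEYS_DIR"                      # tor expects keys/ to be private
}

main() {
    if [ "$DRY_RUN" != 1 ]; then
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
        [ -d "$KEYS_DIR" ] || { echo "no such directory: $KEYS_DIR" >&2; return 1; }
    fi
    run systemctl stop tor      # never swap keys under a running tor
    prepare_volume
    migrate_keys
    run systemctl start tor
}

main
```

Three caveats a practitioner will care about. Step 4 only unlinks the files: their blocks stay in the free space of the unencrypted disk until overwritten, so this protects keys written from now on, not the copies forensics can still carve out (rotating to new keys on the encrypted volume means a new relay identity). After a reboot nothing mounts the volume until someone enters the passphrase; if tor starts first it finds an empty keys/ and generates a brand-new identity, so do not let tor start at boot ahead of the mount. And the step 3 tarball is plaintext on the same disk; move it to encrypted media off the box.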