[tor-bugs] #28000 [Core Tor/Tor]: Add support for performing signing operations using ssh-agent

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Oct 11 08:45:27 UTC 2018


#28000: Add support for performing signing operations using ssh-agent
--------------------+------------------------------
 Reporter:  ln5     |          Owner:  ln5
     Type:  task    |         Status:  assigned
 Priority:  Medium  |      Component:  Core Tor/Tor
  Version:          |       Severity:  Normal
 Keywords:          |  Actual Points:
Parent ID:          |         Points:
 Reviewer:          |        Sponsor:
--------------------+------------------------------
 It would be nice if private keys on disk could be protected better. One
 way of doing this is to add support in tor for communicating with
 ssh-agent for signing operations instead of accessing the secret key
 itself by reading it from an unencrypted file stored on disk.

 From the operator's perspective, this would require i) running ssh-agent
 and ii) adding key(s) to the agent before starting tor.

 ssh-agent binds to a UNIX domain socket which tor would open and
 communicate over using the protocol specified in
 https://tools.ietf.org/html/draft-miller-ssh-agent-02.

 I propose that configuration options are added for relevant keys and that
 the format include a type field specifying how to access the key. The type
 field would be separated from the rest of the option value by `:`. The two
 defined options would be `file` and `ssh-agent`. File type keys would have
 a path specification and ssh-agent keys would have a public key in Base64
 (and an optional `PKCS #11` provider name, if that proves necessary to
 accommodate multiple simultaneous HSM devices). A key not mentioned in the
 configuration simply defaults to current tor behaviour (implying `file`
 type) for backward compatibility.

 It should be noted that an operator who is able to put secret keys on an
 encrypted volume, mounted at system startup, achieves a similar
 protection. An upside of the proposed approach is that keys can be moved
 to an external device (often called an HSM) that has a `PKCS #11`
 provider.

 Another way of achieving the single goal of encrypting keys on disk would
 be to allow for encrypted keys (presumably by storing them in `PKCS #8`
 format instead of `PKCS #1`) and somehow make tor read pass phrase(s) from
 somewhere when starting up.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28000>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
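The ticket above describes two things a client would have to implement: the `type:value` key option (`file:<path>` or `ssh-agent:<base64 public key>`) and the ssh-agent wire protocol spoken over the agent's UNIX domain socket. The following is an added example written for this page; it is not Tor code and not part of the ticket. It frames an `SSH_AGENTC_SIGN_REQUEST` for a configured key, parses the `SSH_AGENT_SIGN_RESPONSE` (and the identities listing an operator would use to check that `ssh-add` loaded the key), and parses the proposed option syntax. The message numbers are those from draft-miller-ssh-agent-02; the rule that an option without a type prefix is treated as a file path, and the helper names, are assumptions of this example.

```python
"""Minimal ssh-agent protocol client (draft-miller-ssh-agent-02), added example.

Not Tor code: demonstrates the 'type:value' key option from the ticket and the
agent framing needed to ask a running ssh-agent for a signature.
"""
import base64
import os
import socket
import struct

# Message numbers from draft-miller-ssh-agent-02, section 5.3.
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    """Read one SSH 'string' at offset, bounds-checked so a truncated or
    malicious agent reply cannot make us over-read. Returns (value, new_off)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def frame(msg_type: int, payload: bytes = b"") -> bytes:
    """An agent message is itself a 'string' whose first byte is the type."""
    return put_string(bytes([msg_type]) + payload)


def ed25519_pubkey_blob(raw32: bytes) -> bytes:
    """SSH public key blob for ed25519: string "ssh-ed25519", string key."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return put_string(b"ssh-ed25519") + put_string(raw32)


def parse_key_option(value: str):
    """Parse 'file:<path>' or 'ssh-agent:<base64 pubkey blob>' (ticket syntax).
    Assumption of this example: no type prefix means a plain file path."""
    kind, sep, rest = value.partition(":")
    if not sep:
        return ("file", value)
    if kind == "file":
        return ("file", rest)
    if kind == "ssh-agent":
        return ("ssh-agent", base64.b64decode(rest, validate=True))
    raise ValueError("unknown key type %r" % kind)


def build_sign_request(pubkey_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """SSH_AGENTC_SIGN_REQUEST: string key blob, string data, uint32 flags.
    flags is 0 for ed25519; the SHA-2 flags (2, 4) are only meaningful for ssh-rsa."""
    body = put_string(pubkey_blob) + put_string(data) + struct.pack(">I", flags)
    return frame(SSH_AGENTC_SIGN_REQUEST, body)


def parse_sign_response(msg: bytes):
    """Return (algorithm, raw signature) from a framed SSH_AGENT_SIGN_RESPONSE."""
    body, off = get_string(msg, 0)
    if off != len(msg) or not body:
        raise ValueError("malformed agent message")
    if body[0] == SSH_AGENT_FAILURE:
        raise RuntimeError("agent refused the request (key not loaded or agent locked?)")
    if body[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("unexpected message type %d" % body[0])
    sig, off = get_string(body, 1)
    if off != len(body):
        raise ValueError("trailing bytes after signature")
    # The signature is an SSH signature blob: string algorithm, string bytes.
    alg, off = get_string(sig, 0)
    raw, off = get_string(sig, off)
    if off != len(sig):
        raise ValueError("trailing bytes inside signature blob")
    return alg.decode("ascii"), raw


def parse_identities_answer(msg: bytes):
    """Return [(key blob, comment), ...] from a framed SSH_AGENT_IDENTITIES_ANSWER,
    so a client can verify the configured key is actually loaded in the agent."""
    body, off = get_string(msg, 0)
    if off != len(msg) or len(body) < 5 or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack(">I", body[1:5])
    keys, off = [], 5
    for _ in range(count):
        blob, off = get_string(body, off)
        comment, off = get_string(body, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys


def agent_roundtrip(request: bytes, sock_path=None) -> bytes:
    """Send one framed request to the agent at $SSH_AUTH_SOCK, return one framed reply."""
    path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(request)
        head = s.recv(4, socket.MSG_WAITALL)
        (n,) = struct.unpack(">I", head)
        return head + s.recv(n, socket.MSG_WAITALL)
```

Against a live agent the flow is `pub = parse_key_option(option)[1]`, then `parse_sign_response(agent_roundtrip(build_sign_request(pub, data)))`; `parse_identities_answer(agent_roundtrip(frame(SSH_AGENTC_REQUEST_IDENTITIES)))` lists what `ssh-add` loaded. Every length field is checked before use because the agent socket is an untrusted input from the client's point of view.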