[tor-dev] OfflineMasterKey / ansible-relayor

s7r s7r at sky-ip.org
Thu Nov 19 15:27:28 UTC 2015



On 11/19/2015 12:19 AM, nusenu wrote:
>> background: I might want to integrate offline master key
>> functionality into ansible-relayor [1].
> 
> I added (preliminary) OfflineMasterKey support to ansible-relayor
> [1] - in fact it will become the only option eventually as it makes
> many things actually simpler; it would be great if someone could take
> a look and let me know whether it looks reasonable.
> 
> The security critical parts are probably
> - key generation [2]
> - copying of key material to the relay [3]
> 
> I copy/expose the following files to the relay:
> 
> [ 'ed25519_master_id_public_key', 'ed25519_signing_cert', 
> 'ed25519_signing_secret_key', 'secret_id_key', 'secret_onion_key', 
> 'secret_onion_key_ntor']
> 
> 
When first setting up (new relay) or restoring the relay, yes. But
when only renewing the ed25519 medium term signing key (if
ansible-relayor will support this) you only need to copy/expose the
following files to the relay:

ed25519_signing_cert, ed25519_signing_secret_key

If you also move secret_onion_key and secret_onion_key_ntor, it could
mess up Tor's internal automated key rotation, and the descriptors
available to clients might become invalid, making it impossible for
clients to extend circuits through this relay. That's why Tor keeps a
.old version of these keys when rotating, so clients with older
descriptors won't experience circuit failures when using this relay.

To detect this, either the user lets ansible-relayor know whether he is
setting up a new relay / restoring a relay or just renewing the
ed25519 keys for a running relay, or ansible-relayor reads Tor's
$datadirectory/keys folder and, if secret_id_key exists, assumes the latter.

> 
> [1] https://github.com/nusenu/ansible-relayor/commit/2c4040df7848f382ced02b43f35ca8a9f07ab284
> [2] https://github.com/nusenu/ansible-relayor/blob/2c4040df7848f382ced02b43f35ca8a9f07ab284/tasks/configure.yml#L18
> [3] https://github.com/nusenu/ansible-relayor/blob/2c4040df7848f382ced02b43f35ca8a9f07ab284/tasks/configure.yml#L84
> 
> 
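As an added example (not ansible-relayor's own code, nor anything s7r or nusenu posted), a POSIX shell sketch of the second detection rule from the mail above: the presence of $datadirectory/keys/secret_id_key means "running relay, renew only the ed25519 signing cert and secret key", otherwise the full set for a new or restored relay is pushed. It assumes the relay's DataDirectory is reachable as a local path (or a mount) and that the offline-generated files sit in a staging directory; the function names are hypothetical.

```shell
#!/bin/sh
# Assumed layout: $staging holds the offline-generated key files,
# $datadir is the relay's Tor DataDirectory (local path or mount).

# Full set exposed to a new or restored relay (file names from the mail).
FULL_SET="ed25519_master_id_public_key ed25519_signing_cert ed25519_signing_secret_key secret_id_key secret_onion_key secret_onion_key_ntor"
# Only the medium-term signing material when renewing on a running relay;
# the onion keys are deliberately left alone so Tor's own rotation is not disturbed.
RENEW_SET="ed25519_signing_cert ed25519_signing_secret_key"

# Print "renew" if the relay already has its long-term identity key, else "setup".
relay_mode() {
    if [ -f "$1/keys/secret_id_key" ]; then
        echo renew
    else
        echo setup
    fi
}

# Print the names of the files that may be copied for this data directory.
key_files_to_copy() {
    case "$(relay_mode "$1")" in
        renew) echo "$RENEW_SET" ;;
        setup) echo "$FULL_SET" ;;
    esac
}

# Copy the selected files from staging into $datadir/keys.
# Fails (returns 1) before touching anything if a required file is missing.
push_keys() {
    staging="$1"; datadir="$2"
    files=$(key_files_to_copy "$datadir")   # decided once, before any copy
    for f in $files; do
        [ -f "$staging/$f" ] || { echo "missing $staging/$f" >&2; return 1; }
    done
    mkdir -p "$datadir/keys"
    for f in $files; do
        cp -p "$staging/$f" "$datadir/keys/$f" || return 1
    done
}
```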