[tor-dev] Moving key material out of the main tor process

Nick Mathewson nickm at freehaven.net
Tue Jun 2 15:51:07 UTC 2020


On Wed, May 20, 2020 at 11:46 AM Linus Nordberg <linus at torproject.org> wrote:
>
> Hi,
>
> tl;dr How to move key material out of tor?
>
> ## The idea of a vault component
>
> ahf and others in the network team have been discussing the
> possibility of a "vault" component in tor, for moving private keys out
> of the tor process. Separating secret key material from the code
> handling data from the network seems valuable and providing a
> component making different implementations "pluggable" would allow for
> anyone to use their favourite technology without touching the tor
> code base. Examples are local trusted execution environments like Intel
> SGX and Arm TrustZone and various HSMs and security keys/tokens.
>
> One way of implementing this would be to define a protocol, for a
> vault component to talk to a daemon running on the same host as tor,
> over some IPC mechanism. This protocol would allow tor to request a
> signature over a hash, or a document, in a certain key. Whether the
> daemon has access to the key material or has to forward the request to
> a separate device or hardware component is irrelevant to the protocol
> and the vault component.
>
> Even if the design focuses on signatures it should probably take
> encryption and decryption into account, to be added later.


Hi!

I'm also +1 on this idea, and I think you're correct to hint that the
"vault" or "separate daemon" part doesn't have to be a tor-specific
tool.  Moving responsibilities out of the core Tor process should help
us make it harder for keys to leak.

One issue with the ssh-agent protocol as I see it is that it isn't
originally designed for decryption or for high-volume usage.  If we
want to support those in the future, we'll need to make sure that we
have an extension path for them in whatever vault tool we're using.

yrs,
-- 
Nick
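As an added illustration of the request/reply split the proposal describes (this is example code written for this page, not code from the thread or from tor), the vault side below holds the Ed25519 private keys and answers "sign this digest with key handle N", while the tor side only ever handles key handles and the public key. The opcode, the fixed-size framing, the handle numbers and the use of net.Pipe in place of a Unix-socket IPC are assumptions made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
	"net"
)

// Wire format (constructed for this example): request = opcode(1) | key
// handle(1) | SHA-256 digest(32); reply = status(1) | Ed25519 signature(64).
const opSign byte = 1
// ServeVault is the only side that ever touches private keys. Tor would reach
// it over a Unix socket; net.Pipe stands in for that IPC in main.
func ServeVault(c net.Conn, keys map[byte]ed25519.PrivateKey) {
	req := make([]byte, 2+sha256.Size)
	for {
		if _, err := io.ReadFull(c, req); err != nil {
			return
		}
		reply := make([]byte, 1+ed25519.SignatureSize)
		if key, ok := keys[req[1]]; ok && req[0] == opSign {
			copy(reply[1:], ed25519.Sign(key, req[2:]))
		} else {
			reply[0] = 1 // refuse unknown opcodes and unknown key handles
		}
		c.Write(reply)
	}
}

// Sign is the tor-side call: it names a key by handle and never sees the key.
// A failed write surfaces as a failed read of the reply below.
func Sign(c net.Conn, handle byte, doc []byte) ([]byte, error) {
	d := sha256.Sum256(doc)
	c.Write(append([]byte{opSign, handle}, d[:]...))
	reply := make([]byte, 1+ed25519.SignatureSize)
	if _, err := io.ReadFull(c, reply); err != nil || reply[0] != 0 {
		return nil, fmt.Errorf("vault unreachable or refused handle %d", handle)
	}
	return reply[1:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	vaultEnd, torEnd := net.Pipe()
	go ServeVault(vaultEnd, map[byte]ed25519.PrivateKey{7: priv})
	sig, err := Sign(torEnd, 7, []byte("constructed descriptor"))
	d := sha256.Sum256([]byte("constructed descriptor"))
	fmt.Println(err, ed25519.Verify(pub, d[:], sig)) // <nil> true
}
```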

