[tor-relays] Issues with offline master key functionality

s7r s7r at sky-ip.org
Wed Feb 3 16:53:54 UTC 2016

Hash: SHA256

Hello - see inline

On 2/3/2016 3:49 PM, Riccardo Mori wrote:
> Hi everyone,
> Two months ago I decided to try the new ed25519 key introduced in
> Tor 2.7 with OfflineMasterKey set so I can keep the master key in
> a different place and just upload the medium-term signing key every
> month. Last month everything went ok: I renewed the key and Tor
> accepted it. This time instead after generating the new signing key
> with
> # tor --datadirectory path_to_my_master_key --signingkeylifetime
> '1 months' --keygen

Why do you use such a value for SigningKeyLifetime when the default is
30 days already? You can just skip --signingkeylifetime and have
medium term signing key valid for 30 days (1 month). I am not totally
sure *1 months* is a valid argument here (could be, not sure) - why
not the default 30 days or more than 1 month?

Your problem is kind of strange so need to make sure of some things,
apologies in advance if the questions seam too obvious. Before
answering to all these make sure you try without --signignkeylifetime
or with other argument than *1 months* like 2 months, 6 months, 10
days, 30 days, etc.

- - path_to_my_master_key is the path to the folder containing a 'keys'
subfolder which contains the ed25519_master_id_secret_key or (_encrypted)?

- - the user running the 'tor --keygen' command has read/write
permissions to the targeted folder from --datadirectory?

- - is the date on the server where the 'tor --keygen' command runs correct?

- - fixing the permissions you mean changing the owner of the files to
the user actually running the Tor daemon on your system? (debian-tor,
_tor, etc.)

> and uploading ed25519_signing_cert and ed25519_signing_secret_key
> and fixing the permission, Tor keep saying
> Feb 03 07:27:40.000 [notice] It looks like I need to generate and
> sign a new medium-term signing key, because the one I have is
> expired. To do that, I need to load the permanent master identity
> key. Feb 03 07:27:40.000 [warn] We needed to load a secret key
> from /var/lib/tor/keys/ed25519_master_id_secret_key, but couldn't
> find it. Did you forget to copy it over when you copied the rest of
> the signing key material? Feb 03 07:27:40.000 [warn] Can't load
> master identity key; OfflineMasterKey is set. Feb 03 07:27:40.000
> [err] Error initializing keys; exiting
> That raises two questions to me: - why does Tor think the new keys
> are already expired? - why is Tor searching
> ed25519_master_id_secret_key? With OfflineMasterKey set it
> shouldn't care about the master secret key

It doesn't -- the only problem is that it warns when it shouldn't.
Only a log message issue which is known and reported here:


> Thank you, patacca
Version: GnuPG v2.0.22 (MingW32)


More information about the tor-relays mailing list