[tor-relays] Issues with offline master key functionality

Riccardo Mori patacca at autistici.org
Wed Feb 3 18:17:09 UTC 2016


Thank you s7r for helping!

On 03/02/2016 17:53, s7r wrote:
> Hello - see inline
> 
> On 2/3/2016 3:49 PM, Riccardo Mori wrote:
>> Hi everyone,
> 
>> Two months ago I decided to try the new ed25519 key introduced
>> in Tor 2.7 with OfflineMasterKey set so I can keep the master key
>> in a different place and just upload the medium-term signing key
>> every month. Last month everything went ok: I renewed the key and
>> Tor accepted it. This time instead after generating the new
>> signing key with
> 
>> # tor --datadirectory path_to_my_master_key --signingkeylifetime 
>> '1 months' --keygen
> 
> 
> Why do you use such a value for SigningKeyLifetime when the default
> is 30 days already? You can just skip --signingkeylifetime and
> have medium term signing key valid for 30 days (1 month). I am not
> totally sure *1 months* is a valid argument here (could be, not
> sure) - why not the default 30 days or more than 1 month?


I wasn't sure about the default value, and in case the default value
were changed after an update, mine would still be 1 month.
Anyway, there's no important reason.

In the two text files attached there's the history of the commands I
typed (made with script), so if you want you can find more details there.
I am going to reply to your question here anyway.


> - path_to_my_master_key is the path to the folder containing a
> 'keys' subfolder which contains the ed25519_master_id_secret_key or
> (_encrypted)?
> 
> - the user running the 'tor --keygen' command has read/write 
> permissions to the targeted folder from --datadirectory?


Yes to both of them; the folder contains
ed25519_master_id_secret_key_encrypted and ed25519_master_id_public_key.


> - is the date on the server where the 'tor --keygen' command runs
> correct?


Yeah, the date is synchronized with NTP on both systems (the Tor node
and my laptop that contains the master key). The only thing that could
be an issue is that the two systems are in different time zones: one
is UTC+1 and the other is CST (UTC-6).


> - fixing the permissions you mean changing the owner of the files
> to the user actually running the Tor daemon on your system?
> (debian-tor, _tor, etc.)

Yes, it's debian-tor; the Tor node is running on Debian 8.3.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patacca-laptop.log
Type: text/x-log
Size: 5130 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20160203/0f7b1f27/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tornode.log
Type: text/x-log
Size: 12007 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20160203/0f7b1f27/attachment-0003.bin>
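
The checklist discussed in this thread (key files present, directory permissions, file owner, clocks), written as a pre-flight script. This is an added example, not part of the original message or of Tor itself. The function name `check_keys` and its role argument are hypothetical, and `ed25519_signing_secret_key` and `ed25519_signing_cert` are the signing-key files written by `tor --keygen`, which the thread does not name.

```shell
#!/bin/sh
# Added example: pre-flight checks for an OfflineMasterKey setup.
# check_keys ROLE DATADIR [OWNER] -> returns the number of failed checks.
#   ROLE=offline : machine that runs 'tor --keygen' (holds the master key)
#   ROLE=relay   : machine that runs the Tor daemon (signing key only)
# OWNER defaults to debian-tor (the daemon user named in the thread).
check_keys() {
    role=$1 keys=$2/keys owner=${3:-debian-tor} fails=0
    fail() { echo "FAIL: $*" >&2; fails=$((fails + 1)); }

    [ -d "$keys" ] || { fail "$keys is not a directory"; return "$fails"; }

    # The master secret key may be stored plain or passphrase-encrypted.
    master=no
    for f in ed25519_master_id_secret_key ed25519_master_id_secret_key_encrypted; do
        [ -f "$keys/$f" ] && master=yes
    done

    case $role in
    offline)
        [ "$master" = yes ] || fail "no master secret key in $keys"
        [ -f "$keys/ed25519_master_id_public_key" ] || fail "no master public key in $keys"
        # --keygen writes the new signing key and certificate into this directory.
        [ -r "$keys" ] && [ -w "$keys" ] || fail "$keys not readable/writable by uid $(id -u)"
        ;;
    relay)
        # With OfflineMasterKey the master secret key stays off the relay.
        [ "$master" = no ] || fail "master secret key present on relay"
        for f in ed25519_signing_secret_key ed25519_signing_cert; do
            if [ ! -f "$keys/$f" ]; then
                fail "missing $f"
            elif [ -z "$(find "$keys/$f" -prune -user "$owner" 2>/dev/null)" ]; then
                fail "$f is not owned by $owner"
            fi
        done
        ;;
    *) fail "unknown role: $role" ;;
    esac

    # Print the clock in UTC so both machines can be compared regardless of time zone.
    echo "UTC now: $(date -u '+%Y-%m-%d %H:%M:%S')"
    return "$fails"
}
```

Run `check_keys offline DIR` on the machine holding the master key before `--keygen`, and `check_keys relay DIR` on the relay after copying the new signing key and fixing ownership.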