[tor-relays] Disk encryption for relays [was: FreeBSD 11.1 ZFS Tor Image]

Roger Dingledine arma at mit.edu
Sat Mar 3 06:11:12 UTC 2018


On Tue, Feb 27, 2018 at 12:09:36PM -0500, Otheontelth wrote:
> Why would it be important to encrypt the storage of your tor server?
> For me this looks like it only complicates things if law enforcement wants to take a look at your server, and the cloud provider should be able to break the encryption relatively easily or can simply take a memory dump.

I think there's a good argument for not using disk encryption for your
relay, especially for your exit relay.

The reasoning is that if some law enforcement group shows up to steal
your computer, everything will go more smoothly if it's easy for them
to conclude that there's no useful evidence on the disk.

In that scenario, an encrypted disk means a much longer wait before they
move on from thinking you're the bad person.

(I'd say "a much longer wait before they give your hardware back", but
while that's probably true too, it's hard to imagine a scenario where
they steal your computer for a while, and then give it back, and you still
want to trust it for running a relay or doing anything else interesting.)

Capturing the on-disk keys from a relay will let them impersonate the
relay in the future, but it shouldn't help them with decrypting past
circuits or with deanonymizing what people did in the past:
https://www.torproject.org/docs/faq#KeyManagement

For those developer types wanting to help out here, check out this ticket:
https://trac.torproject.org/13705
"Allow relays to promise in their descriptor that their IP address
won't change"
which would make it so people who steal the keys for large stable guards
can't just put them back online somewhere else and have clients resume
connecting to them.

For other context, see also the "what if a bad guy runs a Tor exit relay
to provide plausible deniability" paragraph in
https://blog.torproject.org/trip-report-tor-trainings-dutch-and-belgian-police
Apparently the link from my blog post, to
https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines
no longer has any mention pro or con disk encryption. I wonder if that
was intentionally removed by the torservers.net folks (maybe they have
even changed their mind on the advice?), or if it just fell out because
it's a wiki.

--Roger


