[tor-relays] Disk encryption for relays [was: FreeBSD 11.1 ZFS Tor Image]
nusenu
nusenu-lists at riseup.net
Sat Mar 3 10:17:00 UTC 2018
Roger Dingledine:
> Capturing the on-disk keys from a relay will let them impersonate the
> relay in the future
To limit possibility to impersonate a relay in the future, operators can run in OfflineMasterKey mode
with a short SigningKeyLifetime (i.e. 5 days) and push key material via SSH to the relay.
This will limit the ability of an attacker to impersonate the relays to 5 days in the worst case,
iff the attacker does not also compromise the host storing the Ed25519 master keys.
And if you actually want to do it: ansible-relayor does it by default (with 30 days SigningKeyLifetime).
--
https://mastodon.social/@nusenu
twitter: @nusenu_
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20180303/a77f1182/attachment.sig>
More information about the tor-relays
mailing list