SSL Keys + Identity of a Tor server
arma at mit.edu
Tue Jun 3 19:51:06 UTC 2008
On Tue, Jun 03, 2008 at 03:45:07PM -0400, dante wrote:
> 1) Do I need the secret_onion_key also? It appears to be regenerated
> occasionally so I assuming it doesn't matter for the identity of the
> node. I'm not sure what its function is which is what lead me to the
> original post.
You don't need to keep it. It gets rotated every week or so. Its function
is to be the encryption key that clients use when establishing a circuit
through you and making a session key. It is separate from the identity
key because it is good security practice to have different keys for
different roles. (That turns out to have been a smart move in light of
this particular security problem, even. :)
> 2) Is preserving the Nickname and the secret_id_key sufficient, as per
> the FAQ? In particular, if the IP address changes, does it matter?
nickname and secret_id_key are all it takes. IP address can change.
> 1) I'm thinking of moving my tor relay server to another IP address.
Sounds fine. Some relays get a new IP address every night automatically.
> 2) This server was an ubuntu box and was affected by the debian openssl
> flaw. It used to be flagged as "Named" in the listing, but ever since I
> regenerated the keys, it has remained unamed.
Yep. It will stay that way for several months until the old name<->key
> 3) I'm working on a (new) release of a ramdisk-only tor server (I posted
> about it before), but this time, I want to make sure that on reboots, it
> preserve all the necessary files to maintain the node's ID.
More information about the tor-talk