[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Encrypting the DataDir



> On 30 May 2017, at 04:07, Cristian Consonni <cristian@xxxxxxxxx> wrote:
> 
> On 15/05/2017 12:21, aeris wrote:
>> Private key are under encrypted volume and may be protected
> 
> On 21/05/2017 10:02, Roger Dingledine wrote:
>> On Sun, May 21, 2017 at 09:12:39AM +0200, Petrusko wrote:
>>> @aeris, do they ask you to uncrypt the volume ? (good luck to you...)
>>> What can be the best ? Uncrypt the relay to help police when asking,
>>> when this relay is only a relay and storing nothing else ?
>> 
>> That's actually why the torservers.net people suggest *not* using disk
>> encryption. Having no barriers makes it much easier for the police to
>> realize that there's nothing useful to them. See also point two of
>> 
> https://blog.torproject.org/blog/trip-report-tor-trainings-dutch-and-belgian-police
> 
> From the Tor Exit Guidelines:
> «Disk encryption might be useful to protect your node keys, but on the
> other hand unencrypted machines are easier to "audit" if required. We
> feel it's best to be able to easily show that you do Tor exiting, and
> nothing else (on that IP or server).»
> https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines
> 
> I was wondering if the argument about not encrypting the disk applies
> just to the full-disk encryption or if it is applicable also to the caso
> of encrypting just the DataDir on a fairly small file-based volume (say
> 100MB).
> 
> In the second case, how big can the DataDir get?

On a relay, the most sensitive content is in DataDir/keys.
You could encrypt that if you want to protect your keys when your
relay is powered off.

Or you could use OfflineMasterKey for the ed25519 keys, which is
even safer. (But doesn't do anything for the RSA keys.)

I wouldn't bother encrypting the entire DataDir, it contains
consensuses and descriptors, and (as of 0.3.1) will contain consensus
diffs and compressed consensuses, so it will get a bit larger.

The most sensitive part is probably the state file, but a relay's
guards are not that sensitive.

T
--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
------------------------------------------------------------------------

Attachment: signature.asc
Description: Message signed with OpenPGP

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays